What to Expect from Brazil’s General Data Protection Law (LGPD)?

By on

Click here to learn more about Anas Baig.

The world is stepping into an era where the realization of data protection rights is at an all-time high. With Europe and North America already taking the steps towards data protection, Brazil is not far behind, drafting the LGPD (Lei Geral de Proteção de Dados Pessoais), which is set to go into effect in August 2020. This being the newest addition to the global privacy regulation spectrum, here is what people can expect from the LGPD.

Who Needs to Comply?

The LGPD is different from its predecessors when it comes to compliance. Whereas the CCPA and GDPR consider revenue, the LGPD focuses on the geographic area or the information a company holds on the citizens of Brazil.

Under article 3 of the LGPD, any organization performing the following tasks are required to comply with the LGPD:

  • Processing data within the territory of Brazil
  • Processing data of individuals who are within the territory of Brazil, regardless of where in the world the data processor is located
  • Processing data that is collected within the territory of Brazil

What are the Legal Bases for Processing Personal Data?

Under Article 7, the LGPD has defined ten legal bases for the lawful processing of personal data. It can be processed under the following circumstances:

1. With the consent of the data subject

2. To comply with a legal obligation of the controller

3. To execute public policies provided in laws or regulations or based on contracts or agreements

4. To carry out studies by research entities that ensure, whenever possible, the anonymization of personal data

5. To execute a contract or preliminary procedures related to a contract of which the data subject is a party

6. To exercise rights in judicial, administrative, or arbitration procedures

7. To protect the life or physical safety of the data subject or a third party

8. To protect health, in a procedure carried out by health professionals or by health entities

9. To fulfill the legitimate interests of the controller or a third party, except when the data subject’s fundamental rights and liberties which require personal data protection prevail

10. To protect credit

Any organization that processes personal or sensitive data is required to document this data from initial collection to termination. The LGPD also requires organizations to have a description of what kind of data is collected, retention time, the purpose of the collection, and who the data can be shared with.

What are the Fines That Come Under the LGPD?

The LGPD is not lenient when it comes to fines and has set up a clear guideline on the consequences of non-compliance with the law.

Just like GDPR fines, the system ranges from:

  • Issuing warnings in case of violations and non-compliance with the intent of the entity adopting corrective measures
  • Daily fines
  • Fines up to 2 percent of the entity’s annual turnover in Brazil or 50 million Brazilian reais  per violation

Under the LGPD, the maximum amount a fine can reach is up 2 percent of a company’s annual turnover to R50 million (which approximates to €11 million or over $12 million). It will be the National Data Protection Authority’s responsibility to enforce such sanctions when the LGPD comes into effect.

The LGPD was designed in accordance with the EU’s GDPR. It has global jurisdiction, which means that any website that processes personal data from individuals in Brazil has to comply.

Rights of the Data Subject

Under article 18, the LGPD gives nine fundamental rights to its consumers. These rights are the following:

  • The right to confirmation of the existence of the processing
  • The right to access the data
  • The right to correct incomplete, inaccurate, or out-of-date data
  • The right to anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD
  • The right to the portability of data to another service or product provider, by means of an express request
  • The right to delete personal data processed with the consent of the data subject
  • The right to information about public and private entities with which the controller has shared data
  • The right to information about the possibility of denying consent and the consequences of such denial
  • The right to revoke consent

Since the LGPD is based on the GDPR, it is natural to see similarities between the two — so much so that some experts call the LGPD Brazil’s GDPR. If we look at the rights, for example, LGPD has split the GDPR’s “right to be informed” into two clauses which are “right to be informed of the parties the controller has shared the data with” and the “right to be informed about the possibility of denying consent.”

National Data Protection Authority (NDPA)

The NDPA is the federal administration body tasked with being the enforcing body of both public and private data processors and is directly connected to the President of Brazil. It can act in matters such as providing technical standards and rules, asking for data protection impact assessment reports, evaluating best practices, supervising, and imposing sanctions.

Key Takeaways The drafting of the LGPD is a clear sign that countries all across the world are taking data privacy seriously. It is only a matter of time before every country worldwide will have a specific overall data protection regulation of their own. This would be good news for organizations and consumers alike, creating a much more protected and safer environment for data. That being said, there is always a risk of penalties due to non-compliance, and if these regulations grow in numbers, global organizations will have to be on their toes to stay compliant with all of these regulations

Leave a Reply