Alan C. E. Thomaz

This article intends to present some key elements of the recently approved Brazilian Data Protection Law (hereinafter referred to as “Lei Geral de Proteção de Dados” or “LGPD”), and explore a few similarities and differences between the LGPD and the General Data Protection Regulation (“GDPR”).

From a constitutional perspective, the Brazilian constitution establishes a fundamental right to intimacy and private life, i.e., a fundamental right to privacy, but does not provide a fundamental right to data protection. Brazil has historically adopted a sectorial law approach to privacy and data protection in the infra-constitutional sphere. Therefore, while the GDPR is a review and modernization of the European Union's former data protection rules (i.e., the Data Protection Directive 95/46/EC), the LGPD introduces completely new definitions, obligations, and requirements into the Brazilian legal system.

Like the GDPR, the LGPD has established detailed rules for collecting, using, processing, and storing personal data in Brazil. The LGPD's definition of personal data was already used by other sector-specific laws in Brazil and is identical to the GDPR's. Personal data is, therefore, any “information related to an identified or identifiable natural person” (the “data subject”).

Those rules apply to private and public entities in all economic sectors, in both the digital and physical environments. Brazil's new data protection law applies[1] to any processing activity involving personal data carried out by a natural person or legal entity, regardless of the means of processing and of where the processor is headquartered, with an extraterritorial reach similar to that of the GDPR.

Any processing activity subject to the LGPD must be carried out in accordance with its principles[2] and based on one or more of the 10 (ten) legal grounds outlined in the statute. Although there are specific differences and Brazil offers a higher number of lawful bases, the legal grounds for processing personal data under the LGPD are considerably similar to those of the GDPR[3]. Likewise, as in the GDPR, different lawful bases apply to the processing of sensitive data.

The LGPD has consolidated several rights already available in specific laws and has also introduced new rights. Most of them are identical to those of the GDPR, with small differences[4].

Like the GDPR, the LGPD has established the categories of controllers and operators (jointly referred to as “Processing Agents”)[5]. Because the controller is responsible for defining how personal data will be processed, it is subject to a more comprehensive list of requirements, such as (a) being transparent with the data subject about the processing activities carried out; (b) complying with data subjects' rights; (c) defining and documenting the legal grounds for processing personal data; (d) performing privacy impact assessments, where required by the national data protection authority; and (e) appointing a data protection officer.

Both the GDPR and the LGPD require processing agents (controllers and operators) to adopt, by design, technical and organizational measures to protect personal data and avoid data incidents[6]. Under the LGPD, data incidents that may result in relevant risk or harm to individuals must be reported to the national data protection authority[7] and to the affected data subjects within a reasonable time.

Historically, Brazil had never introduced a data localization requirement or rules permitting international transfers. The LGPD now introduces specific requirements for international data transfers, similar to those of the GDPR. Under the LGPD, therefore, international transfers may occur under an adequacy decision of the data protection authority, under specific contractual safeguards, or under other particular derogations[8].

The penalties under the LGPD may include a warning, mandatory disclosure of the data incident, deletion of personal data, blocking, suspension, partial or total prohibition from the exercise of activities related to the processing of personal data, and fines. The LGPD caps fines at 2% (two percent) of the company's economic group gross revenues in Brazil, limited to R$ 50,000,000.00 (fifty million Brazilian Reais), per violation. Individual or class suits based on the LGPD are also possible.

The LGPD entered into force on September 18th, 2020. While there are many similarities, the LGPD (often called “Brazil's GDPR”) changed specific provisions while importing the GDPR model into the Brazilian legal system. Therefore, organizations must be attentive to those differences when seeking compliance with both laws.


[1] The LGPD does not apply to processing activities (i) performed by natural persons exclusively for private and non-economic purposes; (ii) carried out for journalistic, artistic and academic purposes; (iii) carried out for public and state security and national defense purposes; (iv) carried out for the investigation and prosecution of criminal offenses; and (v) involving data originating outside the national territory and destined for other countries, which merely transit through the national territory without any processing operation being carried out.

[2] The principles of the LGPD are as follows: (a) free access (free and easy consultation of data processing activities and their duration); (b) transparency (clear, accurate and easily accessible information); (c) purpose (processing must be carried out for legitimate, specific, explicit and informed purposes, and no further processing shall take place when incompatible with such purposes); (d) adequacy (processing shall be compatible with the informed purpose); (e) data quality (guarantee that accurate, clear, relevant and updated data shall be processed); (f) data minimization or necessity (processing shall be limited to the minimum information necessary to achieve its purpose, using relevant, proportional and not excessive data); (g) security (use of technical and administrative measures capable of protecting personal data from unauthorized access and from accidental or unlawful events of destruction, loss, alteration, communication or dissemination); (h) prevention (adoption of measures to prevent the occurrence of damages due to the processing of personal data); (i) non-discrimination (processing activities shall not be performed for unlawful or abusive discriminatory purposes); and (j) accountability (demonstration by the agent of effective measures capable of verifying compliance with the rules for the protection of personal data, including the effectiveness of such measures).

[3] Both statutes provide that personal data may be processed: (i) with the consent of the data subject; (ii) to comply with a legal or regulatory obligation; (iii) when necessary for the performance of a contract, or of preliminary procedures related to a contract, to which the data subject is a party; and (iv) when necessary to meet the legitimate interests of the data controller or of third parties. In addition, other lawful bases for processing are established in the LGPD, which also have certain similarities with the GDPR, including: (v) the regular exercise of rights in judicial, administrative or arbitral proceedings; (vi) the protection of the life or physical safety of the data subject or of a third party; (vii) the protection of health, in procedures carried out by health professionals or health entities; (viii) processing by research bodies to carry out studies, guaranteeing, whenever possible, the anonymization of personal data; (ix) processing by the public administration for the execution of public policies set forth in law or regulation, or supported by contracts and similar instruments; and (x) the protection of credit.

[4] Among others, such rights include: (i) the right to obtain information regarding the processing of data; (ii) the right to access, rectify and erase data; (iii) the right to withdraw consent at any time; (iv) the right to receive information on the entities with which the data has been shared; (v) the right to data portability to another supplier of goods and services; and (vi) the right to obtain a review of automated decisions.

[5] Inspired by the definitions of controllers and processors under the GDPR, the LGPD defines controllers as the “natural person or legal entity, public or private, which is responsible for the decisions concerning the processing of personal data”, and operators as the “natural person or legal entity, public or private, which performs the processing of personal data on behalf of the controller”.

[6] A data incident may be understood as “unauthorized access and from accidental or unlawful destructions, loss, change, communications, transmission, or any other occurrence resulting from inadequate or illegal treatment”.

[7] Specific information needs to be provided, including, at least: (a) a description of the data and individuals affected; (b) the risks related to the Data Incident; (c) the reasons why the notification to the ANPD (Autoridade Nacional de Proteção de Dados, the national data protection authority) has been delayed, where applicable; and (d) the technical and security measures taken to protect the data, and the measures that were or will be taken to revert or mitigate the effects of the Data Incident.

[8] Other legal bases for lawful international transfer under the LGPD include: (a) when necessary for the performance of a contract; (b) for the protection of the life or physical safety of the data subject or of a third party; (c) for the regular exercise of rights in judicial, administrative or arbitral proceedings; (d) when necessary for international legal cooperation between intelligence, investigation and prosecution public bodies, in accordance with the instruments of international law; (e) based on a commitment made in an international cooperation agreement; (f) when authorized by the national data protection authority; and (g) when necessary for the execution of public policy or for compliance with the legal attributions of the public service.