The implementation of the EU’s General Data Protection Regulation (GDPR) has unleashed a tsunami of new and updated privacy laws across the world, and Brazil is the latest country to adopt a new piece of privacy legislation. On July 10, the Brazilian Federal Senate passed the Brazilian Personal Data Protection Regulation, referred to as the “LGPD” (an abbreviation of its Portuguese title). The LGPD bears a clear resemblance to the GDPR, though it is less detailed and broader in scope.
The LGPD is set to take effect in approximately 18 months, giving both Brazilian policy makers and companies operating in Brazil a short timeline. This post aims to give organizations insights into the key elements of the law, including the scope, legal bases for processing, key implementation factors, and penalties for non-compliance.
What is the scope of the LGPD?
The LGPD’s requirements apply to individuals and to public and private bodies that process data subjects’ information (i.e., controllers) or that process data on another’s behalf (i.e., processors). The requirements extend to companies both within and outside Brazil’s borders. Data subjects appear to be broadly defined, as they are under the GDPR: a data subject may be anyone in Brazil whose data is being collected or processed. The law does not specify whether it applies only to Brazilian citizens and residents or to all individuals who are in Brazil when their information is collected.
What are the key elements of the LGPD?
Before Brazil can implement this new regulation, the country must establish a Supervising Authority – Brazil’s counterpart to a GDPR Data Protection Authority (DPA) – to implement and enforce the law. As it stands, the LGPD contains a number of ambiguities that will require direction and clarification once a Supervising Authority or similar public body exists. Once in place, the Supervising Authority will require data controllers and processors to implement data protection policies and procedures and to conduct privacy impact assessments. Until it is established and begins issuing decisions, compliance may prove difficult, because organizations will not know exactly what is required of them.
The LGPD also requires data controllers to appoint a Data Processing Officer, which is not to be confused with the GDPR’s Data Protection Officer (DPO). A Data Processing Officer receives complaints and communications from data subjects, communicates with the Supervising Authority, and instructs the organization’s staff on how best to protect data subjects’ privacy. The role can be thought of as a combination of the GDPR’s DPO and EU Representative roles: it is the point of contact between the organization, data subjects, and the Supervising Authority, and it also oversees the organization’s compliance with the regulation.
The most significant difference between the GDPR’s DPO and EU Representative is who is held liable for non-compliance. Because DPOs are considered independent overseers of a company’s privacy activities, they are not held liable for misconduct on the part of the organization. EU Representatives, as the name implies, represent the company and can therefore be held accountable for its non-compliance. The LGPD currently gives no guidance on whether Data Processing Officers will be held liable.
The LGPD also states that a Data Processing Officer’s identity and contact information shall be publicly disclosed in a clear manner, preferably on the data controller’s website. Additional guidelines have yet to be determined, as the Supervising Authority will be responsible for establishing the specific criteria for Data Processing Officers, including when organizations are exempt from appointing one.
What are the lawful bases for data processing?
Much like the GDPR, Brazil’s LGPD sets out the bases on which an organization may lawfully process an individual’s data, with the aim of increasing transparency between the organization and the data subject. Many organizations prefer the lawful basis of consent, because it is the most straightforward way to process data while still abiding by the law. Article 10 of the LGPD states that consent request forms must be clear and must include:
- Purpose of processing;
- Duration of processing;
- Identification of the data controller;
- To whom the data will be disclosed; and
- The rights of the data subject.
The law also lists processing for which consent is not required, including when the data is publicly accessible or when processing is necessary for any of the following:
- Compliance with a legal or regulatory obligation;
- The fulfillment of a contract or agreement;
- The legitimate interest of the data controller or third parties;
- Performance of historical, scientific and statistical research;
- Protection of life; and
- Protection of health (performed by public health authorities).
It is essential for organizations to identify and document the lawful basis for each of their processing activities. Processing sensitive data (which includes health, biometric, and genetic data) is subject to additional restrictions. Article 12 of the LGPD states that the processing of Sensitive Personal Data is prohibited unless (1) the controller has informed the data subject of the risks involved in processing sensitive data, and (2) the data subject has given specific consent for their sensitive data to be processed.
Concerning the data of minors, the LGPD states that data subjects between the ages of 12 and 18 may give consent themselves, but that consent must remain revocable by their parents and/or guardians.
Lastly, there are two exceptions to the law’s standard rules for processing and consent: the regulation does not apply to processing performed by a natural person for purely personal purposes, or to processing for the purpose of news reporting.
What are the penalties?
The LGPD requires organizations to report data breaches to the Supervising Authority, and to data subjects where the Supervising Authority deems it necessary. Companies that fall within the LGPD’s scope should be aware of the sanctions Brazil plans to impose for non-compliance. Whether related to a breach or another violation of the LGPD, monetary penalties can reach two percent of the organization’s revenue in Brazil for its last fiscal year, capped at 50 million reais (approximately $12.9 million USD) per violation. Additional consequences include:
- Publication of the violation;
- Suspension of personal data processing for two years;
- Prohibition of processing sensitive data for ten years; and
- Prohibition of operations for ten years.
According to the LGPD, these sanctions may be applied cumulatively, resulting in heavy reputational and monetary losses. The penalty imposed will depend on the severity of the violation and its effect on data subjects.
As the largest economy in South America, Brazil will see its LGPD shape business operations across the continent. With less than two years to prepare, companies with Brazilian operations have much to do in a short amount of time. Although many global companies struggled to meet the GDPR deadline despite its two-year preparation period, this time should be easier for organizations that have already completed a GDPR implementation. Because the EU set the standard for this kind of expansive privacy regulation, organizations can draw on their GDPR implementation efforts to address the major similarities, differences, and pain points of implementing the LGPD. To this end, we’ve put together a guide that companies can use to compare the two laws and see where they stand.
Disclaimer: Focal Point Data Risk, LLC is not a law firm and does not provide legal advice. This content is intended for informational purposes only.