Updated March 17, 2020
The implementation of the EU’s General Data Protection Regulation (GDPR) unleashed a wave of new privacy legislation across the world, spreading across the Atlantic to Brazil. On August 14, 2018, the Brazilian Federal Senate signed the Brazilian Personal Data Protection Regulation, referred to as the “LGPD” (derived from its Portuguese title), into law. On July 8, 2019, the final version of the LGPD was approved by current Brazilian President Jair Bolsonaro. The LGPD bears resemblance to the GDPR, though it is lighter and broader in scope.
The LGPD was set to take effect in February 2020, but this deadline was extended another six months to August 16, 2020, giving both Brazilian policy makers and companies operating in Brazil a little more time to prepare for implementation. This post aims to provide organizations with insights into the key elements of the law, including the scope, legal bases for processing, key implementation factors, and penalties for non-compliance.
The Scope of the LGPD
The LGPD’s requirements apply to individuals and public and private bodies that process data subjects’ information (i.e., controllers) or that process data on another’s behalf (i.e., processors). The requirements extend to companies both within and outside of Brazil’s borders. The definition of data subjects under Article 5 of the LGPD is broad, similar to the GDPR: a data subject is anyone in Brazil whose data is being processed or collected. According to Article 3 of the LGPD, the law covers processing operations that meet any of the following criteria: (i) the processing operation is carried out in Brazil, (ii) the purpose of the processing activity is the supply of goods or services to individuals located in Brazil, or (iii) the processed personal data was collected in Brazil.
Key Elements of the LGPD
The National Data Protection Authority (ANPD)
When the LGPD was approved by the Brazilian Federal Senate in August 2018, provisions for the creation of a Supervising Authority – Brazil’s version of the GDPR’s Data Protection Authority (DPA) – were included. However, before the law was sanctioned, the president at the time, Michel Temer, vetoed these provisions. Yet, just before the end of his term in December of 2018, President Temer published an executive order establishing the Brazilian Data Protection Authority, or the ANPD (based on the Portuguese acronym), tasked with three primary functions:
- Rulemaking and interpretive guidance on all matters related to data protection
- Investigation and enforcement of the LGPD
- Education and promotion of data protection and privacy within the Brazilian society
The ANPD includes a National Council for the Protection of Personal Data, which advises the commissioners and helps regulate data policy in Brazil. This body is composed of 23 representatives from multi-sectoral backgrounds – 11 from different sectors of the Brazilian government and 12 from private industry, academia, and civil society.
Furthermore, five additional members appointed by the president of Brazil will be added to the National Council to make up the Management Board. Despite the need for an independent supervisory authority, the ANPD is part of the federal government and intrinsically linked to the office of the president of Brazil. This connection has led many to believe that the ANPD will be prone to political pressures, especially when it comes to protecting data subjects against violations involving public sector companies.
There is little time left before the LGPD goes into effect, yet the ANPD is still not operational and has no enforcement mechanisms in place. In addition, the current president of Brazil has yet to make any appointments to the National Council’s Management Board. This has led to significant confusion around how the country’s data protection rules will be interpreted and enforced come August.
Data Protection Officers (DPOs)
The LGPD also requires that data controllers and processors appoint a Data Protection Officer (DPO). A DPO's job is to receive complaints and communications from data subjects, communicate with the Supervising Authority, and instruct an organization’s staff on how to best protect data subjects’ privacy. The role of the DPO can be thought of as a combination of the GDPR’s DPO and EU Representative roles, as it is responsible for communicating between an organization, data subjects, and Supervising Authorities, and also overseeing the organization’s compliance with the regulation.
However, unlike the GDPR, the LGPD’s DPO role does not have to be filled by a natural person and can be performed by a third-party legal entity or individual. Therefore, companies, committees, and working groups are all able to fulfill the responsibilities of a DPO, which means an organization could outsource this role.
Under the GDPR, DPOs are not held liable for non-compliance and cannot receive sanctions for any violations. At this point, however, the LGPD has not provided any guidance on whether DPOs will be held liable in these instances. The LGPD also states that a DPO’s identity and contact information should be publicly disclosed in a clear manner, preferably on the data controller’s website. Additional guidelines have yet to be determined, as the ANPD is still to establish the specific criteria for DPOs, including when organizations may be exempt from appointing one.
What are the Lawful Bases for Data Processing?
Much like the GDPR, Brazil’s LGPD has set directives for how an organization can legally process an individual’s data. Policy regulators are seeking to increase transparency between an organization and the data subject through this regulation. The lawful basis of consent is preferred by many organizations, because it is the most straightforward way for organizations to legally process data. Article 9 of the LGPD states that consent request forms must be clear and must include:
- Purpose of processing;
- Duration of processing;
- Identification of the data controller;
- To whom the data will be disclosed; and
- The rights of the data subject.
The law provides some examples of acceptable processing where consent is not required, including instances where the data is available for public access or when processing is necessary for any of the following:
- Compliance with a legal or regulatory obligation;
- The fulfillment of a contract or agreement;
- The legitimate interest of the data controller or third parties;
- Performance of historical, scientific and statistical research;
- Protection of life;
- Protection of health (performed by public health authorities); and
- A matter of national security, defense, and investigative activities.
It is essential for organizations to properly process and document their lawful basis for data processing. Processing sensitive data (which includes health information, biometric information, and genetic data) is subject to additional restrictions. Article 11 of the LGPD states that the processing of Sensitive Personal Data is prohibited unless (1) the controller has informed the data subject of the possible risks involved in processing sensitive data, and (2) the data subject has given precise consent that their sensitive data can be processed.
Concerning the processing of the data of minors, the LGPD states that data subjects ranging from the ages of 12 to 18 may provide consent, but must allow for revocation by parents and/or guardians.
Lastly, there are two exceptions to the law’s standard rules for processing and consent. The regulation does not apply when processing is performed by a natural person for personal reasons, or for the purpose of news reporting.
What are the Penalties?
The LGPD requires organizations to report data breaches to DPAs, and in some cases to data subjects if the DPAs deem it necessary. Companies that fall under the LGPD’s domain should be aware of the sanctions Brazil plans to impose for non-compliance. Whether related to a breach or another violation of the LGPD, monetary penalties for non-compliance can result in fines of up to 2% of global gross sales, limited to 50 million reais (approximately $12.9 million USD) per violation. Additional consequences include:
- Publication of the violation;
- Suspension of personal data processing for two years;
- Prohibition of processing sensitive data for ten years; and
- Prohibition of operations for ten years.
According to the LGPD, these consequences may be applied cumulatively, resulting in heavy reputational and monetary losses. These penalties will be determined based on the extent of the violation, as well as the effects it has on data subjects.
With the largest economy in South America, Brazil’s LGPD will have a significant impact on business operations across the continent and beyond. And with less than 6 months to prepare (and less than a year until enforcement begins), companies with Brazilian operations have much to do in a short amount of time. Though many global companies had a difficult time meeting the GDPR implementation deadline within its two-year preparation period, aligning with the LGPD may be easier for many organizations that have already undergone GDPR implementation. Since the EU set the standard for expansive privacy regulations, organizations can look to their GDPR implementation efforts to address the major similarities, differences, and pain points associated with implementing the LGPD.
To this end, we’ve put together a helpful guide that companies can use to compare the two laws and see where they stand.