On August 14, Brazil adopted its new General Data Protection Law (LGPD) designed to replace and/or supplement its existing sectoral privacy framework. Brazil’s LGPD echoes many of the components of the GDPR and will likely serve as part of Brazil’s own push for a reciprocal adequacy finding from the European Commission similar to the one Japan received this past July. In addition to the LGPD, President Temer has stated that the government will establish a Brazilian national data protection authority (DPA) with a separate bill.
Like the GDPR, Brazil’s LGPD includes an expanded definition of personal data and contains purpose and use limitations for processing of that data. Article 5 defines personal data to include any information relatable to an identified or identifiable natural person. While anonymized data is not subject to LGPD requirements, the law defines anonymized data as data relating to a data subject who cannot be identified using reasonable technical means available at the time of the processing. Also like the GDPR, the law defines a narrower band of sensitive personal data including data about racial or ethnic origin, religious belief, political opinion, genetics, biometrics, or health or sex life.
Under Article 3 the LGPD applies to any entity (1) processing data in Brazil, (2) conducting data processing for the purpose of offering or supplying goods or services in Brazil, (3) processing data of individuals physically located in Brazil, or (4) processing data collected from an individual who physically present in Brazil at the time of collection.
For companies in scope, all data processing operations must comply with the LGPD except for the following types of processing listed in Article 4:
- Processing by a natural person for exclusively private and non-economic purposes;
- processing for exclusively journalistic and artistic purposes;
- processing for exclusively academic purposes;
- processing carried out for the sole purpose of national defense or national security; and
- processing carried out for the sole purpose of the investigation and prosecution of criminal offenses.
Article 4 clarifies that these types of processing will be governed by a separate, specific law based on the same general principles regarding data protection and data subject rights contained in the LGPD.
The LGPD creates a new set of obligations, oversight mechanisms, and data subject rights, many of which are similar to those found in the GDPR. These new provisions include:
- Legal bases. The law requires that companies to identify the legal basis or bases for the collection and processing of personal information. Generally, companies are restricted to use personal information only for the purposes for which it was collected. Where the company has a legitimate interest in processing the data for purposes other than those for which it was collected, however, such use may be permitted depending on the balance of interests between the controller and the data subject(s). Where processing is conducted on the basis of the company’s legitimate interest, Article 10 requires that only personal data strictly required for the purpose may be processed, and the supervisory authority may request a data protection impact assessment.
- Free and Informed Consent. Similar to the GDPR, the LGPD defines consent as a free, informed, and unequivocal pronouncement by which the data subject agrees to the processing of his or her personal data for a specific purpose. Per Article 7, the Brazilian supervisory authority may specify a required form for providing consent, but must at a minimum be provided in writing or another means that proves the data subject’s intent. If provided in writing as part of a contract, Article 8 states that consent must be included in a separate clause. The data subject may revoke consent at any time, and the controller must offer a free and facilitated procedure for the data subject to do so.
- Transparency. The LGPD requires companies to transparently demonstrate the measures they use to comply with the law’s requirements, including through the use of data protection assessments. Like the GDPR, the LGPD also creates the new mechanism of data protection impact assessments (DPIAs) which may be mandatory based on either heightened risk of processing or upon request from the DPA where the processing is based on a legitimate interest. Controllers are also required to keep records of their personal data processing operations, particularly where the processing is based on legitimate interests.
- Mandatory Data Breach Notification. Under the LGPD, companies are required to notify the DPA within a reasonable time frame, as defined by the DPA, after a data breach. While the LGPD does not set a presumptive 72-hour deadline, given the overall similarity of the new legal framework to the GDPR it would be reasonable to anticipate a strict interpretation of a “reasonable” time frame. Once notified, the DPA will determine whether to require the company to notify affected individuals, publicize the incident in the media, and/or take specific steps to reverse or mitigate any negative effects of the incident.
- Data Subject Rights. Like the GPDR, the LGPD enumerates a list of data subject rights including access, rectification, cancellation or exclusion, objection, and data portability. The data portability right closely mirrors the GDPR and requires that data subjects be allowed to request a full copy of their data in an interoperable electronic format. Data subject are also entitled to appeal any decision based on the automated processing of person data that affects the data subject’s interests to a natural person.
- International Data Transfers. The LGPD lists the different mechanisms under which a company may transfer personal information outside of Brazil, including express prior consent by the data subject, standard contractual clauses, binding corporate rules, adequacy findings for the destination country, and the adoption of seals, certificates, and codes of conduct to be issued and authorized by the DPA. The supervisory authority may also authorize a transfer of data separate and apart from the other approved mechanisms.
- Record Keeping. Companies subject to the LGPD will be required to keep records of their collection and processing of personal information throughout the data life cycle, including the types of personal information collected, the legal basis or bases for processing, the purpose of the collection and processing, the retention time, the applicable information security practices, and the recipients with whom the data can be eventually shared.
- Privacy by Design and Default. The LGPD obligates companies to adopt a design, production, and business model that incorporates the law’s principles and standards from the inception through completion and offering of new products and services. Where these products and services allow users to set the level of privacy protections for their data, they should default to the most restrictive possible settings.
- Penalties. Violations of the LGPD can be subject to administrative sanctions up to 2 percent of the entity’s turnover in Brazil in the last fiscal year, limited to 50 million Reais (roughly €11 million) per infraction. The LGPD also provides for potential fines that would accrue daily where violations are found to be ongoing.
The LGPD will enter into force 18 months after official publication, which will likely be February 2020.