Brazil’s General Data Protection Law (the “LGPD”), a law similar to the European Union’s General Data Protection Regulation (the “GDPR”), is now effective. On April 29 of this year, Brazil’s President issued Provisional Measure 959 that, amongst other things, postponed the effective date of the LGPD, which was originally set to be effective August 2020, to May 3, 2021. Brazil’s Chamber of Deputies amended the measure so that the LGPD would take effect in December 2020. The Senate then decided that any postponement was void because the effective date had already been decided by Congress. The amended measure was sent to the President for his signature, providing him with the date of September 17, 2020 to sign the measure, which would make the law effective as of the original effective date, or veto it. The President sanctioned the law and the LGPD is now effective. Although the law has taken effect, the LGPD’s enforcement provisions take effect August 1, 2021, and the provisions will be enforced by Brazil’s data protection authority, a Autoridade Nacional de Proteção Dados Pessoais (the “ANPD”), which the President established by decree in August. However, the LGPD’s private right of action for violations of data subjects’ rights is effective now. Businesses should continue to take steps to comply with the statute given its effective date and private right of action and should prepare now for when administrative sanctions become enforceable next year.
Businesses that are GDPR compliant may be well on their way to achieving compliance with the LGPD given the similarities between the legal frameworks. Yet, businesses should be mindful of several differences that may impact how they adjust their GDPR compliance programs to meet the requirements of the LGPD to the extent that businesses process data applicable to both regimes.
At a glance. This post highlights some of the material provisions of the LGPD and compares them to their equivalents in the GDPR.
Applicability. Similar to the GDPR, the LGPD applies broadly to a wide range of data processing activities, data subjects, and their information.
- The GDPR applies to the processing of personal data if such data is processed in the EU or if the purpose of the processing is to offer goods or services to or monitor the behavior of EU residents. Arts. 2 and 3 GDPR.
- The LGPD applies to the processing of personal data if such data is processed in Brazil, the purpose of the processing is to offer or provide goods or services to Brazil residents or the personal data processed belongs to Brazilian residents or was collected in Brazil. Art. 3 LGPD.
Lawful Processing of Non-Special Categories of Personal Data. Businesses likely will be able to process data under the same legal bases provided under the LGPD and the GDPR.
- Under the GDPR, processing is lawful if the data subject has consented or processing is necessary to perform a contract, comply with legal obligations, protect a natural person’s vital interests, act in the public interest, or achieve a legitimate interest of the controller or third party under certain conditions. Art. 6 GDPR.
- The LGPD includes all of the legal bases for processing listed under the GDPR. In addition, the LGPD provides that controllers may process personal data specifically to exercise rights in judicial, administrative or arbitration procedures and to protect credit. Art. 7 LGPD.
Lawful Processing of Special or Sensitive Categories of Personal Data. Although the LGPD and the GDPR share several legal bases for processing sensitive information, the LGPD does not allow businesses to process such data under the bases identified under GDPR for legitimate activities of nonprofit entities and public data.
- Under the GDPR, the processing of special categories of personal data is prohibited unless (i) the data subject has consented; (ii) data is processed under certain conditions in the course of legitimate activities of nonprofit entities in connection with their purposes; (iii) processing relates to data made public by the data subject; or (iv) processing is necessary to comply with employment, social security or social protection law, to protect the vital interest of natural persons, to exercise or defend legal claims or for public interest reasons, including those related to public health or research purposes. Art. 9 GDPR.
- The LGPD allows processing of sensitive categories of personal data if the data subject consents or processing is necessary for (i) the controller to comply with a legal obligation; (ii) shared processing of data when necessary by the public administration for the execution of public policies; (iii) research purposes; (iv) exercising rights, including in connection with a contract and in a judicial, administrative and arbitration proceeding; (v) protecting vital interests of a data subject or a third party, including health in a medical procedure; or (vi) preventing fraud and protecting the security of the data subject. Art. 11 LGPD.
Data Subject Rights. The LGPD provides to data subjects the right to data anonymization in addition to the other rights provided under the GDPR and requires businesses to respond to rights requests within fifteen (15) days.
- Under the GDPR, data subjects have the right to access, rectification, erasure, restriction, data portability, and objection, and the right against automated decision-making. Chp. 3 GDPR.
- In addition to the rights provided under the GDPR, the LGPD provides data subjects the right to request that their data be anonymized. Art. 18 LGPD. However, in response to a request to delete under the GDPR, controllers may anonymize data because, similar to the LGPD, anonymized data is not considered personal data under the GDPR.
Children’s Personal Data. The LGPD has a broader requirement than the GDPR to obtain consent for processing children’s personal data and, similar to the GDPR, extends heightened protection to children whose personal data is processed.
- Before collecting personal data of children who are younger than sixteen (16) years of age, the GDPR requires controllers to obtain the consent of a child’s legal guardian subject to certain exceptions. Any information directed to children should be provided using clear and plain language. Art. 8 GDPR.
- The LGPD broadly requires controllers to obtain the consent of a legal guardian before processing children’s data. Information directed towards children needs to be appropriate for the children’s understanding. Art. 14 LGPD.
International Transfer of Data. The LGPD provides similar mechanisms to the GDPR for transferring personal data to third countries and international organizations. Unlike the GDPR, the LGPD does not provide a list of specific derogations but many are covered by the law.
- The GDPR allows the transfer of personal data to a third country or an international organization on the bases of (i) an adequacy decision, (ii) appropriate safeguards such as binding corporate rules, standard contractual clauses, and approved codes of conduct and certification mechanisms, (iii) an international agreement; and (iv) derogations for specific situations, which includes when the transfer is made from a register intended to provide information to the public or by any person on the basis of legitimate interests. Chp. 5 GDPR.
- The LGPD allows the international transfer of personal data on the bases of (i) an adequacy decision, (ii) compliance with the LGPD as shown through contractual clauses, global corporate rules, and stamps, certificates and codes of conduct, (iii) international agreements and cooperation, (iv) the vital interest of the data subject or a third party; (v) ANPD approval, (vi) public interest; and (vii) data subject consent. Art. 33 LGPD. Unlike the GDPR, the LGPD does not provide for international transfers on the basis of a register intending to provide information to the public or legitimate interests as provided under the GDPR.
Controller and Processor Obligations. Generally, the LGPD has similar controller and processor obligations to the GDPR with differences in data record maintenance, data protection impact assessment, and the appointment of data protection officers.
- Under the GDPR, controllers and processors are required to maintain records of processing data activities; implement appropriate and technical measures, including data protection policies, to protect personal data; conduct data protection impact assessments in certain circumstances; provide notice of data breaches to supervisory authorities and data subjects; and designate a data protection officer under certain conditions. Chp. 4 GDPR.
- Similarly, the LGPD requires controllers and processors to maintain processing records; adopt security, technical and administrative measures to protect personal data; conduct data protection impact reports upon the ANPD’s request; provide notice of certain security incidents; and appoint a data protection officer. Chp. IV §§ I and II; Chp. VII §§ I and II; and Art. 41 LGPD.
Security Breach Notifications. The LGPD has a lower threshold than the GDPR for providing notice of security incidents and a potentially longer timeframe than the GDPR in which to provide notice to regulators.
- Under the GDPR, controllers are required to provide notice (a) to supervisory authorities within seventy-two (72) hours unless the security incident is unlikely to result in a risk to data subjects and (b) to data subjects without undue delay if the security incident is likely to result in a high risk to the data subjects. Arts. 33 and 34 GDPR.
- The LGPD requires businesses to notify the ANPD and affected data subjects within a reasonable amount of time if the incident may cause harm to data subjects. Art. 48 LGPD.
Administrative Sanctions. The LGPD imposes significantly less severe fines than the GDPR since they are based on businesses’ revenue in Brazil as compared to fines based on businesses’ revenue worldwide as provided under the GDPR.
- Under the GDPR, controllers and processors may be subject to a fine of two percent (2%) of worldwide revenue up to 10,000,000 EUR for lower-level violations and four percent (4%) of worldwide revenue up to 20,000,000 EUR for higher-level violations. Art. 83 GDPR.
- Under the LGPD, controllers and processors may be subject to a fine of up to two percent (2%) of revenues in Brazil up to a total of R$ 50,000,000. Art. 52 LGPD.
The ANPD is responsible for developing regulations and interpretive guidance related to the LGPD. We will continue to analyze the requirements imposed on businesses by the LGPD as regulations and guidance are released.