Brazil’s General Data Protection Law – Updated
On August 14, 2018, Brazil approved the General Data Protection Law (officially “Lei Geral de Protecao de Dados, or “LGPD”)), with enforcement scheduled to begin August 15, 2020. Then COVID-19 struck, and the enforcement and effective dates of the LGPD were pushed back May 3, 2021 and August 15, 2021, respectively. However, last week the Brazilian Senate reversed the planned postponement of the LGPD and the law will now become effective as soon as it is approved by Brazil’s President. Companies collecting data from Brazilian residents should take note of this change, as the reversal means these companies need to get compliant immediately.
What is the LGPD’s Purpose?
The LGPD is a new Brazilian law governing the use of online and offline personal data in Brazil in the private and public sectors. Previously, Brazil had a fragmented framework of over 40 legal norms at the federal level regarding data protection and privacy, and the LGPD is replacing and/or supplementing this regulatory framework in an effort to streamline the country’s approach and make it more competitive in the modern economy. The LGPD aims to balance individual rights with economic, technological and innovation development through clear and comprehensive rules for the adequate use of personal data.
How Does the LGPD Work?
The LGPD is similar to other global data privacy laws such as GDPR and CCPA, in that it is concerned with the concept of personal data, its use by those collecting it and the rights of those from whom it is collected. Some main points of the new law include:
- Scope of application: The LGPD will apply to all sectors of the economy, both public and private, online and offline. There are some exceptions, such as national and public security; pure research, artistic and journalistic purposes; however, any practice that process personal data will be subject to the law
- Concept of personal data: Personal data is broadly defined under the LGPD to include any data, isolated or aggregated to another, that may allow the identification of a natural person or subject them to a certain behavior, such as name, address, email address, phone number or even IP address of a website visitor
- Concept of sensitive personal data: Sensitive personal data is data that could be subject to discriminatory practices, such as racial or ethnic origin, religious belief, political opinion, health or sexual life data; this type of data collection requires the express consent of the data subject
- General principles of data protection: Similar to Australia’s data privacy law (“APA”), the LGPD lists principles (10, to be specific) that should be taken into account in the processing of personal data, such as purpose limitation, necessity, transparency, security, non-discrimination and accountability, the last of which makes it mandatory for the data controller and data processor to fully and transparently demonstrate the adoption of effective measures capable of proving compliance with the rules for the protection of personal data
- Extrajurisdictional application: Most global data privacy laws affect organizations located both inside and outside of a jurisdiction (either economic region, country or state), and the LGPD is no different. Any foreign company that has at least a branch in Brazil, or offers services to the Brazilian market and collects and treats personal data of data subjects located in the country, regardless of the nationality, will be subject to the new law
- Legal grounds for data processing: The LGPD lists 10 examples of situations that authorize the use of personal data, and explicit consent is only one of them. The legal basis of “legitimate interest,” allows the use of the data for purposes other than those originally authorized by its data subjects or those that led to its disclosure, but organizations seeking to use data under should be cautioned that erroneous interpretations of “legitimate interest” have led to fines and penalties under GDPR
- Data subjects’ rights: Similar to GDPR, LGPD grants data subjects (read: individuals, generally) basic rights such as:
- Right to access to data;
- Right to rectification;
- Right to cancellation;
- Right to exclusion;
- Right to opposition to treatment;
- Right to information and explanation about the use of data; and
- Right to data portability.
- Liability: Both the data controller and the data processor can be jointly and severally liable for information security incidents and/or improper and unauthorized use of the data or for non-compliance with the law
- Mandatory data breach notification: Data breach notifications to the data protection authority is mandatory, and must be performed within a reasonable time frame, which may, based on the severity of the case, determine the notification to all data subjects involved and the widespread publicity of the incident
- Record data processing activities: All personal data processing activities must be recorded and indicate what types of personal data will be collected, the legal basis that authorizes its use, purposes, retention time, the information security practices implemented in the storage and with whom the data can be eventually shared, so organizations must engage in an effort to properly assess and map the data they are collecting and processing
- Information security standards: Organizations should take appropriate technical, security and administrative measures to protect personal data, considering the nature of the data handled, the specific characteristics of the treatment and the current state of technology
- Penalties: Administrative sanctions may be applied by authority in case of violation of LGPD. Among the sanctions, there are notices and fines, that may vary from 2 percent of the company’s, group’s or conglomerate’s turnover in Brazil in its last fiscal year, limited in total to R 50,000,000.00 (50M reais, or $9.5M USD as of the date of this post) per infraction. There is also the possibility of daily fine to compel the entity to cease violations
The LGPD will have an impact on all organizations, collecting, processing and/or transferring data from Brazilian data subjects, regardless of whether those organizations have a physical presence in the country.
How Can Clym Help to be LGPD Compliant?
Clym provides a cost-effective, scalable and flexible platform to help comply with LGPD, CCPA, GDPR, and other laws, with plans starting at just $99/month (updated March 2023). Contact us today about how your startup can implement Clym to help manage your data privacy regulation compliance from a global perspective.