02 October 2020
Brazil's new privacy law, Lei Geral de Proteção de Dados (LGPD), and the EU's General Data Protection Regulation (GDPR) look pretty similar. In fact, they are practically identical in many places.
However, there are a few important differences between the two laws. If you're more familiar with one than the other, it's crucial to be aware of these distinctions.
Here's a run-down of the similarities and the differences between the LGPD and the GDPR.
Before we get into a detailed comparison between the GDPR and the LGPD, here are a few ways in which these two laws are fundamentally similar:
First, we're going to look at the differences in how each law defines key terms.
Here's the GDPR's definition of "personal data," at Article 4 (1):
"...any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier..."
The LGPD defines "personal data" as "information regarding an identified or identifiable natural person."
These definitions are practically identical, and the small difference is probably down to translation. However, whereas the GDPR provides examples of personal data, the LGPD does not. This means that there might be more room for interpretation of the LGPD.
The GDPR calls sensitive personal data "special categories of personal data."
The special categories of personal data under the GDPR include information about the following things:
The list of "sensitive personal data" in the LGPD is identical, except that it includes one additional category: information regarding an individual's membership of religious, philosophical, or political groups.
The terms "controller" and "processor" are present in both the GDPR and the LGPD, but they are defined differently in the two laws.
|Law||Controller||Processor|
|GDPR||"The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data..."||"A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller."|
|LGPD||"Natural person or legal entity, of public or private law, that has competence to make the decisions regarding the processing of personal data."||"Natural person or legal entity, of public or private law, that processes personal data in the name of the controller."|
Despite the different wording, the GDPR's definitions have retained the same core meanings in the LGPD.
The LGPD's definition omits the phrase "alone or jointly with others." Accordingly, unlike the GDPR, the LGPD does not include the concept of "joint controllers."
At the core of both the GDPR and the LGPD are sets of principles, requirements, and data subject rights.
The GDPR provides seven principles of data processing, whereas the LGPD provides ten.
Here's a breakdown of how data processing principles differ and overlap across the GDPR and the LGPD.
|Principle||GDPR||LGPD||Notes|
|Lawfulness, fairness, and transparency||Yes||Partly||The LGPD does not contain this principle, but the same concepts exist across its "transparency," "prevention," and "non-discrimination" principles.|
|Data minimization||Yes||Partly||The LGPD's "necessity" principle is comparable to the GDPR's "data minimization."|
|Accuracy||Yes||Partly||A similar principle to "accuracy" in the LGPD translates as "quality of the data" or "data quality."|
|Storage limitation||Yes||No||The concept of "storage limitation" is arguably covered by the LGPD's "necessity" principle.|
|Integrity and confidentiality||Yes||Yes||"Integrity and confidentiality" translates as "security" in the LGPD.|
|Free access||No||Yes||The LGPD integrates its "right of access" into its "free access" principle.|
|Prevention||Partly||Yes||The "prevention of harm" principle is arguably inherent in the GDPR's "lawfulness, fairness, and transparency" principle.|
Many of these differences come down to translation and drafting choices. Compliance with the GDPR's principles should ensure compliance with those of the LGPD, and vice versa.
The LGPD's "requirements for processing" are equivalent to the GDPR's "lawful bases for processing." Again, there is significant overlap between the two laws in this area.
Here's a breakdown of how the "lawful bases" and the "requirements" differ and overlap across the GDPR and the LGPD:
|Lawful basis / requirement||GDPR||LGPD||Notes|
|Consent||Yes||Yes||The LGPD's definition of consent differs very slightly from the GDPR's, as we will see below.|
|Vital interests||Yes||Yes||The LGPD translation uses the phrase "protection of life or physical safety" rather than "vital interests."|
|Public task||Yes||Yes||The GDPR specifies that processing can be "in the public interest," as well as "in the exercise of official authority," whereas the LGPD appears to focus only on public authorities.|
|Research||No||Yes||Rather than containing a lawful basis of "research," the GDPR contains many exemptions for those carrying out research.|
|Legal rights||No||Yes||Again, the GDPR contains exemptions for those exercising legal rights, but no "legal rights" lawful basis. Also, the LGPD makes specific reference to the Brazilian Arbitration Law.|
|Health||Partly||Yes||It isn't clear why the LGPD contains a "health" requirement in addition to its "vital interests"-equivalent requirement when they arguably achieve the same ends.|
|Credit||No||Yes||The "protection of credit" requirement is one of the unique provisions of the LGPD. However, "the protection of credit" could arguably be covered by the GDPR's lawful basis of "contract."|
Companies whose processing activities all occur under one of the GDPR's lawful bases will likely also be compliant with the LGPD.
The "data subject rights" are expressed quite differently across the GDPR and the LGPD. However, there is little substantial difference between the two.
|Data subject right||GDPR||LGPD||Notes|
|Right of access||Yes||Yes||There are some minor differences between the types of information a data controller must provide under the GDPR and LGPD, but both require near-total transparency. Under the GDPR, the deadline for complying with an access request is 30 days, plus an additional 30 days if required. Under the LGPD, the deadline is 15 days.|
|Right to rectification||Yes||Yes|
|Right to erasure||Yes||Yes||The "right to erasure" is split over two rights in the LGPD. The first requires deletion of data that is excessive, unnecessary, or unlawful. The second requires the deletion of data on request if it has been collected based on consent. The right to erasure is subject to a similar range of exceptions under both laws.|
|Right to restriction of processing||Yes||No|
|Right to data portability||Yes||Yes||Under the LGPD, the right to transfer personal data "to another service or product provider" is available "pursuant to the regulation of the controlling agency."|
|Right to object||Yes||Partly||Under the GDPR, the right to object covers personal data collected based on "consent" and (in some cases) "legitimate interests." It also provides an absolute right to object to direct marketing. There is no "right to object" in the LGPD, but the data subject has the right to withdraw consent.|
|Rights concerning wholly automated processing||Yes||Yes||The GDPR states that data subjects have the right not to be subject to wholly automated decision-making with legal or similarly significant effects. Some Data Protection Authorities interpret this as a ban on such decisions. Others interpret it as allowing the data subject to request a human review of such decisions. The LGPD comes down on the latter side of this debate, in that it specifies that the data subject may request a human review of wholly automated decisions.|
The LGPD also contains several additional rights that are implicitly present in the GDPR, but not among the "data subject rights" enumerated across Section 2, such as:
Here's a breakdown of what such a document must contain in each law:
|Information||GDPR||LGPD||Notes|
|Name of the controller||Yes||Yes|
|Contact details for the controller||Yes||Yes|
|Categories of personal data processed||Yes||No|
|Purposes for processing personal data||Yes||Yes|
|Lawful basis for processing each category of personal data||Yes||No|
|Categories of third-party recipients of personal data||Yes||Partly||The LGPD specifies that controllers must provide "information regarding the shared use of data by the controller and the purpose."|
|Safeguards for international transfers of personal data||Yes (if relevant)||No|
|Personal data storage periods||Yes||Yes||The LGPD specifies that controllers must disclose "the duration of the processing," rather than personal data storage periods. However, storage is a method of processing, so this amounts to the same thing.|
|Information about data subject rights||Yes||Yes|
|Right to revoke consent||Yes (if relevant)||Yes (if relevant)|
|Right to make a complaint to the Data Protection Authority||Yes||Yes||The LGPD lists "the right to make a complaint" among its data subject rights.|
|Existence of automated processing and its consequences||Yes (if relevant)||Yes (if relevant)|
|Responsibilities of the agents (controllers and processors) that will carry out the processing||No||Yes|
The LGPD defines "consent" as a "free, informed and unambiguous manifestation whereby the data subject agrees to her/his processing of personal data for a given purpose."
The GDPR defines "consent" as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
These definitions share the following elements:
The LGPD lacks the "affirmative action" element of the GDPR's definition.
These definitions are very similar. This implies that the LGPD is likely to require strong, opt-in consent, meaning "pre-ticked boxes" and other forms of "implied consent" will be invalid.
Data security is one area where the GDPR and the LGPD appear to diverge quite significantly.
The LGPD requires organizations to adopt "technical and administrative measures" to safeguard personal data. However, it is left to the National Data Protection Authority to establish what these measures should be.
Under both laws, organizations can consider factors such as cost, the nature of the personal data, and the severity of risk when deciding what safeguards to impose.
Both the GDPR and the LGPD require controllers to undertake a Data Protection Impact Assessment (DPIA) (known as an "impact report" in the LGPD) where the personal data is sensitive in nature, or where the means of processing are particularly risky or experimental.
Both laws require the organization to report data breaches to the Data Protection Authority. The GDPR specifies a maximum time limit of 72 hours, whereas the LGPD says that the notification must occur within "a reasonable time period, as defined by the national authority."
Both laws require organizations to write a data breach notification letter containing information concerning the consequences of the breach, and any steps taken to contain or mitigate it.
The difference between the two laws' reporting obligations is that the GDPR is more detailed, requiring controllers to notify the Data Protection Authority of:
"...the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned."
The LGPD simply requires:
"...a description of the nature of the affected personal data [and] information on the data subjects involved."
The GDPR also requires controllers to notify the affected data subjects if the breach results in "a high risk to [their] rights and freedoms."
The LGPD does not mention a requirement to notify data subjects, but states that the National Data Protection Authority may require a "broad disclosure of the event in communications media."
Both laws make warnings, reprimands, and injunctions available to Data Protection Authorities. Both laws contain a "private right of action," allowing data subjects to take a privacy case to court.
Violating the GDPR can result in the following penalties:
Violating the LGPD can result in:
While the maximum one-off fines are lower under the LGPD, its daily fines could potentially stack up to some huge sums.
Businesses operating in Brazil have until August 1, 2021, to meet the LGPD's requirements. Those who have worked hard to become GDPR-compliant will not need to make many changes to comply with the LGPD.
Although the Brazilian law is shorter in form, it imposes many of the same obligations as the GDPR. At the core of the LGPD are its principles, requirements, and data subject rights. These sections are all very similar to their EU counterparts.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.