Brazil's LGPD vs. the GDPR

Brazil's new privacy law, Lei Geral de Proteção de Dados (LGPD), and the EU's General Data Protection Regulation (GDPR) look pretty similar. In fact, they are practically identical in many places.

However, there are a few important differences between the two laws. If you're more familiar with one than the other, it's crucial to be aware of these distinctions.

Here's a run-down of the similarities and the differences between the LGPD and the GDPR.


The Basics

Before we get into a detailed comparison between the GDPR and the LGPD, here are a few ways in which these two laws are fundamentally similar:

  • They both have extraterritorial application (the LGPD applies to non-Brazilian businesses operating in Brazil, and the GDPR applies to non-EU businesses operating in the EU).
  • They both apply to people, businesses, public bodies, and charities in every sector, and of every size.
  • They're both enforced by regulators (the Data Protection Authorities in each EU country, and the Brazilian National Data Protection Authority).

Definitions

First, we're going to look at the differences in how each law defines key terms.

Personal Data

Here's the GDPR's definition of "personal data," at Article 4 (1):

"...any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier..."

The LGPD defines "personal data" as "information regarding an identified or identifiable natural person."

These definitions are practically identical, and the small difference is probably down to translation. However, whereas the GDPR provides examples of personal data, the LGPD does not. This means that there might be more room for interpretation of the LGPD.

Sensitive Personal Data

The GDPR calls sensitive personal data "special categories of personal data."

The special categories of personal data under the GDPR include information about the following things:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Health
  • Sex life
  • Genetic data
  • Biometric data

The list of "sensitive personal data" in the LGPD is identical, except that it includes one additional category: information regarding an individual's membership of religious, philosophical, or political groups.

Controllers and Processors

The terms "controller" and "processor" are present in both the GDPR and the LGPD, but they are defined differently in the two laws.

  • GDPR, controller: "The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data..."
  • GDPR, processor: "A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller."
  • LGPD, controller: "Natural person or legal entity, of public or private law, that has competence to make the decisions regarding the processing of personal data."
  • LGPD, processor: "Natural person or legal entity, of public or private law, that processes personal data in the name of the controller."

Despite the different wording, the GDPR's definitions have retained the same core meanings in the LGPD.

The LGPD's definition omits the phrase "alone or jointly with others." Accordingly, unlike the GDPR, the LGPD does not include the concept of "joint controllers."

Principles, Requirements, and Rights

At the core of both the GDPR and the LGPD are sets of principles, requirements, and data subject rights.

Principles

The GDPR provides seven principles of data processing, whereas the LGPD provides ten.

Here's a breakdown of how data processing principles differ and overlap across the GDPR and the LGPD.

  • Lawfulness, fairness, and transparency (GDPR: Yes; LGPD: Partly). The LGPD does not contain this principle, but the same concepts exist across its "transparency," "prevention," and "non-discrimination" principles.
  • Purpose limitation (GDPR: Yes; LGPD: Yes).
  • Data minimization (GDPR: Yes; LGPD: Partly). The LGPD's "necessity" principle is comparable to the GDPR's "data minimization."
  • Accuracy (GDPR: Yes; LGPD: Partly). The LGPD's comparable principle translates as "quality of the data" or "data quality."
  • Storage limitation (GDPR: Yes; LGPD: No). The concept of "storage limitation" is arguably covered by the LGPD's "necessity" principle.
  • Integrity and confidentiality (GDPR: Yes; LGPD: Yes). "Integrity and confidentiality" translates as "security" in the LGPD.
  • Accountability (GDPR: Yes; LGPD: Yes).
  • Free access (GDPR: No; LGPD: Yes). The LGPD integrates its "right of access" into its "free access" principle.
  • Prevention (GDPR: Partly; LGPD: Yes). The "prevention of harm" principle is arguably inherent in the GDPR's "lawfulness, fairness, and transparency" principle.
  • Non-discrimination (GDPR: Partly; LGPD: Yes).

Many of these differences come down to translation and drafting choices. Compliance with the GDPR's principles should ensure compliance with those of the LGPD, and vice versa.

Lawful Bases/Requirements

The LGPD's "requirements for processing" are equivalent to GDPR's "lawful bases for processing." Again, there is significant overlap between the two laws in this area.

Here's a breakdown of how the "lawful bases" and the "requirements" differ and overlap across the GDPR and the LGPD:

  • Consent (GDPR: Yes; LGPD: Yes). The LGPD's definition of consent differs very slightly from the GDPR's, as we will see below.
  • Contract (GDPR: Yes; LGPD: Yes).
  • Legal obligation (GDPR: Yes; LGPD: Yes).
  • Vital interests (GDPR: Yes; LGPD: Yes). The LGPD translation uses the phrase "protection of life or physical safety" rather than "vital interests."
  • Public task (GDPR: Yes; LGPD: Yes). The GDPR specifies that processing can be "in the public interest," as well as "in the exercise of official authority," whereas the LGPD appears to focus only on public authorities.
  • Legitimate interests (GDPR: Yes; LGPD: Yes).
  • Research (GDPR: No; LGPD: Yes). Rather than containing a lawful basis of "research," the GDPR contains many exemptions for those carrying out research.
  • Legal rights (GDPR: No; LGPD: Yes). Again, the GDPR contains exemptions for those exercising legal rights, but no "legal rights" lawful basis. Also, the LGPD makes specific reference to the Brazilian Arbitration Law.
  • Health (GDPR: Partly; LGPD: Yes). It isn't clear why the LGPD contains a "health" requirement in addition to its "vital interests"-equivalent requirement, when they arguably achieve the same ends.
  • Credit (GDPR: No; LGPD: Yes). The "protection of credit" requirement is one of the unique provisions of the LGPD. However, "the protection of credit" could arguably be covered by the GDPR's lawful basis of "contract."

Companies whose processing activities all occur under one of the GDPR's lawful bases will likely also be compliant with the LGPD.

Data Subject Rights

The "data subject rights" are expressed quite differently across the GDPR and the LGPD. However, there is little substantial difference between the two.

  • Right of access (GDPR: Yes; LGPD: Yes). There are some minor differences between the types of information a data controller must provide under the GDPR and the LGPD, but both require near-total transparency. Under the GDPR, the deadline for complying with an access request is 30 days, plus an additional 30 days if required. Under the LGPD, the deadline is 15 days.
  • Right to rectification (GDPR: Yes; LGPD: Yes).
  • Right to erasure (GDPR: Yes; LGPD: Yes). The "right to erasure" is split over two rights in the LGPD. The first requires deletion of data that is excessive, unnecessary, or unlawful. The second requires the deletion of data on request if it has been collected based on consent. The right to erasure is subject to a similar range of exceptions under both laws.
  • Right to restriction of processing (GDPR: Yes; LGPD: No).
  • Right to data portability (GDPR: Yes; LGPD: Yes). Under the LGPD, the right to transfer personal data "to another service or product provider" is available "pursuant to the regulation of the controlling agency."
  • Right to object (GDPR: Yes; LGPD: Partly). Under the GDPR, the right to object covers personal data collected based on "consent" and (in some cases) "legitimate interests." It also provides an absolute right to object to direct marketing. There is no "right to object" in the LGPD, but the data subject has the right to withdraw consent.
  • Rights concerning wholly automated processing (GDPR: Yes; LGPD: Yes). The GDPR states that data subjects have the right not to be subject to wholly automated decision-making with legal or similarly significant effects. Some Data Protection Authorities interpret this as a ban on such decisions. Others interpret it as allowing the data subject to request a human review of such decisions. The LGPD comes down on the latter side of this debate, in that it specifies that the data subject may request a human review of wholly automated decisions.

The LGPD also contains several additional rights that are implicitly present in the GDPR, but not among the "data subject rights" enumerated across Section 2, such as:

  • The right to information about public and private entities with which the controller has shared data
  • The right to information about the possibility of denying consent and the consequences of such denial
  • The right to revoke consent

Privacy Policy

Neither the GDPR nor the LGPD explicitly refer to a "Privacy Policy," but both laws require controllers to provide clear and transparent information to data subjects about their processing activities.

Here's a breakdown of what such a document must contain in each law:

  • Name of the controller (GDPR: Yes; LGPD: Yes).
  • Contact details for the controller (GDPR: Yes; LGPD: Yes).
  • Categories of personal data processed (GDPR: Yes; LGPD: No).
  • Purposes for processing personal data (GDPR: Yes; LGPD: Yes).
  • Lawful basis for processing each category of personal data (GDPR: Yes; LGPD: No).
  • Categories of third-party recipients of personal data (GDPR: Yes; LGPD: Partly). The LGPD specifies that controllers must provide "information regarding the shared use of data by the controller and the purpose."
  • Safeguards for international transfers of personal data (GDPR: Yes, if relevant; LGPD: No).
  • Personal data storage periods (GDPR: Yes; LGPD: Yes). The LGPD specifies that controllers must disclose "the duration of the processing," rather than personal data storage periods. However, storage is a method of processing, so this amounts to the same thing.
  • Information about data subject rights (GDPR: Yes; LGPD: Yes).
  • Right to revoke consent (GDPR: Yes, if relevant; LGPD: Yes, if relevant).
  • Right to make a complaint to the Data Protection Authority (GDPR: Yes; LGPD: Yes). The LGPD lists "the right to make a complaint" among its data subject rights.
  • Existence of automated processing and its consequences (GDPR: Yes, if relevant; LGPD: Yes, if relevant).
  • Responsibilities of the agents (controllers and processors) that will carry out the processing (GDPR: No; LGPD: Yes).

The upshot of the above is that, if you have a GDPR-compliant Privacy Policy, it will require few amendments to make it compliant with the LGPD.

Consent

The LGPD defines "consent" as a "free, informed and unambiguous manifestation whereby the data subject agrees to her/his processing of personal data for a given purpose."

The GDPR defines "consent" as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."

These definitions share the following elements:

  • Free
  • Informed
  • Unambiguous
  • Specific/For a given purpose

The LGPD lacks the "affirmative action" element of the GDPR's definition.

Otherwise, the definitions are very similar. This implies that the LGPD is likely to require strong, opt-in consent, meaning that "pre-ticked boxes" and other forms of "implied consent" will be invalid.

Data Security

Data security is one area where the GDPR and the LGPD appear to diverge quite significantly.

Data Security Rules

The GDPR's data security requirements are set out across Article 32, and include pseudonymizing and encrypting personal data where possible and regularly testing security systems.

The LGPD requires organizations to adopt "technical and administrative measures" to safeguard personal data. However, it is left to the National Data Protection Authority to establish what these measures should be.

Under both laws, organizations can consider factors such as cost, the nature of the personal data, and the severity of risk when deciding what safeguards to impose.

Both the GDPR and the LGPD require controllers to undertake a Data Protection Impact Assessment (DPIA), known as an "impact report" in the LGPD, where the personal data is sensitive in nature, or where the means of processing are particularly risky or experimental.

Data Breach Notification

Both laws require organizations to report data breaches to the Data Protection Authority. The GDPR specifies a maximum time limit of 72 hours, whereas the LGPD says that the notification must occur within "a reasonable time period, as defined by the national authority."

Both laws require organizations to write a data breach notification letter containing information concerning the consequences of the breach, and any steps taken to contain or mitigate it.

The difference between the two laws' reporting obligations is that the GDPR is more detailed, requiring controllers to notify the Data Protection Authority of:

"...the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned."

The LGPD simply requires:

"...a description of the nature of the affected personal data [and] information on the data subjects involved."

The GDPR also requires controllers to notify the affected data subjects if the breach results in "a high risk to [their] rights and freedoms."

The LGPD does not mention a requirement to notify data subjects, but states that the National Data Protection Authority may require a "broad disclosure of the event in communications media."

Penalties

Both laws make warnings, reprimands, and injunctions available to Data Protection Authorities. Both laws contain a "private right of action," allowing data subjects to take a privacy case to court.

Violating the GDPR can result in the following penalties:

  • For less serious violations, a fine of up to €10 million (approximately $11 million) or 2% of total worldwide turnover (whichever is greater)
  • For more serious violations, a fine of up to €20 million ($22 million) or 4% of total worldwide turnover (whichever is greater)

Violating the LGPD can result in:

  • A fine of up to 2% of a company's gross revenue in Brazil for the previous financial year, up to a maximum of R$ 50,000,000 per violation (approximately $9,500,000 USD)
  • A daily fine of no more than R$ 50,000,000

While the maximum one-off fines are lower under the LGPD, its daily fines could potentially stack up to some huge sums.

Summary

Businesses operating in Brazil have until August 1, 2021, to meet the LGPD's requirements. Those who have worked hard to become GDPR-compliant will not need to make many changes to comply with the LGPD.

Although the Brazilian law is shorter in form, it imposes many of the same obligations as the GDPR. At the core of the LGPD are its principles, requirements, and data subject rights. These sections are all very similar to their EU counterparts.

Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.