Brazil's data protection law, Lei Geral de Proteção de Dados (LGPD), is finally here. The LGPD is a long and detailed law that will significantly impact day-to-day business in Brazil.
Among other provisions, the law sets out:
- Sets out guiding principles for processing personal data
- Provides consumers with a set of rights over their data
- Lays down some rules regarding the reporting of data breaches
- Establishes a Brazilian National Data Protection Authority (ANPD)
Every business with Brazilian customers, partners, or clients must have a solid understanding of the LGPD. We're here to help with that.
At Step 1, select the Website option or App option or both.
Answer some questions about your website or app.
Answer some questions about your business.
- 1. Brazil's LGPD: The Basics
- 1.1. When Does the LGDP Take Effect?
- 1.2. Who is Covered by the LGPD?
- 2. Brazil's LGPD: Definitions
- 2.1. How Does the LGPD Define "Personal Data?"
- 2.2. What is "Sensitive Personal Data?"
- 2.3. What is a "Data Subject?"
- 2.4. What are "Controllers" and "Processors?"
- 3. Brazil's LGPD: Principles, Requirements, and Rights
- 3.1. What are the LGPD's "Principles of Data Processing?"
- 3.2. What are the LGPD's "Requirements for Processing?"
- 3.3. What are the LGPD's "Data Subject Rights?"
- 3.5. How Does Consent Work Under the LGPD?
- 4. Brazil's LGPD: Data Security
- 4.1. What are the LGPD's Data Security Rules?
- 4.2. What are the LGPD's Data Breach Notification Rules?
- 4.3. What are the LGPD's Rules for International Data Transfers?
- 5. What are the Penalties for Violating the LGPD?
- 6. LGPD Compliance Checklist
Brazil's LGPD: The Basics
Those familiar with the EU General Data Protection Regulation (GDPR) will find many sections of the LGPD familiar. This is no coincidence: Brazil developed the LGPD partly as a step towards striking a data-sharing "adequacy" agreement with the EU.
When Does the LGDP Take Effect?
Originally passed in 2018, the enactment of the LGDP has been pushed back several times. The Brazilian Senate recently rejected a bid by the President to push it back even further. The law will finally come into effect in September 2020.
Once the President has signed the bill, the LGPD will retroactively take effect from August 14, 2020. However, the law will not be enforced until August 1, 2021, so businesses have a short transition period in which to become fully compliant.
Who is Covered by the LGPD?
The LGPD applies to organizations all over the world, not just in Brazil. Regardless of size, turnover, or sector, a person or organization will be covered by the LGPD if it is:
- Processing personal data in Brazil, or
- Processing the personal data of people situated in Brazil, or
- Offering goods or services to Brazilian consumers, or
- Processing personal data that was collected in Brazil
So, if you have customers, business partners, employees, or contractors in Brazil, you should comply with the LGPD.
Brazil's LGPD: Definitions
The LGPD gives definitions to important terms across Article 5. These definitions help define the law's scope and jurisdiction.
How Does the LGPD Define "Personal Data?"
The LGPD defines "personal data" as "information regarding an identified or identifiable natural person."
"Natural person" means a living individual, as opposed to a "legal person," such as a corporation.
Unlike certain US privacy laws, such as the NY Shield Act and Washington D.C. Data Breach Notification Law, the LGPD doesn't limit its definition of personal data to a set of specific identifiers. In fact, the law doesn't provide any examples of "personal data" at all.
The LGPD's definition of personal data derives from the GDPR. As such, we can expect to see the Brazilian regulator take a broad view of what constitutes personal data, including:
- Names and initials
- Contact details such as email addresses, physical addresses, and phone numbers
- A person's views (e.g., posts on a website or social media)
- Opinions about a person (e.g., a human resources file)
It's also likely that the LGPD will also recognize computer-generated information such as IP addresses, cookie data, and advertising IDs. Brazil's internet law (known as the "Marco Civil," available here) covers such data types.
"Processing" personal information means doing something to or with it: collecting it, sharing it, erasing it, etc.
What is "Sensitive Personal Data?"
The LGPD defines specific types of information as "sensitive personal data," which means any Information relating to an individual's:
- Ethnic origin
- Political opinions
- Trade union membership
- Membership of religious, philosophical or political groups
- Sex life
- Genetic data
- Biometric data
There are special rules regarding sensitive personal data and you must take particular care when processing it.
What is a "Data Subject?"
The LGPD uses the term "data subject" to mean the individual to whom personal data relates.
From your company's perspective, a data subject could be anyone: your customers, employees, or anyone else who comes into contact with your business.
What are "Controllers" and "Processors?"
The main players in Brazil's LGPD are the "controller" and the "processor."
A "controller" is a public or private entity that "has competence to make the decisions regarding the processing of personal data." When a company collects email addresses for members of its mailing list, it is the controller of that personal data.
A "processor" is a public or private entity that "processes personal data in the name of the controller." When an email marketing company receives a business' mailing list and emails its customers on the business' behalf, it is acting as a processor.
Brazil's LGPD: Principles, Requirements, and Rights
The LGPD provides guiding principles and strict rules for businesses, and grants individuals rights over their personal data.
What are the LGPD's "Principles of Data Processing?"
The LGPD provides ten principles of data processing. All processing of personal data must take place according to these principles:
- Purpose: You must only process personal data for a legitimate and specified purpose.
- Suitability: You must only process personal data in a way that is compatible with the context in which it was collected.
- Necessity: You must only process personal data that is relevant, proportional, and necessary to achieve a specific purpose.
- Free access: You must provide data subjects with information about the form, duration, and integrity of the processing of their personal data.
- Data quality: You must keep personal data accurate, clear, relevant, and up-to-date.
- Transparency: You must provide clear, precise, and easily accessible information about how you process personal information.
- Security: You must implement technical and administrative measures to protect personal data from unauthorized access and accidental loss.
- Prevention: You must ensure that your processing of personal data does not cause harm.
- Non-discrimination: You must not process personal data in ways that are unlawful, abusive, or discriminatory.
- Accountability: You must be able to demonstrate that you are compliant with privacy and data protection law.
What are the LGPD's "Requirements for Processing?"
The LGPD contains ten "requirements for processing." You must meet one of these requirements before processing personal data.
Think of the requirements like valid, lawful reasons for which you may process personal data. If you don't have one of the following ten reasons for processing personal data, you must not do so:
- Consent: You have the free, informed, and unambiguous agreement of the data subject to process their personal data for a specific purpose.
- Legal obligation: You need to process personal data to comply with a law or regulation.
- Public task: You need to process personal data to execute public policy.
- Research: You need to process personal data to carry out a study for a research entity (you must anonymize personal data where possible).
- Contract: You need to process personal data to carry out contractual obligations or enter into a contract at the data subject's request.
- Legal rights: You need to process personal data to exercise legal rights, or arbitration rights pursuant to the Brazilian Arbitration Law (available in English here).
- Vital interests: You need to process personal data to protect the life or safety of the data subject or another person.
- Health: You need to process personal data to protect a person's health in a procedure carried out by a health professional.
- Legitimate interests: You have a legitimate interest in processing personal data that outweighs any risks to the data subject's rights and freedoms.
- Credit: You need to process personal information to protect the data subject's credit rating.
What are the LGPD's "Data Subject Rights?"
The LGPD provides nine rights for individuals over their personal data, known as the "data subject rights."
As the controller of an individual's personal data, you are responsible for safeguarding and facilitating their rights.
The nine data subject rights appear at Article 18 of the LGDP and are as follows:
- You must confirm whether you have processed an individual's personal data on request.
- You must provide access to an individual's personal data on request.
- You must correct an individual's personal data if it is inaccurate, incomplete, or out-of-date.
- You must erase, anonymize, or block personal information if it is unnecessary, excessive, or has been processed in violation of the LGDP.
- You must agree to transfer an individual's personal data to another organization, on request.
- You must delete an individual's personal data on request, if it was collected with their consent (subject to some exceptions).
- You must inform an individual about any third parties with whom you have shared their personal data.
- You must inform an individual that they have the right to refuse consent, and what the consequences will be if they do so.
- You must allow an individual to revoke consent to your processing of your personal information.
When providing confirmation that you have processed an individual's personal data or access to an individual's personal data, you must do so within 15 days.
At Article 20 of the LGPD, separate from the nine data subject rights, is an additional right involving "automated processing."
This right applies if you have made a significant decision that affects a person's interests, such as a credit or job application, using entirely automated processes (i.e., with a computer/AI). In this case, the individual has the right to request that a human reviews the decision.
Like most privacy laws, the LGPD requires businesses (and all controllers) to publish up-front information for data subjects about how they handle personal information.
- Your purposes for processing personal data
- How you process personal data
- The duration over which you intend to process personal data
- The name and contact details of your business (the controller)
- Information regarding how and why you share personal information
- Responsibilities of all parties that will process the personal information you collect
- Information about the data subject rights
How Does Consent Work Under the LGPD?
As noted above, you need to meet one of the "requirements for processing" before you can process an individual's personal data. One of the most important requirements for processing is "consent."
Article 5 (7) of the LGPD defines "consent" as a "free, informed and unambiguous manifestation whereby the data subject agrees to her/his processing of personal data for a given purpose."
There are several elements to this definition:
- Free: This implies that a person should not suffer any detriment if they refuse to consent. For example, access to a website should not be made contingent on the visitor agreeing to targeted advertising.
- Unambiguous: This means that you cannot assume a person has consented. For example, if a person fails to untick a box that says, "Yes, please send me marketing emails," they have not given unambiguous consent.
- For a given purpose: This implies that consent should be specific to a particular purpose. If someone has consented to receive marketing phone calls, you will need to ask specifically if you wish to send them marketing emails.
In many jurisdictions, consent in privacy law is a legal "grey area." How the courts will interpret the definition provided in the LGPD remains to be seen.
The LGPD's definition is reminiscent of the definition present in the GDPR, which is generally interpreted as forbidding any form of "opt-out" or "implied" consent.
For more information, see our article GDPR Consent Examples.
Brazil's LGPD: Data Security
The LGDP obliges controllers and processors to keep personal data secure and confidential.
What are the LGPD's Data Security Rules?
To protect personal data from unauthorized access, loss, damage, and unlawful processing, you must adopt "technical and administrative measures" to protect it.
The LGPD is not specific about the nature of such measures, instead leaving it to the National Data Authority to set out security rules.
For more information about securing personal data, see our article Protecting Personal Data in Your Business.
What are the LGPD's Data Breach Notification Rules?
If you experience a data breach, you must notify the individual(s) affected and the National Data Protection Authority, within "a reasonable time period."
You must include the following information in your data breach notification letter:
- What personal data was affected?
- Which individuals were affected?
- What security measures did you implement to protect the personal data?
- What risks are related to the incident?
- If there has been a delay in reporting the incident, why?
- What are you doing to mitigate the effects of the data breach?
What are the LGPD's Rules for International Data Transfers?
Because the LGPD provides a relatively strong set of protections for individuals' personal data, it prohibits organizations from transferring personal data to third parties outside of Brazil unless safeguards are in place.
There are nine grounds on which you may transfer personal data to a third party outside of Brazil:
- Where the third party is situated in a country that is deemed to have adequate data protection standards comparable to those provided under the LGPD
Where compliance with the LGPD's principles of data processing and data subject rights is guaranteed, in the form of:
- Contractual clauses specific to the data transfer
- Standard contractual clauses
- Global corporate rules within a corporate group
- A certificate or code of conduct
- Where the transfer is necessary for legal cooperation
- Where the transfer is necessary to protect someone's life or physical safety
- Where the transfer has been authorized by the National Data Protection Authority
- Where the transfer results in a commitment undertaken through international cooperation
- Where the transfer is necessary for the execution of a public policy
- Where the individual has been informed about the international nature of the transfer and has given their consent
- Where the transfer is necessary to satisfy the "legal obligation," "contract," or "legal rights" requirements for processing
What are the Penalties for Violating the LGPD?
The LGPD sets out several penalties that can be issued by the National Data Protection Authority. The most severe are:
- A fine of up to 2% of a company's gross revenue in Brazil for the previous financial year, up to a maximum of R$ 50,000,000 per violation (approximately $9,500,000 USD)
- A daily fine of amount no greater than R$ 50,000,000
There is also a range of sanctions, such as a warning and an order to delete personal data.
LGPD Compliance Checklist
In preparation for the LGPD's August 2020 enforcement deadline:
- Understand and implement the principles of data processing
- Ensure you are compliant with the requirements for processing
- Be ready to facilitate data subject rights
- Assess whether you are meeting the LGPD's standards for consent
- Apply appropriate security safeguards to the personal data you control
- Be prepared to provide notice of any data breaches
- Assess any international transfers of personal data you conduct