12 October 2020
Brazil's data protection law, Lei Geral de Proteção de Dados (LGPD), is finally here. The LGPD is a long and detailed law that will significantly impact day-to-day business in Brazil.
Among other provisions, the law sets out:
Every business with Brazilian customers, partners, or clients must have a solid understanding of the LGPD. We're here to help with that.
Those familiar with the EU General Data Protection Regulation (GDPR) will find many sections of the LGPD familiar. This is no coincidence: Brazil developed the LGPD partly as a step towards striking a data-sharing "adequacy" agreement with the EU.
Originally passed in 2018, the enactment of the LGDP has been pushed back several times. The Brazilian Senate recently rejected a bid by the President to push it back even further. The law will finally come into effect in September 2020.
Once the President has signed the bill, the LGPD will retroactively take effect from August 14, 2020. However, the law will not be enforced until August 1, 2021, so businesses have a short transition period in which to become fully compliant.
The LGPD applies to organizations all over the world, not just in Brazil. Regardless of size, turnover, or sector, a person or organization will be covered by the LGPD if it is:
So, if you have customers, business partners, employees, or contractors in Brazil, you should comply with the LGPD.
The LGPD gives definitions to important terms across Article 5. These definitions help define the law's scope and jurisdiction.
The LGPD defines "personal data" as "information regarding an identified or identifiable natural person."
"Natural person" means a living individual, as opposed to a "legal person," such as a corporation.
Unlike certain US privacy laws, such as the NY Shield Act and Washington D.C. Data Breach Notification Law, the LGPD doesn't limit its definition of personal data to a set of specific identifiers. In fact, the law doesn't provide any examples of "personal data" at all.
The LGPD's definition of personal data derives from the GDPR. As such, we can expect to see the Brazilian regulator take a broad view of what constitutes personal data, including:
It's also likely that the LGPD will also recognize computer-generated information such as IP addresses, cookie data, and advertising IDs. Brazil's internet law (known as the "Marco Civil," available here) covers such data types.
"Processing" personal information means doing something to or with it: collecting it, sharing it, erasing it, etc.
The LGPD defines specific types of information as "sensitive personal data," which means any Information relating to an individual's:
There are special rules regarding sensitive personal data and you must take particular care when processing it.
The LGPD uses the term "data subject" to mean the individual to whom personal data relates.
From your company's perspective, a data subject could be anyone: your customers, employees, or anyone else who comes into contact with your business.
The main players in Brazil's LGPD are the "controller" and the "processor."
A "controller" is a public or private entity that "has competence to make the decisions regarding the processing of personal data." When a company collects email addresses for members of its mailing list, it is the controller of that personal data.
A "processor" is a public or private entity that "processes personal data in the name of the controller." When an email marketing company receives a business' mailing list and emails its customers on the business' behalf, it is acting as a processor.
The LGPD provides guiding principles and strict rules for businesses, and grants individuals rights over their personal data.
The LGPD provides ten principles of data processing. All processing of personal data must take place according to these principles:
The LGPD contains ten "requirements for processing." You must meet one of these requirements before processing personal data.
Think of the requirements like valid, lawful reasons for which you may process personal data. If you don't have one of the following ten reasons for processing personal data, you must not do so:
The LGPD provides nine rights for individuals over their personal data, known as the "data subject rights."
As the controller of an individual's personal data, you are responsible for safeguarding and facilitating their rights.
The nine data subject rights appear at Article 18 of the LGDP and are as follows:
When providing confirmation that you have processed an individual's personal data or access to an individual's personal data, you must do so within 15 days.
At Article 20 of the LGPD, separate from the nine data subject rights, is an additional right involving "automated processing."
This right applies if you have made a significant decision that affects a person's interests, such as a credit or job application, using entirely automated processes (i.e., with a computer/AI). In this case, the individual has the right to request that a human reviews the decision.
Like most privacy laws, the LGPD requires businesses (and all controllers) to publish up-front information for data subjects about how they handle personal information.
As noted above, you need to meet one of the "requirements for processing" before you can process an individual's personal data. One of the most important requirements for processing is "consent."
Article 5 (7) of the LGPD defines "consent" as a "free, informed and unambiguous manifestation whereby the data subject agrees to her/his processing of personal data for a given purpose."
There are several elements to this definition:
In many jurisdictions, consent in privacy law is a legal "grey area." How the courts will interpret the definition provided in the LGPD remains to be seen.
The LGPD's definition is reminiscent of the definition present in the GDPR, which is generally interpreted as forbidding any form of "opt-out" or "implied" consent.
For more information, see our article GDPR Consent Examples.
The LGDP obliges controllers and processors to keep personal data secure and confidential.
To protect personal data from unauthorized access, loss, damage, and unlawful processing, you must adopt "technical and administrative measures" to protect it.
The LGPD is not specific about the nature of such measures, instead leaving it to the National Data Authority to set out security rules.
For more information about securing personal data, see our article Protecting Personal Data in Your Business.
If you experience a data breach, you must notify the individual(s) affected and the National Data Protection Authority, within "a reasonable time period."
You must include the following information in your data breach notification letter:
Because the LGPD provides a relatively strong set of protections for individuals' personal data, it prohibits organizations from transferring personal data to third parties outside of Brazil unless safeguards are in place.
There are nine grounds on which you may transfer personal data to a third party outside of Brazil:
Where compliance with the LGPD's principles of data processing and data subject rights is guaranteed, in the form of:
The LGPD sets out several penalties that can be issued by the National Data Protection Authority. The most severe are:
There is also a range of sanctions, such as a warning and an order to delete personal data.
In preparation for the LGPD's August 2020 enforcement deadline:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.