What Rights Does LGPD Grant to Data Subjects?
The LGPD sets out nine fundamental rights for Brazilian data subjects, closely resembling the eight fundamental rights laid out in the GDPR. The ninth arises because the LGPD spells out the GDPR's “right to be informed” more specifically, splitting it into (1) the right to “information about the public and private entities with which the controller has shared data” and (2) the right to “information about the possibility of denying consent and the consequences of such denial.” A data subject therefore has not only the right to request the information an organization holds about them, but also the right to ask what will happen if they decline to give the controller consent to process their personal data. Data subjects are also entitled to request a review of decisions made solely on the basis of automated processing that affect their interests. When a data subject requests such a review, the controller must provide “clear and adequate information regarding the criteria and procedures used for an automated decision.”
What Is Exempted under LGPD?
Whereas the GDPR has six lawful bases for processing personal data, the LGPD expands on those, listing 10 legal bases that can justify processing. The 10 LGPD bases generally track the GDPR bases, with the exception of the last one listed in the LGPD, which permits processing for “the protection of credit.” This means that consent is not required under the LGPD to process data for credit protection purposes, but this basis should still be read alongside two other laws that govern the use of personal data for credit protection (the Federal Consumer Code and the Positive Credit History Law).
Beyond the legal bases that permit processing without consent, and like the GDPR and CCPA, the LGPD generally exempts anonymized data from its requirements, provided that the anonymization cannot be reversed with reasonable effort. The LGPD defines “anonymization” as the “use of reasonable technical means available at the time of processing, by means of which the data loses the possibility of direct or indirect association to a natural person.” A key difference, however, is that under the LGPD, anonymized data may still be treated as “personal data” if it is used to “formulate behavioral profiles of a particular natural person, if that person is identified.” In other words, anonymized data that is still used for behavioral profiling remains subject to the restrictions on personal data. Another difference is that, unlike the GDPR, the LGPD does not endorse pseudonymization as a general best practice; it addresses pseudonymization only once, encouraging public health research bodies to anonymize or pseudonymize data where possible. The GDPR, by contrast, repeatedly cites pseudonymization as an appropriate safeguard for demonstrating compliance.
What Other Key Requirements Does LGPD Impose?
Aside from identifying a legal basis for any processing done without consent, companies must also create and maintain a map of the personal data they collect and process. The CCPA imposes no such requirement, but the GDPR does. Organizations must also track consents and revocations by data subjects, which would be good practice for demonstrating compliance even if the LGPD did not mention it explicitly.
Does LGPD Require a DPO?
Like the GDPR, and unlike the CCPA, the LGPD requires businesses and organizations to appoint a Data Protection Officer (DPO). Unlike the GDPR, however, the LGPD does not define specific cases in which a DPO is required. It simply states that the “controller shall appoint an officer to be in charge of processing personal data.” The practical implication is that any organization processing the data of people in Brazil will need a DPO. Both controllers and processors must appoint a DPO.
Who Will Enforce LGPD?
The LGPD creates a national supervisory authority, the National Data Protection Authority (Autoridade Nacional de Proteção de Dados, or ANPD), responsible for overseeing and enforcing the law. The ANPD has the authority to issue separate guidelines, rules, and deadlines for small businesses and startups to help them comply with the LGPD. As the ANPD issues guidance on the LGPD's provisions, that guidance will shape how the provisions are interpreted and enforced. The LGPD sets no firm deadline for reporting data breaches to the ANPD; it states only that “the controller must communicate to the national authority and to the data subject the occurrence of a security incident . . . in a reasonable time period, as defined by the national authority.”
What Are the Fines for Noncompliance?
Fines for noncompliance under the LGPD are less severe than under the GDPR: the maximum fine for a violation is “2% of a private legal entity's, group's or conglomerate's revenue in Brazil, for the prior fiscal year, excluding taxes, up to a total maximum of 50 million reals” per infraction. Sanctions are applied only after an administrative procedure in which the organization is given the opportunity for a full defense, and they take into account the severity of the infraction and other parameters.