Joining the global trend originating in Europe with the General Data Protection Regulation (GDPR), Brazil recently enacted its own omnibus law governing the use of personal data, the Lei Geral de Proteção de Dados (LGPD), or General Law for the Protection of Privacy. Similar to the EU’s GDPR and California’s Consumer Privacy Act (CCPA), LGPD is intended to regulate the processing of personal data. The stated purpose of the law is to protect “the fundamental rights of freedom and privacy and the free development of the personality of the natural person.”
This article addresses the most commonly asked questions about the applicability of LGPD and its exemptions and enforcement. The analysis is woven with a comparison to the GDPR and CCPA.
The LGPD applies to any natural person or legal entity, including the government, that processes the personal data of the people of Brazil, even if the entity processing the data is based outside of Brazil. There are some exceptions, however, such as (1) when the processing is done by a natural person exclusively for private and noneconomic purposes; (2) when done exclusively for journalistic, artistic, or academic purposes; or (3) when done for purposes of public safety, national defense, state security, or activities or investigation and prosecution of criminal offenses.
Personal data in this statute is defined broadly as “information regarding an identified or identifiable natural person.” There are also special restrictions for the processing of “sensitive personal data,” which is data that relates to racial or ethnic origin, religious beliefs, political opinion, affiliation to unions or political, philosophical or religious organizations, health information, sexual preference, or genetic and biometric data. To that end, and similarly to the GDPR and CCPA, sensitive personal data may only be processed when the data subject specifically and distinctly consents to the specified purposes.
Personal data may be processed without consent for certain specific and limited purposes, including (1) to comply with a legal obligation; (2) when it is necessary by the public administration for the execution of public policies; (3) when it is a study carried out by a research entity; or (4) to protect the life or physical safety of the data subject or a third party.
Companies can collect and use publicly available personal data under the LGPD only if it is (1) being used for the same purpose that it was originally collected, in which case consent from the data subject is not needed; or (2) for a different purpose, but only if the controller has identified a valid legal basis for the use of the data.
The LGPD sets out nine fundamental rights granted to all Brazilian data subjects that are similar to the eight fundamental rights laid out in the GDPR. The ninth comes from a more specific definition of the “right to be informed” as granted in the GDPR. LGPD separates the right to be informed into (1) the right to “information about the public and private entities with which the controller has shared data” and (2) “information about the possibility of denying consent and the consequences of such denial.” This gives the data subject not only a right to request information the organization collects about the data subject, but also the right to ask about what will happen if the data subject does not give the controller consent to process his or her personal data. Data subjects are also entitled to an explanation about any automated decision-making carried out by the controller that affects their interests. When a data subject requests a review, the controller must provide “clear and adequate information regarding the criteria and procedures used for an automated decision.”
Although the GDPR has six lawful bases for processing data, the LGPD expands upon those, listing 10 legal bases for justifying the processing of personal data. The 10 bases listed in the LGPD generally follow the bases listed in the GDPR, with the exception of the last legal basis listed in the LGPD, giving the ability to process data for “the protection of credit.” This implies that consent is not necessary under the LGPD to process data for credit protection purposes, but this section should still be read in the context of two other laws that govern personal data for protection of credit purposes (the Federal Consumer Code and the Positive Credit History Law).
In addition to the legal basis exempted to process data, like the GDPR and CCPA, under the LGPD, data that has been anonymized is generally exempt from the requirements of the LGDP so long as the process by which the data was anonymized is not able to be reversed applying reasonable efforts. The LGPD defines “anonymization” as the “use of reasonable technical means available at the time of processing, by means of which the data loses the possibility of direct or indirect association to a natural person.” A key difference here, however, is that per the LGPD, some anonymized data may even be deemed as “personal data” if it is used to “formulate behavioral profiles of a particular natural person, if that person is identified.” As such, if the anonymized data is still being used for behavior profiling, it is subject to the restrictions of personal data. Another difference is that, unlike the GDPR, the LGPD does not necessarily endorse pseudonymization as a best practice; in fact, it only addresses pseudonymization once, encouraging public health research bodies to either anonymize or pseudonymize when possible. GDPR, by contrast, frequently references pseudonymization as a best practice in order to assure compliance.
Aside from having to identify a legal basis for processing data without consent, companies must also create and maintain a map of the personal data that they collect and process. This requirement is not imposed by CCPA but it does appear under GDPR. Furthermore, organizations must ensure that they are tracking consents and revocations by data subjects, which should be done as a matter of best practice even to establish compliance if it were not specifically mentioned in LGPD.
Like the GDPR, and unlike the CCPA, the LGPD requires businesses and organizations to hire a Data Protection Officer (DPO). However, unlike GDPR, the LGPD does not outline specific cases for which a DPO is needed. It simply states that the “controller shall appoint an officer to be in charge of processing personal data.” This implies that any organization that processes the data of people in Brazil will need a DPO. Both controllers and processors must appoint a DPO.
The LGPD creates an enforcement authority responsible for overseeing the data protection regulation in the National Data Protection Authority (Autoridade Nacional de Proteção de Dados, or ANPD). The ANPD has the authority to create separate guidelines, rules, and deadlines applicable to small businesses and startups to make sure that they comply with the LGPD. As the ANPD begins to issue guidance on the provisions of the LGDP, this will affect how they will be enforced and implemented. The LGPD does not give a firm deadline for reporting data breaches to the ANPD; it merely states that “the controller must communicate to the national authority and to the data subject the occurrence of a security incident . . . in a reasonable time period, as defined by the national authority.”
Fines for noncompliance are not as substantial in the LGPD as they are in the GDPR, giving the maximum fine for a violation as “2% of a private legal entity’s, group’s or conglomerate’s revenue in Brazil, for the prior fiscal year, excluding taxes, up to a total maximum of 50 million reals.” The sanctions will be applied only after an administrative procedure where opportunity is given for a full defense, and taking into account the severity of the infraction and other parameters.
