Comprehensive data privacy legislation is a spreading global trend, with more and more countries enacting laws to regulate the use of personal data. Brazil is one of the latest countries to adopt a wide-ranging data protection law. Its Lei Geral de Proteção de Dados (LGPD) is an attempt to unify a patchwork of over 40 federal statutes that previously governed the personal data of Brazilians.
Strongly influenced by the EU General Data Protection Regulation (GDPR), the LGPD has important differences from its European counterpart. Now in effect, Brazil’s LGPD grants numerous rights to data subjects living in Latin America’s largest economy.
Companies doing business in Brazil will need to comply with the LGPD or risk heavy fines and other penalties. We've put together a comprehensive post for you to understand the LGPD and get started.
Summary:
- After delays, LGPD comes into force
- LGPD Brazil summary
- LGPD compliance checklist
- Frequently Asked Questions (FAQ)
After Delays, LGPD Comes Into Force
The number of internet users in Brazil—an estimated 160 million in 2021—is larger than the entire population of any other Latin American country. It is the fifth-highest number of internet users in the world. Its internet penetration stands at about 75% and has grown rapidly, from just over 64% in 2017 to a predicted 83% by 2025. About 9 out of 10 Brazilians access the web on a daily basis.
Brazil has long been considered a data governance leader. The government launched the Brazilian Internet Steering Committee in 1995 to help it set internet governance principles. In 2014, Brazil passed the innovative Marco Civil da Internet (Civil Rights Framework for the Internet), which is often referred to as “The Internet Constitution.” Four years later, Brazil approved the LGPD, a law that regulates online and offline personal data in the private and public sectors.
According to the law, the LGPD’s stated purpose is to protect “the fundamental rights of freedom and privacy and the free development of the personality of the natural person.” These protections were originally scheduled to be postponed until 2021, but after a confusing series of moves by the National Congress, the LGPD Brazil effective date was moved to September 18, 2020, retroactive to August 16, 2020 (the original enactment date in the statutory text). LGPD penalties took effect August 1, 2021.
LGPD Brazil summary
The Brazilian data privacy law is heavily modelled on the EU’s GDPR. Like its European counterpart, the LGPD gives rights to data subjects, imposes obligations on companies that process data, sets a legal basis for the collection and processing of data, requires data protection impact assessments, mandates the appointment of a data protection officer, and provides data subjects with a private right of action.
The full LGPD Brazil text runs to more than 40 pages, and features legal language that can be difficult to comprehend for the uninitiated. To cut through the legalese, the following key points should help bring some clarity around who the LGPD applies to, the types of data regulated, and other key points of the law.
Protected Data
The scope of personal data under the LGPD is quite broad, including not only personal data, but also sensitive personal data.
Personal data is defined in the law as any information related to “an identified or identifiable natural person.” This is a more expansive view of personal data than what’s found in the GDPR. The most important distinction is data that is identifiable, or that can be combined with other data to identify a person. In the context of big data, virtually any kind of information can be regarded as personal data under this definition.
A distinct category of personal data, sensitive personal data, as the LGPD defines it, is data that concerns racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, and genetic or biometric data. This type of data may only be processed in limited circumstances.
Anonymized data is not within the scope of the LGPD. However, if the anonymization process can be reversed, or if the data is used for behavioural profiling purposes, then the law applies.
Applicability
The LGPD also differs from the GDPR, as well as another GDPR offshoot, the California Consumer Privacy Act (CCPA), in the scope of its applicability, setting no size threshold on which businesses and organizations must comply. The law applies to any natural person or legal entity that processes the personal data of Brazilians. In short, any company that collects, uses, transfers, stores, or otherwise processes the personal data of a Brazilian customer or employee is subject to the LGPD.
Limited exceptions are in place, such as personal data that’s processed for journalistic, artistic, or academic purposes, for specific governmental purposes (e.g. public safety and national defense), or for private, noncommercial purposes.
Taking a page from the GDPR and the CCPA, the LGPD has extraterritorial jurisdiction. Regardless of where a business or organization is located, it must comply with LGPD privacy provisions if:
- It collects or processes data within Brazil
- It processes data with the aim of offering goods or services to individuals in Brazil, or
- It processes data that was collected in Brazil.
In other words, if your business has customers, clients, or workers in Brazil, you need to become LGPD compliant.
Data Processing General Principles
Article 6 of the LGPD lays out ten principles that should be considered in the course of data processing: purpose, adequacy, necessity, free access, data quality, transparency, security, prevention, nondiscrimination, and accountability. Considered in totality, these principles help Brazilian data protection authorities gauge a company’s compliance with the LGPD.
Note that the ten principles in the LGPD are three more than the GDPR’s seven principles. The differences include a storage limitation that is present in the GDPR but not in the LGPD, and a free access principle that is unique to the LGPD. Other differences are more technical than substantive, such as the GDPR principle of lawfulness, fairness, and transparency versus the separate principles found in the LGPD of transparency, prevention, and non-discrimination.
Data Subject Rights
Provided in Article 18 of the LGPD are nine data subject rights (one more than is found in the GDPR). The LGPD contains a more specific definition of the “right to be informed” than in the GDPR and splits the right into two parts. The first part involves the right to information about the entities with which data is shared. The second part deals with the subject’s right to be informed about the consequences of refusing to give a controller consent to process their data.
Data subjects in Brazil also have the right to an explanation about a controller’s automated decision-making that affects their interests, including decisions intended to define their personal, professional, consumer, and credit profile. When a review about automated decision-making is requested, the controller must provide “clear and adequate information regarding the criteria and procedures used for automated decisions.”
Brazilian data subjects whose rights are violated under the LGPD may file lawsuits against controllers or processors that cause “material, moral, individual, or collective damage.” This includes class action lawsuits. The right to file a lawsuit for a data protection violation—known as a “private right of action”—is found in the GDPR and the CCPA, although the CCPA’s private right of action is limited to data breach violations.
Data Processing Grounds
The LGPD only allows data processing to occur when there is a legal basis for it. A data processor must cite one of the ten data processing categories enumerated in the LGPD. This is similar to how the GDPR works, but while the GDPR lists six lawful bases for data processing, the LGPD lists ten:
- With the data subject’s consent
- To comply with a legal or regulatory obligation of the controller
- For the execution of public policies provided in laws or regulations
- To carry out research projects that ensure anonymized personal data
- To fulfill a contract that the data subject is a party to, at the subject’s request
- To exercise rights in legal proceedings
- To protect the life or safety of the data subject or a third party
- For the protection of health in a procedure done by health professionals or health authorities
- To protect credit (i.e. a credit score)
- To fulfill the legitimate interests of the controller or a third party, except where the data subject’s fundamental rights and liberties that require personal data protection prevail
Obtaining the consent of a data subject will be the most popular reason for validating data processing. However, to obtain consent in a legal manner, the LGPD requires consent forms to be clear and to provide information about the processing purpose, type and duration of the processing, the controller’s identity, the entities the collected data will be shared with, and the data subject’s rights, including the right to deny consent.
Data Breach Reporting
The LGPD, like the GDPR, has data breach reporting requirements, but they are far less onerous than the 72-hour deadline that applies to data breaches affecting European data subjects. In fact, the LGPD does not spell out an explicit data breach reporting deadline. It merely states that a “security incident that may create a risk or relevant damage to the data subjects” must be reported in “a reasonable time period,” as defined by the national authority. Further guidance on what constitutes a “reasonable time period” is presumably forthcoming.
Data controllers that suffer a breach must also notify impacted data subjects. Communications to the national authority and data subjects should contain minimum disclosures that are spelled out in Article 48.
Data Protection Officers
Another familiar feature from the GDPR that made its way into the LGPD is the requirement that controllers and processors hire a data protection officer (DPO). But importantly, while the GDPR lists criteria for when a DPO is needed, the LGPD is more general, simply stating in Article 41 that, “The controller shall appoint a data protection officer to be in charge of processing personal data.” This implies that any organization that processes the data of Brazilians will be required to hire a DPO.
Further distinguishing the LGPD from the GDPR in this area, a Brazilian DPO doesn’t need to be an individual. That’s according to Executive Order No. 869/18, which opens the door for an internal committee, department, or working group to serve as the DPO. It also makes it possible to outsource DPO duties to a third party, such as a law firm or specialized company.
National Data Protection Authority and LGPD Enforcement
The aforementioned Executive Order No. 869/18 also established the Autoridade Nacional de Proteção de Dados (the National Data Protection Authority, or ANPD). The ANPD is responsible for enforcing the LGPD and for providing guidance around compliance and interpretation. It has at its disposal a number of enforcement mechanisms, including fines of up to 2% of a company’s gross revenue, with a maximum fine of R$50 million per violation (roughly equivalent to $10 million USD). LGPD fines are thus significantly lower than GDPR fines (maximum of 4% of gross revenue, up to €20 million).
Other enforcement tools and penalties available to the ANPD include:
- Formal warnings with deadlines for corrective actions
- Daily fines for noncompliance, cumulatively up to the maximum fine
- Public disclosure of the violation following investigation and confirmation
- Blocking of the personal data involved in the violation until the issue is resolved
- Elimination of the personal data involved in the violation
- Suspension of the database operations or processing activity involved in the violation
- Prohibition of data processing activities
Finally, the private right of action found in the LGPD makes it likely that some ANPD investigations will lead to “follow-on” litigation from data subjects whose rights were violated.
The Brazilian data privacy law imposes several other key requirements on companies engaged in handling the personal data of the people of Brazil.
These requirements include:
- Creating and maintaining a map of the personal data that’s collected and processed
- Following protocols for international data transfers
- Preparing a data protection impact assessment (DPIA)—not always required but may be requested by the national authority
- Implementing privacy by design and default principles
- Recording data processing activities
- Tracking consent and revocations of consent
- Implementing information security standards
- Proving guarantees of compliance
LGPD Compliance Checklist
Full compliance is a competitive advantage under Brazil’s new data protection regime. Companies from every industry not complying with the LGPD could face a range of monetary and other penalties and even be prohibited from processing the data of Brazilians. Whether you currently have operations in Brazil or plan to enter the market there, you can’t afford to ignore the rules.
Companies doing business in Brazil should understand the basics of how to comply with the LGPD.
To fully navigate LGPD compliance matters, keep the following steps in mind:
- Define—and document—your legally acceptable reasons for processing personal data.
- Keep records of personal data processing activities.
- Honor the privacy rights of Brazilian data subjects.
- Establish a system for responding to requests from data subjects exercising their rights.
- Make sure that your privacy policy includes disclosures that match LGPD transparency rules.
- Name a Data Protection Officer (DPO).
- Collect consent from data subjects and maintain consent records.
- Prepare and perform Data Protection Impact Assessments (DPIAs) if required or requested.
- Adopt security, technical, and administrative measures that protect personal data from unauthorized access, deletion, alteration, sharing, or processing.
- Follow data breach response and notification protocols.
- Implement data processing systems and procedures that make privacy the default setting (i.e., privacy by design and default).
- Comply with international data transfer requirements.
- Adopt industry codes of conduct and certifications that demonstrate compliance with LGPD data protection rules.
- Have data processing agreements with vendors and other third parties to make sure they comply with the LGPD.
Got all that? Understanding the fine print of the LGPD isn’t easy, but Didomi makes it easy to comply with data privacy rules in Brazil—and anywhere in the world—with our Consent Management Platform. Schedule a demo to learn more.
Frequently Asked Questions (FAQ)
What is the Lei Geral de Proteção de Dados (LGPD)?
The LGPD is a comprehensive data protection law introduced in Brazil to unify over 40 federal statutes that previously governed the personal data of Brazilians. Its aim is to regulate the use of personal data in both online and offline scenarios across private and public sectors, with a focus on protecting individuals' freedom, privacy, and personal development.
How does the LGPD differ from the EU General Data Protection Regulation (GDPR)?
While LGPD is heavily influenced by GDPR, there are notable differences.
For instance, the LGPD has broader definitions of personal data and has no size limits on businesses and organizations that must comply. It lists ten legal bases for data processing compared to GDPR's six, and features three additional principles on data processing.
It also delineates the role of the Data Protection Officer (DPO) differently, allowing for an internal committee or third-party firms to serve as DPOs.
What types of personal data are protected under the LGPD?
The LGPD protects both personal data and sensitive personal data.
Personal data is defined as any information related to an identified or identifiable natural person.
Sensitive personal data encompasses data concerning racial or ethnic origin, religious belief, political opinion, trade union or organizational membership, health or sex life, and genetic or biometric data.
What are the key responsibilities of companies under the LGPD when processing personal data?
- Defining and documenting legally acceptable reasons for processing personal data;
- Keeping records of processing activities;
- Honoring the privacy rights of Brazilian data subjects;
- Establishing systems for responding to requests from data subjects;
- Naming a Data Protection Officer (DPO);
- Collecting and maintaining consent records;
- Preparing Data Protection Impact Assessments (DPIAs) if required;
- Adopting security measures;
- Following data breach response protocols;
- Complying with international data transfer requirements;
- Having data processing agreements with vendors and third parties.