Updated: March 21, 2023
Published: November 13, 2019
Brazil, a country of around 200 million people and considered one of the most internet-connected countries in the world, is currently working to protect its nationals and their personal data and privacy through the entry into force of a privacy law and the creation of a National Data Protection Authority.
Law 13.709 of Brazil is the General Law for the Protection of Personal Data or, in Portuguese, the Lei Geral de Proteção de Dados Pessoais (“LGPD”). It was sanctioned by the former president of Brazil, Michel Temer, in August of 2018 and is scheduled to enter into force in August 2021. Its aim is to regulate the treatment of personal data of all individuals or natural persons in Brazil, as defined in the first article of the LGPD.
This means that all companies incorporated or trading in Brazil that have information of Brazilian nationals in their databases are expected to comply with all procedures and policies provided in the new law, once it becomes enforceable. Companies and groups that do not follow the law’s terms may receive a fine such as 2% of their sales revenue, or even up to 50 million Brazilian reais (about USD 12 million).
The interpretation of data processing is very similar to the interpretation given by the GDPR: data processing can be understood as any procedure that involves the use of data, such as the collection, classification, processing, storage, sharing, transfer, and elimination of personal data. The law states that there are three main roles in data processing: the controller, the operator, and the officer.
The controller is assigned the responsibility of determining all relevant and applicable policies about the data processing and is also in charge of creating guidelines that the operator must then execute. These roles are similar to the Data Controller and Data Processor roles defined by the GDPR. Both roles are referred to collectively as the “treatment agents”. The officer must try to bridge the gap between the controller, the data owner or subject, and the government agency or authority.
Just as with the GDPR, the LGPD aspires to apply across borders, which means that all companies that process data of Brazilian data subjects, or as the law defines, collect personal data from clients and users in Brazil, must abide by the LGPD and may be subject to fines, even if not incorporated in the country.
These are the rights granted to the users and clients of companies by the LGPD as determined by Article 18 of the LGPD:
It's worth mentioning that these rights are very similar to the rights given to EU data subjects under the GDPR, although there are some small differences: data portability is more extensive in the LGPD, and the information request right has been split into two.
After many debates and delays, on May 29th of this year, the Brazilian Congress finally gave its definitive approval to the creation of the National Data Protection Authority, an entity linked to the Executive branch of the Brazilian government. The fact that this institution is linked to the government rather than created as an independent body has been widely criticized by local activists and legal privacy specialists. Despite the criticism, without this approval by Congress, data protection in the South American giant would have been incomplete due to the lack of an agency to enforce the law, which is scheduled to become enforceable in August 2021. Additionally, Brazilian data subjects would not have an official separate body before which to claim the rights given to them by the LGPD.
The LGPD is viewed by many lawyers and privacy specialists as inspired by and derived from the European Union (EU) General Data Protection Regulation (GDPR). For those unfamiliar with the GDPR, it is a European regulation that came into force on May 25, 2018, and that has become a new standard for many countries which were previously indifferent to data privacy as a locally enforceable policy.
One of the main points established by the legislation is the distinction between personal data (name, address, identity number), sensitive data (origin, religion, health, political opinions) and anonymous data (without any type of identification), and the consequent differences in how each one can be used.
The entry into force of the LGPD implies that all companies incorporated or trading in Brazil that have information of Brazilian nationals in their databases are expected to comply with all procedures and policies provided in the new law, once it becomes enforceable. Companies and groups that do not follow the law’s terms and directives may receive a fine such as 2% of their sales revenue, or even up to 50 million Brazilian reais (approximately USD 12 million).
The law has also been seen by some as unfair to small companies in Brazil, as it does not differentiate between small companies and multi-million, multinational companies, giving all companies the same treatment. Many people in Brazil also object that the presidency may have too much influence over the administration and direction of the recently created National Data Protection Authority, stating that favoritism toward large companies is highly likely, as is interference by the political interests of Bolsonaro’s party in the body’s decisions and information.
Miguel is the managing director at the law firm Estudio Juridico Rodriguez in Bolivia. Miguel focuses on IT and data privacy law in Latin & South America.