All You Need to Know about Brazil’s New Data Protection Law
On 14 August 2018, Brazil passed a comprehensive general data protection law, the Lei Geral de Proteção de Dados (LGPD) which aims to align existing legislation to the new international standard set by the EU’s General Data Protection Regulation (GDPR).
Although Brazil already had over 40 legal norms that governed, directly and indirectly, the protection of privacy and personal data at federal level, they sometimes conflicted or were too ambiguous. The LGPD will replace and supplement these existing norms by regulating the use of personal data by both public and private sectors.
The new legislation will come into effect on 15 August 2020, 24 months after it was approved. The initial waiting period until enforcement was of 18 months, but it was later extended by a further 6 months through an executive order issued by President Michel Temer.
The LGPD owes many of its requirements to the precedent set by the GDPR. It includes the need for data protection officers, data protection impact assessments and data breach notifications and has, at its core, the principles of privacy by design and by default pioneered by the GDPR. The great similarities between the two laws may also signal Brazil’s desire to pursue an adequacy decision from the European Commission that, if positive, would liberalize cross-border transfers between the South American country and the European block.
Who does the LGPD Apply to?
The LGPD applies to all individuals and legal entities, both public and private that carry out personal data processing activities that take place or are related to individuals located in Brazil, aim to supply goods or services in the country or involve personal data collected in Brazil.
Like the GDPR, the LGPD has an extraterritorial reach, meaning it protects the data of individuals in Brazil, no matter where the data collector is located. All companies that serve the Brazilian market, whether they have offices in the country or not, are therefore subject to the LGPD.
The LGPD’s applicability is wide. By including individuals processing data for economic purposes, it clearly aims to regulate not only big companies but every entity collecting and processing data, from small entrepreneurs to multinational corporations.
The new law does not apply to data processing carried out for strictly personal purposes by individuals, for exclusively journalistic, artistic, literary or academic purposes or for national security, national defense, public safety or criminal investigation or punishment activities.
What is personal data according to the LGPD?
The personal data protected by the LGPD is defined very broadly as information related to an identified or identifiable individual. This means that it applies not only to data that can explicitly identify a person, but also information from which identity can be inferred.
Sensitive data which requires additional layers of security includes data related to race or ethnic origin, religious, political or philosophical views, and affiliations as well as health, sexual, biometric or genetic data.
While anonymized data falls outside the scope of regulations such as the GDPR and the CCPA, the LGPD states anonymized data will be considered personal data when it is used for behavioral profiling.
Company Obligations Under the LGPD
Organizations falling under the scope of the LGPD must, first of all, appoint a Data Protection Officer (DPO) that will be responsible for providing guidance for best practices, receiving complaints and communicating with the ANPD.
Companies are obligated to adopt technical and administrative measures to protect personal data from unauthorized access and accidental or illegal destruction, loss, alteration, communication or dissemination. They must implement an information security program, conduct Data Protection Impact Assessments (DPIA) and develop an incident response and remediation plan.
In case of a data breach that may result in relevant risk or damage to data subjects, an organization must notify the ANPD within a reasonable time, later to be clarified by the authority. If ordered by the ANPD, the company must then notify data subjects affected by the security incident, alert the media or take steps to mitigate the effects of the incident.
Data subjects have to be informed of the purpose for which their data is being collected. They also have the right to request that their data be corrected, deleted or provided to them in an easily readable format for the purpose of transferring it to a different company. Organizations must ensure that they have internal policies and procedures in place to respond to all these requests.
Companies must also delete data after it is no longer needed for the original purpose for which it was collected unless data subjects have expressly permitted them to retain the data.
The Brazilian ANPD
The original text of the LGPD included provisions for the creation of a Brazilian National Data Protection Authority or Autoridade Nacional de Proteção de Dados (ANPD), an independent public body that would be responsible for the enforcement of the new law and offer guidance and complementary norms.
However, before sanctioning the law, then President Michel Temer vetoed several articles of the bill, including those governing the establishment of the ANPD and the National Council for the Protection of Personal Data and Privacy or Conselho Nacional de Proteção de Dados Pessoais e da Privacidade, an institution similar to the EU Data Protection Board. The President justified his decision by referring to the fact that it is not within the prerogative of the National Congress to create new regulatory bodies, the initiative should come from the executive branch of the government.
The establishment of the ANPD was one of the last executive orders issued by President Temer before the end of his term and was published on 28 December 2018. The new ANPD will have a multi-level structure and be headed by a board of five directors, to be appointed by the Brazilian president.
The National Council for the Protection of Personal Data was also created to serve as an advisory body to the ANPD and to help steer data policy in Brazil. It will consist of 23 members, 11 from different parts of the Brazilian government and 12 from private businesses, academia, and civil society.
Personal data collected in Brazil can only be transferred outside the country under specific rules, similar to those of the GDPR. Data can only be transferred to countries that provide a level of data protection comparable to that of the LGPD, although the law does not detail how and by whom this level will be determined.
Transfers can also be permitted to organizations in third-countries that are bound by contract through standard contractual clauses or by global corporate policies that demonstrate a level of data protection in line with the LGPD.
Cross-border transfer restrictions do not apply to international legal cooperation between government agencies or if data subjects have given prior consent for the transfer.
When it comes to penalties, the LGPD took a page from the GDPR’s book and did not shy away from imposing serious fines for noncompliance. Companies are liable to pay up to 2% of their total revenue in Brazil in the previous year or up to 50,000,000 Brazilian Reals (approximately $13,000,000 at the time of writing), whichever is higher.