LGPD vs. GDPR: The Biggest Differences
Brazil passed its comprehensive general data protection law, the Lei Geral de Proteção de Dados (LGPD), on 14 August 2018. Modelled on its European cousin, the General Data Protection Regulation (GDPR), the new legislation aimed to replace and supplement existing legal norms by regulating the use of personal data by both the public and private sectors.
The law was set to come into force on 15 August 2020, after President Michel Temer extended its initial 18-month deadline by an additional 6 months. Doubts concerning the LGPD’s future enforcement surfaced when the same president vetoed several provisions of the bill before its passing, most notably those needed to create Brazil’s data protection authority, the Autoridade Nacional de Proteção de Dados (ANPD).
All uncertainty has now been cast aside: on 8 July 2019, Brazil’s new president, Jair Bolsonaro, promulgated Law No. 13.853/2019, which amends some provisions of the LGPD and provides for the creation of the ANPD. With its data protection authority now a reality, Brazil is moving full speed ahead towards the enforcement of the LGPD.
Many companies that have gone through the rush for GDPR compliance consider the European regulation to be the most exhaustive of its kind in the world today, but there are notable differences between it and the LGPD, which means that GDPR compliance does not ensure LGPD compliance, although it is definitely a step in the right direction. Let’s look at some of the key differences.
While both the GDPR and the LGPD protect any information relating to an identified or identifiable natural person, unlike the GDPR, the LGPD does not give a detailed definition of what kind of information it refers to, making its scope very broad.
Anonymized data falls outside the scope of both laws as long as reasonable steps have been taken to ensure that it cannot be re-identified. The LGPD, however, makes an exception: data is considered personal when it is used for the behavioral profiling of a particular natural person, if that person is identified.
Pseudonymized data, meanwhile, falls under the scope of the GDPR, since it is considered information on an identifiable natural person, but the LGPD does not mention it except in the context of research undertaken by public health agencies.
Both the GDPR and the LGPD have an extraterritorial reach: they apply to all companies offering goods or services to data subjects in the EU or Brazil, regardless of where they are located.
There is one notable difference between them: the GDPR explicitly includes organizations that are not established in the EU, but that monitor the behavior of individuals located in it. The LGPD has no such provision. The LGPD will also not apply to data flows that originate outside of Brazil and are merely transmitted, but not further processed in the country.
Legal bases for data processing
One of the major differences between the two laws is the legal bases for data processing. The GDPR lists six, while the LGPD goes further and includes ten. To the GDPR’s original six: explicit consent, contractual performance, public task, vital interest, legal obligation and legitimate interest, the LGPD adds a further four: studies by a research body, exercise of rights in legal proceedings, health protection and credit protection.
The most interesting addition to this list is credit protection, a provision exclusive to Brazil, which was no doubt included because of the ongoing discussions about reforming one of the laws that regulate credit scoring in Brazil, the Positive Credit History Law.
Data Protection Officers
Under the GDPR, data controllers and processors whose core activities consist either of processing operations which require regular and systematic monitoring of data subjects on a large scale, or processing on a large scale of special categories of data, are required to appoint a data protection officer (DPO).
The LGPD, on the other hand, only requires data controllers to appoint a DPO. However, it does not limit the circumstances under which a DPO must be appointed, which means that all companies, regardless of their size, type or the volume of data they collect, will need a DPO. That being said, while this is how things stand at the moment, the ANPD is allowed to adjust this provision and, now that its creation has been ensured, is expected to issue complementary rules to limit the applicability of this particular requirement.
Data Subjects’ Access Requests
An individual’s right to data access is guaranteed under both the GDPR and the LGPD. Under both laws, data subjects can request access to the data a company has collected about them and can request further actions concerning it: its portability, deletion or correction. The GDPR allows organizations 30 days to answer data subjects’ access requests, while the LGPD only gives them 15 days.
There is also a difference in the cost of the requests: the LGPD makes them mandatorily free of charge, while the GDPR makes gratuity optional.
Mandatory Data Breach Notifications
While both laws have made data breach notifications mandatory, their requirements differ slightly. The GDPR imposes a strict 72-hour window in which companies are required to notify Data Protection Authorities (DPAs) of data breaches, whereas organizations subject to the LGPD must do so within an undefined “reasonable” time. This timeframe, however, is also subject to adjustment by the ANPD. The LGPD additionally requires companies to notify data subjects of data breaches, something that is not a requirement under the GDPR.
The GDPR’s notorious penalty regime allows DPAs across Europe to issue fines of up to 4% of a company’s global annual turnover or €20,000,000 (roughly $22,000,000), whichever is higher. Under the LGPD, organizations face similar, if slightly less grave, penalties: up to 2% of their total revenue in Brazil in the previous year or up to 50,000,000 Brazilian Reals (approximately $13,000,000), whichever is higher. The LGPD also lists possible daily penalties to enforce compliance.
Government agencies fall outside the scope of LGPD fines, while the GDPR leaves it up to DPAs to decide on this matter.
While there are a great number of similarities between the LGPD and the GDPR, there are points such as the legal bases and mandatory data breach notifications on which the LGPD goes further than the European legislation.
There are also many provisions left broad in the Brazilian law that are subject to adjustment by the ANPD and that the new authority is likely to tackle in the months leading up to the LGPD’s enforcement. It remains to be seen whether the complementary rules it issues will bring the LGPD closer to, or further away from, the GDPR.