Brazil’s General Data Protection Law (LGPD) came into effect on August 16, 2020, and is designed to consolidate dozens of existing laws relating to the processing of personal data. In February of 2022, the Brazilian Congress passed an amendment to the Constitution which gives citizens a fundamental right to personal data protection. Aimed at expanding citizens’ rights and centralizing data protection, the amendment is expected to elevate the protections of the LGPD and facilitate investments in the technology sector.
The regulatory authority set up to implement the LGPD is the National Data Protection Authority (ANPD). While the ANPD has faced criticism for its lack of independence from the presidential office since its inception in 2020, Brazil has announced its intentions to grant the regulatory body full autonomy.
Here is an overview of the LGPD:
The LGPD applies to entities that process data in Brazil, provide services to individuals located in Brazil, or collect data while the subject is in Brazilian territory. In these cases, the protections of the LGPD follow the data overseas.
As under the GDPR, consent is not necessary to process non-sensitive data if the controller has legal obligations, contractual commitments, public interest considerations, or legitimate interests that necessitate data processing. However, the LGPD adds further lawful bases for processing where it is necessary for credit protection, studies by research organizations, exercising rights in legal proceedings, and health protection. Consent is necessary for sensitive information in most cases, with exceptions for regulatory compliance, public policies, protection of life, fraud prevention, or for studies done by research institutions where data is anonymized. Minors cannot have their data processed without the explicit consent of a parent or legal representative.
Data subjects have the right to access and correct their data, obtain information about its processing and shared usage, revoke consent, transfer personal information, and request the deletion or anonymization of data processed in violation of the LGPD. A key difference for GDPR-compliant organizations is the reduced 15-day deadline to respond to data access requests, compared to the GDPR's one month. Under the LGPD, processing should be terminated and data should be deleted if the processing purpose has been achieved, the data is no longer necessary, or if it is required by the data subject or national authority. Storage is permitted if it is necessary for regulatory compliance or research purposes, as well as for the exclusive use of the controller if third-party access is prohibited and the data is anonymized.
Under the LGPD, data may be transferred to countries that offer adequate protection, or to entities that have provided a guarantee of compliance with the LGPD in the form of contractual clauses or binding corporate rules. Additionally, data may be transferred with specific consent, ANPD authorization, or when necessary to execute a contract.
The LGPD requires controllers to appoint a data protection officer (DPO). The DPO serves as the point of contact for the ANPD, handles complaints from data subjects, and informs employees of LGPD requirements. The ANPD has the power to waive the DPO requirement and has done so for small businesses and startups; however, the appointment of a DPO is still considered good practice. The LGPD imposes no specific qualifications for DPOs, and the appointed officer can be internal or external to the organization.
While the implementation of the LGPD has been slowed by the ongoing development of the ANPD, recent steps toward the ANPD's independence indicate Brazil's commitment to stricter enforcement of the LGPD. The LGPD includes penalties of up to 2% of an entity's revenues in Brazil in its last fiscal year, capped at 50 million reais per infraction, or a daily fine determined by the data authority. Infractions may also be punished by the prohibition, suspension, or partial suspension of activities relating to the data processing.
In general, entities working in Brazil can expect the operational impacts of the LGPD to be similar to the GDPR. While the texts differ in some of their definitions and details, the principles of the LGPD follow the GDPR’s guidance and some parts of the LGPD are essentially copied from the GDPR. For companies that are not already GDPR compliant, the similarity of international data protection laws like the LGPD to the GDPR underscores the importance of becoming GDPR compliant as a baseline requirement. However, organizations should keep in mind the details that distinguish the LGPD, including the broader requirement for a data protection officer and shorter notification period for data breaches.
Organizations operating in Brazil should ensure that data is mapped from collection to deletion to ensure that it is traceable and clearly compliant with the LGPD. Information about processing and access to the data should be readily available to data subjects to guarantee transparency. After initial processing, controllers should confirm that any further usage is compliant with LGPD restrictions on long-term storage, including by anonymizing the data. Where no further processing is sought, controllers should ensure that they remove data in a timely manner according to LGPD requirements.
As the ANPD gains its independence and Brazil further cements its data protection laws into the Constitution, companies should watch for changes in the LGPD’s enforcement. As the ANPD has been developing over the past 2 years, enforcement of the LGPD has been inconsistent. However, with Brazil’s renewed commitment to personal data protection and the autonomy of the ANPD, enforcement could shift significantly and companies should prepare for potential changes.