Worldwide: Brazil's New Data Protection Law: The LGPD

Last Updated: 19 September 2018
Article by Cooley LLP

The global data protection landscape continues to evolve, and Brazil is the latest country to enact an omnibus law governing how organizations collect, use, disclose and otherwise process personal data. Beginning on February 15, 2020, Brazil's data protection law, Lei Geral de Proteção de Dados (LGPD) (unofficial English translation available here), will go into effect and require companies to comply with strict requirements related to the processing of personal data.

After years of debate and consultation, the Brazilian Federal Senate approved a final version of the bill on July 10, 2018, which was then sent to the president for review and signature. Although the bill originally included provisions creating a national Data Protection Authority (DPA) to oversee and enforce the law, President Michel Temer vetoed this section before signing the LGPD into law on August 12, 2018. According to the president, under Brazilian law only the executive branch has authority to establish this type of regulatory body. The president has stated publicly that a new bill will be sent to Congress establishing the DPA, but to date no action has been taken.

Once established, the DPA will be charged with enforcing the LGPD and issuing interpretative guidance to the public. These guidelines (and any official translations of the law into English and other languages) will undoubtedly affect how the law's requirements will be interpreted, implemented and enforced. For now, companies must look to the broad principles set forth in the LGPD as they prepare for February 2020, which are summarized below.

Who must comply with LGPD?

The LGPD applies to any individual or legal entity, whether public or private, with personal data processing activities that:

  1. are carried out in Brazil;
  2. are for the purpose of offering or supplying goods or services in Brazil or relate to individuals located in Brazil; or
  3. involve personal data collected in Brazil.

Like the EU General Data Protection Regulation (GDPR), the LGPD has extraterritorial scope and will apply to global businesses that meet these criteria, regardless of where the company is headquartered. However, the LGPD does not apply to data processing carried out:

  1. by a person for strictly personal purposes;
  2. exclusively for journalistic, artistic, literary or academic purposes; or
  3. exclusively for national security, national defense, public safety or criminal investigation or punishment activities.

Also similar to the GDPR, the LGPD imposes requirements on both data controllers (the entity in charge of making decisions about processing) and data processors (the entity that processes personal data in the name of the controller). Although many of the requirements apply only to controllers, due to existing consumer protection laws in Brazil it is possible that processors could be held jointly and severally liable for any cause of action under the LGPD that involves harm to data subjects.

What type of data is covered?

In effect, the LGPD covers personal data relating to Brazilian data subjects, personal data collected directly from Brazil, or personal data collected through the offering of goods or services to Brazil. Like the GDPR (and the California Consumer Protection Act (CaCPA)), Brazil's new law broadly defines "personal data" to include all information related to an identified or identifiable natural person. The LGPD also includes special restrictions related to the processing of "sensitive personal data", which is defined as data relating to an individual's racial or ethnic origin, religious beliefs, political opinion, affiliation to unions or political, philosophical or religious organizations, health, sex life or genetic and biometric data.

The LGPD includes two key distinctions from the GDPR with respect to personal data:

  • Some anonymized data may be considered "personal data" when used for profiling. Anonymized data is generally exempt from the LGPD's requirements, so long as the anonymization may not be reversed using reasonable efforts (e.g., the cost and time required to identify individuals, available technologies and other appropriate means). However, Article 12 states that even anonymized data may be deemed "personal data" when it is used to enhance, build upon or otherwise create behavioral profiles about individuals.
  • No broad concept of "pseudonymized" data. Unlike the GDPR, the LGPD does not provide broad incentives for data controllers to pseudonymize data, which is the process of separating data from direct identifiers to make re-identifying individuals more difficult. Pseudonymization is only addressed under Article 13 of the LGPD, which encourages public health research bodies to anonymize or pseudonymize health data whenever possible.

What about publicly-available personal data?

Under the existing pre-LGPD data protection regime in Brazil, companies can collect and use personal data made available over the internet or from any public source for any reason, including marketing, profiling and big data analytics. Under the LGPD, however, public personal data may only be collected and used in two ways:

  • for the same purpose that the data was originally collected or posted, which will not require the data subject's consent; or
  • for a different purpose, but only if the controller has identified a valid legal basis for the use under Article 7, such as legitimate interest (more on this below).

Therefore, the practice of "scraping" or otherwise collecting publicly-available data for marketing, big data or other monetization purposes will in many cases be limited under the LGPD.

What rights do data subjects have under the LGPD?

Article 18 of the LGPD requires controllers to provide for nine distinct rights of data subjects in relation to their personal data, including:

  • confirmation of the existence of processing;
  • access;
  • rectification;
  • anonymization, redaction or elimination of unnecessary or excessive personal data, or of data that is not being processed in compliance with LGPD;
  • portability;
  • deletion of personal data being processed based upon consent;
  • disclosure of subprocessors and other third parties with whom personal data is shared;
  • information about consent choices and the consequences of refusing consent; and
  • revocation of consent.

Under Article 20, data subjects are also entitled to an explanation of any automated decision-making carried out by the controller and to request that a natural person review decisions based exclusively on such processing. Controllers must comply with these requests and provide clear and adequate information about the criteria and procedures used for automated decision-making. Notably, the right to review by a natural person applies to any type of automated decision-making or profiling, regardless of the impact that such a decision has on the data subject. By contrast, under the GDPR controllers are only required to provide a review when the automated decision has a material impact on the data subject.

Depending on how the DPA ultimately interprets these provisions, this requirement may significantly affect companies that engage in profiling for purposes such as advertising or analytics. Under the GDPR, controllers engaging in profiling activities without a material impact on consumers would not need to comply with requests for explanation and review of these practices. Under the LGPD, however, digital media and other companies may face additional obligations to provide individuals with information about the criteria and procedures they use to create profiles, and even conduct manual reviews of their analytics and processing models.

What are the key compliance requirements under the LGPD?

The specific steps necessary to comply with the LGPD are, for now, relatively unclear without a DPA to issue interpretive guidance. Companies must therefore look to the high-level principles set forth in the law as they prepare for the LGPD's effective date in February 2020. Based upon these principles, the LGPD includes the following key compliance requirements:

  • Maintain a record of data processing activity under Article 37. Companies should create and maintain a data inventory or "data map" of the personal data they collect and process. The LGPD does not include specific requirements for the form or content of these records; however, they will likely be similar to the data inventories required under Article 30 of the GDPR.
  • Define and document legal bases for processing personal data. Companies must identify a legal basis for each processing activity and document the legal basis in their Article 37 records of processing. Under Article 7 of the LGPD, a controller may only process (or direct the processing of) personal data if it has a legal basis to do so. The law enumerates ten legal bases for processing:
    1. consent;
    2. compliance with law;
    3. by the government for public policy or regulation;
    4. research (provided that personal data is anonymized whenever possible);
    5. when necessary for the performance of a contract with the data subject;
    6. to exercise legal rights in lawsuits, arbitration or administrative proceedings;
    7. the protection of life or physical safety;
    8. by medical providers for the protection of health;
    9. when necessary to meet the legitimate interest of the data controller or third parties; and
    10. the protection of credit.

Additional restrictions apply to the processing of sensitive personal data, which may only be processed with the data subject's specific consent or when the processing is essential for certain limited legal bases set forth in Article 11.

  • Document and maintain valid consents. Similar to the GDPR, Article 8 of the LGPD places the burden of proof on the controller to demonstrate valid consent. Therefore, companies must ensure that internal procedures are in place to track consents and revocations by data subjects to ensure lawful processing under the LGPD. Consent must be obtained in advance and must be free, informed and unequivocal, and provided for a specific purpose. Data subjects may provide their consent in writing or by other means that prove the data subject's intent (e.g., checking an "unticked box" to demonstrate assent to processing), and may revoke their consent at any time. If consent is the only legal basis for processing, any changes in processing that are incompatible with the original consent must be disclosed to data subjects in advance to provide them with an opportunity to revoke their consent.
  • Update privacy notices and consent forms. Companies will also need to update privacy notices and consent forms to ensure compliance with the LGPD's transparency requirements in Article 9. Privacy notices must clearly, adequately and visibly provide information to data subjects about:
    • the specific purpose of the processing, including if the processing is a condition for receiving products or services;
    • the form and duration of the processing;
    • identification of the data controller, including contact details;
    • third parties that will receive the personal data;
    • the responsibilities of any third parties processing data on the controller's behalf; and
    • the rights of data subjects enumerated in Article 18, how to exercise those rights, and whether any personal data will be processed to respond to a request to exercise those rights.

Public bodies and government authorities have additional disclosure requirements, such as informing the public when sensitive personal data will be processed for legal, regulatory, or public administration purposes.

  • Appoint a data protection officer (DPO). Under Article 41 of the LGPD, companies must appoint a data protection officer to receive complaints and communications from data subjects, communicate with the DPA, train employees and carry out other duties relating to the company's personal data processing activities. Unlike the GDPR, the LGPD does not provide for any exemption to the DPO requirement – all companies must appoint a "natural person" to act as the DPO. Companies must publicly and clearly display the name and contact information of the individual DPO, preferably on the controller's website. Although the yet-to-be-formed DPA is expected to clarify the requirements of Article 41, the existing law does not require the DPO to be physically located in Brazil, and also leaves open the possibility that companies may appoint third-party individual consultants to the position of DPO.
  • Develop internal policies and procedures for responding to data subject requests. Companies must reasonably respond to data subjects' requests to exercise their rights under the LGPD, including access, correction, anonymization, deletion and portability.
  • Notify the DPA and data subjects of security incidents. Under Article 48, controllers must notify the DPA of security incidents that may result in relevant risk or damage to data subjects. Notice must be provided within a "reasonable" time, after which the DPA may order the controller to notify data subjects, alert the media, and/or take other steps to mitigate the effects of the incident. The DPA must still provide additional guidance on the timing and nature of security incident notifications.
  • Develop an incident response and remediation plan. Companies must implement an incident response plan pursuant to Article 50 that ensures the controller is able to comply with the mandatory incident reporting requirements of Article 48.
  • Implement an information security program. Controllers and processors must adopt security, technical and administrative safeguards designed to protect personal data from unauthorized access, destruction, loss, modification, communication or other types of unauthorized or unlawful processing. The DPA may provide guidelines for minimum technical standards in the future. Other security frameworks under Brazilian law provide additional guidance related to existing standards, such as Brazil's Civil Rights Framework for the Internet, or Marco Civil da Internet (English translation available here).
  • Perform data protection impact assessments (DPIAs). DPIAs may be necessary when a controller relies upon legitimate interest as a legal basis for processing and in other circumstances, such as the processing of sensitive personal data. The requirements for DPIAs are not clear from the plain text of the LGPD, but additional guidance is expected from the DPA once established.
  • Privacy by design and default. Companies subject to the LGPD must implement a privacy governance program and adopt internal processes and policies to achieve the law's principles, such as data protection and transparency.
  • Comply with cross-border data transfer requirements. Articles 33 through 36 of the LGPD place restrictions on cross-border transfers of personal data. Such transfers are only permitted in certain situations, including: (i) when the transfer will be made to a country with an adequate level of data protection (as determined by the DPA); (ii) when the data subject has provided express and specific consent to the transfer; and (iii) where the controller effectuates the transfer through use of an approved legal mechanism, such as model clauses approved by the DPA, binding corporate rules, or custom contractual provisions that guarantee the same level of data protection as under the LGPD. Unlike the GDPR, the LGPD does not permit cross-border data transfers based solely upon the controller's legitimate interest.

What are the penalties and/or fines for noncompliance?

Consequences of noncompliance under the LGPD may include warnings, corrective measures, daily fines, penalties, and suspensions of processing activities that violate the law. For example, the DPA may impose fines of up to 2 percent of a company's gross revenues in Brazil in the previous year, or R$ 50,000,000 (fifty million Brazilian Reais, or approximately 12,000,000 USD), whichever is greater, per violation. Daily fines for a specific violation are also subject to this cap.

Will our GDPR compliance program cover the requirements of the LGPD?

Without a DPA in Brazil to issue interpretive guidance similar to the Article 29 Working Party in the EU, the specific requirements for compliance with the new law are unknown. However, the law itself contains many similarities to the GDPR. Based upon the text alone, companies that are already complying with the GDPR will likely be able to rely on various compliance activities that are already in place in order to demonstrate compliance under Brazil's LGPD.

The chart below summarizes the key differences discussed throughout this post between the Brazilian LGPD and the EU GDPR.

| | Brazil LGPD | EU GDPR |
|---|---|---|
| Extraterritorial Scope | Applies to the processing of personal data by companies that (i) conduct processing activities in Brazil, (ii) process personal data collected in Brazil, or (iii) process data for the purpose of providing goods or services in Brazil or to individuals located in Brazil. | Applies to the processing of personal data by companies (i) "established" in the EEA, (ii) that offer goods or services to individuals in the EEA, or (iii) that monitor individuals in the EEA. |
| Registration of Processing | All companies must register. | Exemption for companies with fewer than 250 employees. |
| Anonymized Data | May be considered personal data when used for behavioral profiling. | Not considered personal data. |
| Publicly-Available Personal Data | Permits processing without consent when used for the same purpose for which the data was originally collected; other purposes require consent or another legal basis. | Treated in the same manner as personal data that is not publicly-available. |
| Legal Bases for Processing | Ten enumerated legal bases, including the protection of credit and the protection of health by a health care provider. | Six enumerated legal bases. |
| Legitimate Interest | More flexible; may not be used as a legal mechanism for cross-border data transfers. | More restrictive; sufficient legal basis for cross-border data transfers. |
| Waiver of Consent | Exemption where data subjects have manifestly made public their personal data. | No exemption. |
| DPO Requirement | Mandatory for all companies; DPO must be a natural person. | Exemption for some companies; no requirement for the DPO to be a natural person. |
| Data Subject Rights | Right of anonymization; more expansive rights of deletion, portability and revocation of consent; must be provided to data subjects free of charge. | More limited rights of deletion, portability and restriction of processing; controller may charge a fee in certain circumstances. |
| Potential Maximum Fines | Up to R$50 million (approximately 12 million USD) or 2 percent of total revenue in Brazil, whichever is higher. | Up to €20 million or 4 percent of total global revenue, whichever is higher. |
| Service Providers & Processing Agreements | Processors are bound to the same principles as the controller (no contract requirement set forth in the LGPD's provisions). | Controllers must execute a written contract meeting the GDPR's requirements with processors. |
| Data Breach Notification | Within a reasonable time (to be determined by the DPA). | 72 hours. |
| Automated Decision-Making | Data subjects have the right to review by the controller of any decision or profiling, regardless of impact. | Data subjects' right to controller review applies only when the automated processing or profiling causes a legal or significant effect. |

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
