Brazil: Data Protection Series: Brazil's LGPD Compliance Challenges

Last Updated: 30 October 2018
Article by Vanessa Mello

As companies prepare to adapt to Brazil's new GDPR-style data protection law, local GCs highlight the benefits of greater data protection legislation for businesses, but suggest the lack of an appointed authority to oversee and enforce the law will create major compliance challenges for legal teams.

After eight years of discussions in congress, on 14 August 2018, Brazil became the latest Latin American country to implement an overhaul of its data protection laws governing how companies collect, use, disclose and process personal data. The Latin American Corporate Counsel Association (LACCA) and TMF Group take a look at Brazil's new laws as well as some of the compliance challenges facing GCs and their teams.

The Lei Geral de Proteção de Dados (LGPD), which will come into effect in February 2020, reproduces some of the central points of the European General Data Protection Regulation (GDPR) and imposes significant compliance obligations on companies that process data or offer services to individuals in Brazil. "The law is about the protection of all personal data, similar to the GDPR, affecting all companies that deal with data," says Vanessa Mello, director of client legal compliance operations at TMF Group Brazil.

The LGPD applies to all legal entities that process personal data, whether public or private, operating in Brazil or that supply goods or services to individuals located in Brazil. Companies must expressly seek consent from the owner of the data, informing them exactly what data is being collected, why, and for how long it will be stored. In addition, the data must be destroyed when the company no longer has any need for it. As under most privacy frameworks, additional protections apply to certain categories of data, such as the personal data of minors and "sensitive" data. "This will have a big impact on businesses in Brazil," says Mello. "Companies used the information they collected as they wanted before, such as for commercial purposes, pricing or survey or market research type purposes but they will not be able to do that anymore."

Similar to the EU's GDPR provisions, the scope of the new law also applies to global businesses that are headquartered abroad but that affect or target Brazilian citizens.

The law also outlines fines for non-compliance; however, unlike the GDPR penalty, which can reach up to 4% of a company's global revenue, Brazil's law is less severe, reaching up to 2% and limited to 50 million reais (approximately US$13.5 million) per infraction. Each infraction will be analysed and applied proportionally to the resulting damage.

Greater clarity

Until now, Brazil did not have a general data protection law that could be applied across all business sectors. Instead, there were different rules for different sectors of society, including the financial sector, the credit sector, the health sector and the internet sector, which can often be confusing for companies. "Currently, there are a few instances in which a company will have to choose which rule it will comply with, and that creates much insecurity because one can never be fully in compliance with all applicable laws and regulations," says Thaïs Sá Ramos, privacy coordinator at insurance provider Prudential do Brasil.

For many, the lack of certainty regarding which laws apply creates major problems for legal teams, so providing clearer and more standardised rules for companies as well as more comprehensive protections for user data is a major step forward for Brazil's regulatory environment. "Before this law came into place there were approximately 40 different regulations about data protection, but this law will consolidate them all into one law," says Mello.

The compliance challenge

Many multinational companies will already have to adhere to international standards and will have many of the necessary protections and policies in place, so tailoring their compliance programmes to fit new requirements in Brazil should be relatively simple. "For companies that want to do business in Brazil or already do, they are used to international legislation – like ones in the EU understand the GDPR laws. There are more than 100 countries with this type of legislation in place, so it's unlikely to be a big impact on multinationals," says Mello. "Instead, it will be a new big challenge to the companies that are already doing business in Brazil. Companies will have to make sure their systems are compliant."

Indeed, while greater standardisation has been welcomed by corporate lawyers across Brazil, many point out that some local companies are likely to face challenges when it comes to ensuring compliance with the new legislation. "Compliance will be costly and take up a lot of effort, small companies may not be able to keep up," says Ramos. "If anything, the new regulation is oversophisticated for our landscape, where we went from zero to 150%."

Despite having nearly 16 months to adapt to the new law, many local companies are expected to need a lot of support. "Systems and technology have to adapt and in Brazil there are many bureaucratic systems," says Mello. "Adapting to the laws will be a big exercise for companies in order to perform day-to-day activities without breaching the requirements."

So far, there has been little guidance for companies. Although the bill originally included provisions creating a national Data Protection Authority (DPA) to oversee and enforce the legislation, President Michel Temer vetoed this section before signing it into law. The president has stated publicly that a new bill will be sent to congress establishing the DPA, but so far, no action has been taken. While this means that the specific steps necessary to comply with the LGPD remain relatively unclear without a DPA to issue interpretive guidance, it is also creating confusion for companies in terms of how things will be enforced in the meantime, according to Dirceu Santa Rosa, partner at Montaury Pimenta, Machado & Vieira de Mello. "Without a regulator or authority for privacy and data protection, state-based public prosecutor offices and consumer protection 'watchdogs' are taking action in any data breach cases, even before the LGPD is enforceable. This is creating a very hostile environment for data privacy in Brazil and might require immediate attention from authorities," he says.

Many others agree and say while the lack of an enforcing body leaves room for public prosecutors and individual states to rule independently, it also creates major burdens for companies. "It's creating a patchwork of different applications of the law throughout the country and exponentially increasing everyone's efforts to comply," says Ramos.

Preparing well in advance

With little guidance from authorities so far, companies should start preparing well in advance of the LGPD's effective date, looking to the high-level principles set forth in the law. "From a compliance perspective, the moment to start preparations for the LGPD is now," says Santa Rosa. Part of this is getting the company's board of directors and/or leadership on board. "Most company leaders and even many legal directors are still only slightly aware of the changes that the LGPD could bring to the Brazilian legal environment. Therefore, the biggest challenge for legal teams is informing company leadership correctly and raising awareness that the compliance efforts should start as soon as possible," he points out.

Patricia Barbelli, GC and legal and corporate security director at Diageo in Brazil, Uruguay and Paraguay, says that while it is important for the legal team to head up compliance efforts, it should not be the sole responsibility of the department. "Data privacy is a subject that is relevant to the company as a whole, so all teams and areas of the company should behave as data privacy officers. For example, HR deals with relevant sensitive private information and it will be a key player in following the data privacy obligations," she says. "In addition, the tone must come from the top, as it does for other compliance matters and data privacy must be a priority in the agenda of company management."

The new law also states that companies must appoint a data processing officer (DPO) to receive complaints and communications from data subjects, communicate with the DPA, train employees and carry out other duties relating to the company's personal data processing activities. Although the yet-to-be-formed DPA is expected to clarify the requirements of the DPO, Barbelli highlights that there continues to be a lack of expertise in Brazil since the topic is a relatively new one. "This is a very specialised role," she says. "It requires knowledge in technology, management and corporate governance and it is hard to find a professional already prepared in the market to be the spearhead of data privacy in such a short period of time."

For Santa Rosa, the key for many local companies may be getting someone trained internally for the role of DPO as soon as possible, particularly since companies may not have the budget to hire someone with the relevant expertise. "Many companies in Brazil have limited budgets for their legal and compliance teams, which means that the opportunity to become a DPO might be handled internally by existing in-house counsel from related areas, or compliance professionals," he says. "Companies and legal counsel should look to build expertise and start now."

In short, businesses from all sectors will need to adapt over the next 16 months and a new culture about the appropriate use of data must be formed. While the LGPD is likely to create a number of compliance challenges for local companies, those that are able to see the protection of personal data as an investment and competitive advantage rather than a cost and compliance burden, will be able to use it as a market differentiator. In a time of major information leaks and high-profile scandals over the misuse of data, complying with clear and transparent rules can increase consumer confidence in companies and the marketplace. "If a company can see the opportunity that comes with the new rules, it can turn things entirely to its advantage and become more competitive by advertising its improved privacy practices, offering new privacy-related services and creating an image of credibility and data safety," says Ramos. "The new law may, in fact, open many new doors for our economy, if Brazil can eventually become a country considered safe for data processing."

TMF Group has the local knowledge to help you navigate these complexities. Whether you want to set up a new venture in Brazil, or just want to streamline a partnership between the US and Brazil, talk to us. Learn more about TMF Group in Brazil.

This article was originally published on laccanet.com on 19 October 2018.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
