Brazil has enacted a new data protection law modeled on the European Union's General Data Protection Regulation.
On July 10, 2018, Brazil's Federal Senate unanimously approved the country's first General Data Protection Law (Lei Geral de Proteção de Dados, or the LGPD),1 which was signed into law by Brazilian President Michel Temer on August 14, 2018. Much like the European Union's General Data Protection Regulation (GDPR), the LGPD establishes a comprehensive data protection regime in Brazil and imposes detailed rules on the collection, use, processing and storage of personal data, whether held electronically or in physical form. The law is scheduled to take effect in February 2020.
Key Elements of the LGPD
Personal Data
Like the GDPR, the LGPD broadly defines "personal data" to include any information, whether on its own or in combination with other data, that relates to an identified or identifiable natural person, and it includes specific provisions governing the collection and use of "sensitive personal data," meaning data that inherently exposes the data subject to a risk of discriminatory treatment. Sensitive personal data includes information on racial or ethnic origin, religious belief, political opinion and health, as well as data that allows the unequivocal and persistent identification of the data subject, such as genetic data. Anonymized data is not considered personal data.
Extraterritorial Jurisdiction
The LGPD is also similar to the GDPR in its broad extraterritorial reach. The Brazilian law applies to any organization, wherever established, that: (1) carries out processing of personal data in Brazil; (2) collects personal data in Brazil; (3) processes data relating to natural persons located in Brazil; or (4) processes personal data for the purpose of offering goods or services in Brazil.
Legal Basis for Data Processing
The LGPD provides ten distinct legal bases for processing personal data. Processing is permitted where it is:
- done with the express consent of the data subject;
- necessary for compliance with a legal or regulatory obligation;
- necessary for the performance of a contract;
- necessary for the exercise of rights in a judicial, administrative or arbitration proceeding;
- necessary to protect life or physical integrity;
- necessary to protect health;
- necessary for the execution of public policies (for processing by public authorities);
- necessary for purposes of credit protection;
- necessary to meet the legitimate interest of the data controller or third parties; or
- necessary for the performance of historical, scientific or statistical research.
With respect to consent as a legal basis, the LGPD provides that the consent requirement is waived where the data subject has "manifestly made public" his or her personal data. Where consent is relied upon, it must be informed, revocable and given for a specific purpose before the data subject's personal data is processed.
Data Protection Officers
The LGPD requires each data controller to appoint a data processing officer (DPO) whose responsibilities include overseeing the organization's data processing activities and handling data subject requests. The role differs from the data protection officer role under the GDPR in that the LGPD DPO acts as an independent overseer of the controller's data protection activities and, as such, is not personally liable for them. The DPO may be an officer or employee of the data controller or of a third-party provider, but in either case must perform his or her duties autonomously. In addition, unlike the GDPR, the LGPD's DPO requirement applies to all controllers, with no exemption for small businesses or small-scale processors, although the national data protection authority, once established, may define exceptions to this requirement.
Data Protection Impact Assessment
The LGPD requires companies to prepare a data protection impact assessment (DPIA) before undertaking personal data processing activities that may expose data subjects to elevated risk. The DPIA must document the processing activities that may create risks to data subjects, together with the measures, safeguards and mitigation mechanisms the company has implemented to address those risks.
Data Transfer Restrictions
The LGPD restricts cross-border transfers of personal data. Personal data may be transferred only to countries deemed to provide an adequate level of data protection, or pursuant to standard contractual clauses or another approved transfer mechanism. The adequacy decisions, standard contractual clauses and other transfer mechanisms will be issued by the national data protection authority once it is created.
Data Breach Notification
The LGPD requires companies to notify the national data protection authority of a data breach within a "reasonable" time. What period counts as reasonable is left to the data protection authority to define; commentators expect it to track the GDPR's 72-hour notification window given the overall similarity of the two laws. After receiving the notice, the data protection authority will determine whether the affected data subjects must be notified and what mitigating steps the company must take.
Penalties
The LGPD provides that the national data protection authority may impose sanctions for violations, including fines and potentially even the total or partial prohibition of data processing activities. Fines may reach 2 percent of the company's turnover in Brazil in its last fiscal year, capped at 50 million Brazilian reais per infraction (approximately US$12 million).
Key Takeaways
Companies that are already GDPR-compliant will likely be able to comply with the LGPD without significant additional effort, as the two laws impose similar requirements for data processing, DPIAs and data transfers. Companies with data processing activities in Brazil, and companies outside Brazil that collect personal data from individuals in Brazil, should monitor the implementation of the LGPD by Brazilian authorities over the next 18 months so they can adjust their compliance programs accordingly.
Footnotes
1 No official English translation of the LGPD has been provided.
Privacy & Cybersecurity Update - August 2018
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.