On August 14, 2018, Law No. 13,709 (LGPD – Lei Geral de Proteção de Dados) was enacted, creating a legal framework for personal data protection in Brazil. The LGPD is strongly influenced by the EU General Data Protection Regulation (GDPR), and its provisions apply to individuals, private entities and public authorities alike.
Brazil thereby joins a group of more than 120 countries that have enacted personal data protection laws, among them other South American countries such as Argentina, Chile, Colombia, Peru and Uruguay, according to the Ibero-American Data Protection Network [1]. Adopting best practices aligned with other international regulations allows global and multinational businesses to run standardized compliance programs worldwide, which improves efficiency and strengthens data protection.
The LGPD only becomes fully effective 18 months after its enactment. This transition period is the window in which companies and individuals must take the measures needed to comply with the LGPD and with the further regulations still to come.
Enforcement of most of the LGPD's provisions depends on the creation of a governmental authority (the "Authority") with jurisdiction to oversee and enforce the law and to issue further regulation on personal data protection. Implementing regulation by means of a Federal Decree is also expected.
Foundations and principles
The foundations of the LGPD, as stated in the law itself, are: respect for privacy; informational self-determination; freedom of expression, information, communication and opinion; the inviolability of intimacy, honor and image; economic and technological development and innovation; free enterprise, free competition and consumer protection; and human rights, the free development of personality, dignity and the exercise of citizenship.
Processing of personal data must be carried out in good faith and in accordance with the following principles: purpose limitation; adequacy; necessity (processing limited to what is reasonably required for the stated purpose); free access; data quality; transparency; security; prevention; non-discrimination; and accountability. Several of these principles are also found in the GDPR [2], which explains why the two laws handle key matters in similar ways, notably territorial scope, data subject rights, international transfer of personal data and liability for breaches.
The following table compares the territorial scope of the LGPD with that of the GDPR. There are clear similarities, especially regarding the offering of goods and services to individuals located in the respective territory. The European regulation nevertheless has the wider reach, since the monitoring of data subjects' behavior is also one of the triggering conditions under the GDPR, whereas it is not under the LGPD.
Territorial scope in the Brazilian and the European legal frameworks
The Brazilian legislator's choice on territorial scope was clearly a middle ground between a more restrictive approach, concerned only with data processing physically carried out in the country, and the European model, in which the law has a wider extraterritorial reach.
Rights and data subject consent
The LGPD establishes that personal data belongs to the natural person it refers to, who is its data subject. The data subject is entitled to obtain from the controller, at any time and upon request, the following measures and information regarding his or her personal data: confirmation that processing is taking place; access to the data; rectification; anonymization; portability; erasure; the public and private entities with which the controller has shared the data; information on the possibility of refusing consent and the consequences of such refusal; and withdrawal of consent. These rights may also be asserted before the Authority or before consumer defense bodies.
Data subject consent is at the core of the LGPD, since it is one of the legal bases for processing. Consent may be given in writing or by any other means that demonstrates the data subject's intent. When consent is given within a contract, the consent clause must be highlighted and must state the specific purpose for which the personal data will be processed. The burden of proving that consent was obtained in accordance with the LGPD lies with the controller.
Brazilian law also allows processing of personal data without the data subject's consent on the following grounds: compliance with a legal or regulatory obligation to which the controller is subject; implementation of public policy; conduct of studies by research entities; performance of a contract to which the data subject is a party; regular exercise of rights in judicial or administrative proceedings; protection of the life or physical safety of the data subject or a third party; the legitimate interests of the controller; protection of health; and credit protection.
The GDPR takes a similar approach: consent is the first of the lawful bases for processing it lists, and the GDPR likewise sets conditions for consent, including formal requirements, and provides for its withdrawal. Both the GDPR and the LGPD also recognize situations in which data subject consent is not required.
Under both laws the data subject also has the right to have the data erased once the purpose of the processing has been fulfilled, a right which in the GDPR derives from the "storage limitation" principle.
International transfer of personal data
The LGPD allows the international transfer of personal data provided that: (i) the transfer is made to countries or international organizations that provide a level of protection considered adequate, the criteria for adequacy being yet to be determined by the Authority; (ii) the controller guarantees compliance with the principles and rights set forth in the LGPD by way of (a) specific contractual clauses for the transfer, (b) standard contractual clauses, (c) global corporate rules, or (d) certifications and codes of conduct; (iii) the transfer is required for international legal cooperation between public intelligence and investigation authorities; (iv) the transfer is necessary to protect the life or physical safety of the data subject or of a third party; (v) the Authority authorizes the transfer; (vi) the transfer is required for the implementation of public policy or the provision of a public service; (vii) the data subject gives specific consent to the international transfer; or (viii) the processing is necessary for the exercise of rights by, or compliance with legal obligations of, the controller.
Brazilian law confers upon the Authority broad powers to authorize international transfers in situations not expressly provided for in the LGPD. The Authority's discretion is nevertheless bounded by criteria such as the nature of the data, the security measures adopted and the existence of legal and institutional guarantees for the protection of personal data in the receiving country.
The GDPR addresses the matter in much the same way: transfers may rely on an adequacy decision based on the level of protection afforded by the receiving country or organization, and the GDPR sets a general principle that any transfer may take place only if the conditions laid down for transfers are complied with by both the controller and the processor.
Both the LGPD and the GDPR also emphasize international cooperation, with provisions in each allowing international transfers for that purpose.
Breach of law and exercise of rights
A controller or processor that causes damage by breaching the law must compensate the data subject. Liability is allocated as follows: (i) processors are jointly and severally liable with controllers for damages caused in the processing when they breach the applicable data protection legislation or fail to follow the controller's instructions; and (ii) controllers directly involved in the processing from which the damage arose are jointly and severally liable.
Controllers and processors are not held liable if they prove that (i) they did not process the data; (ii) although they processed the data, there was no breach of the law; or (iii) the damage resulted from the exclusive fault of the data subject or of a third party. Failure to put adequate security measures in place can itself give rise to liability for controllers and processors.
Courts may, at their discretion, shift the burden of proof onto the controller and/or the processor in the event of a breach. The LGPD also allows for class actions. Breaches occurring in the context of consumer relations are subject to the Brazilian Consumer Protection Code, which may entail, among other consequences, strict liability for controllers and/or processors and the piercing of the corporate veil.
Breaches of the LGPD expose the non-compliant party to the following penalties: (i) a warning, with an indication of corrective measures; (ii) a fine of up to 2% of the gross revenue (taxes excluded) of the corporate entity, group or conglomerate in Brazil in the preceding fiscal year, capped at R$ 50 million per breach; (iii) daily fines, up to the cap referred to in item (ii); (iv) publication of the breach; (v) blocking of the personal data until the irregularity is remedied; and (vi) erasure of the personal data.
The Authority imposes penalties through an administrative procedure that must weigh the breach against additional criteria, such as its nature and severity, the good faith of the breaching party, the degree and extent of the damage, the actual harm caused, the breaching party's cooperation and the proportionality of the penalty. A further criterion is whether the breaching party had adopted (i) mechanisms and procedures capable of minimizing the damage and ensuring safe and adequate control of personal data, and (ii) best practices and governance.
The GDPR adopts a similar approach, granting investigative, corrective and advisory powers to the Member States' data protection authorities. Depending on the severity of the breach, these authorities may impose administrative fines of up to 4% of the breaching party's total worldwide annual turnover in the preceding financial year (or EUR 20 million, whichever is higher). The GDPR also allows Member States to lay down additional penalties, provided they are effective, proportionate and dissuasive.
In Brazil, forthcoming regulation is expected to define the method for calculating penalties, reducing the room for discretion and inconsistency. Adopting adequate security measures and raising the level of practices and controls is advisable to reduce the exposure of controllers and processors to liability.
[1] The Ibero-American Data Protection Network is a collaborative group of Ibero-American countries established in 2003, with the mission "to promote and contribute to the strengthening and adaptation of regulatory processes in the region, through the elaboration of guidelines that serve as a parameter for future regulations or for the revision of existing ones". See Standards for Personal Data Protection for Ibero-American States, available at: http://www.redipd.es/documentacion/common/Estandares_eng_Con_logo_RIPD.pdf
[2] The GDPR sets out the principles that govern data processing in the European context. Provisions similar to the LGPD's include: transparency, purpose limitation, data minimization/necessity, accuracy, security/confidentiality, and accountability.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.