Brazil's Comprehensive Privacy Law Now In Effect

Sheppard Mullin Richter & Hampton

Contributor

Sheppard Mullin is a full service Global 100 firm with over 1,000 attorneys in 16 offices located in the United States, Europe and Asia. Since 1927, companies have turned to Sheppard Mullin to handle corporate and technology matters, high stakes litigation and complex financial transactions. In the US, the firm’s clients include more than half of the Fortune 100.

After considerable legislative uncertainty, Brazil has now formally enacted the country's first general data protection law, Lei Geral de Proteção de Dados, or "LGPD." While administrative sanctions do not go into effect until August 1, 2021, individuals and public prosecutors can now bring claims for losses and damages. Indeed, at least one public civil action has already been filed. LGPD is the first comprehensive general data protection law in Latin America. It was modeled after the EU's GDPR. While there are many similarities, LGPD does introduce new concepts. Below are some of the key elements to keep in mind.

  • When does LGPD apply? Like GDPR, LGPD has extraterritorial effect. A company does not need to be based in Brazil or otherwise have any physical presence for the law to apply. Generally, LGPD applies when an organization does any of the following: (i) processes personal data in Brazil; (ii) processes personal data that was collected in Brazil; or (iii) processes personal data to offer goods or services in Brazil.
  • Does LGPD provide rights to individuals? Yes. While many of the rights are similar to those in GDPR, LGPD also introduces additional rights. In addition to GDPR-like rights of access, deletion, and portability, LGPD gives people a right to access information about those with whom an organization has shared the individual's data. It also calls for individual access to information on whether an organization holds particular data.
  • What are the requirements for transferring data? Organizations may transfer personal data to other countries that provide an "adequate level of data protection." Brazil has not yet identified which countries it considers as providing an adequate level of protection. All other transfers require a valid legal transfer mechanism. While there are several available transfer methods, the two main ways organizations can transfer data are: (1) with the specific and express consent of the individual, which must be obtained in advance and kept separate from other purposes and other requests for consent; and (2) through contractual instruments such as binding corporate rules and standard clauses, committing the organization to comply with the LGPD principles, individual rights, and the Brazilian data protection regime. No specific model clauses or language are available yet.
  • Are there other record keeping requirements? LGPD includes record of processing requirements. There are also certain requirements for "impact reports."
  • Do we have to appoint a Data Protection Officer? It depends. Companies that qualify as "controllers" are required to appoint a data protection officer. Unlike GDPR, there are no specific requirements for the qualifications of this individual.

Putting it Into Practice. Many questions remain open as to the interpretation and enforcement of this law. Brazil's National Data Protection Authority (ANPD), the administrative agency tasked with enforcing administrative sanctions and issuing regulations under the LGPD, has not yet been established. In the meantime, organizations can begin reviewing their global privacy programs to assess any gaps in compliance. They may want to focus on, among other things, the differences between current rights processes and the rights anticipated under LGPD.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
