1. The LGPD is Brazil’s overarching, federal, data protection law.
2. As with the EU’s General Data Protection Regulation (GDPR), it sets out the lawful bases for processing data, key rights of data subjects, and penalties for non-compliance.
3. Key differences with the GDPR include the lack of a data portability right, credit protection as a legitimate ground for processing data, and a less prescriptive approach to enforcement in the LGPD.
4. Over time we can expect regulations enabled under the LGPD to bring it further into line with the GDPR.
In 2018, Brazil passed into law the Lei Geral de Proteção de Dados (LGPD). This law has similarities, as well as key differences, with data protection laws in other jurisdictions such as the EU’s General Data Protection Regulation (GDPR). Here we set out the key elements of the LGPD, and set out four key ways in which it is different from the GDPR.
What is the LGPD and What Came Before It?
The LGPD is a comprehensive data protection law. It regulates the control and processing of personal data in Brazil, and sits alongside, as well as replacing, some elements of existing privacy law in Brazil. It applies to the personal data of individuals, or ‘data subjects’.
The law came into effect on August 16, 2020, and penalties under the law applied from August 1, 2021.
Since Brazil brought this law into effect, various other countries have followed suit, such as China with its Personal Information Protection Law (PIPL).
With Brazil ranking as the world’s 8th largest economy, and the largest in Latin America, it is increasingly becoming a destination for businesses interested in global expansion. This means, however, that those businesses need a thorough understanding of the data protection laws that apply there.
Prior to the LGPD coming into effect, a range of Brazilian laws and rules applied to privacy and data protection. The most important of these included:
- Brazil’s Constitution (‘Constituição Cidadã’ or ‘Constitution of Citizenship’).
  - Provisions relevant to data protection include a right to privacy, the right to keep communications secret and habeas data, the right of an individual to access and correct data held on them by public agencies.
- Civil Code 2002 (‘Código Civil’).
  - A key privacy provision here is the requirement that, except where permitted or necessary for the “administration of justice or the maintenance of public order”, certain personal information cannot be disclosed.
- Consumer Protection Code 1990 (‘Código de Defesa do Consumidor’, or ‘CDC’).
  - This law deals with consumer information held by banks and credit agencies. Under this law (see article 43 especially), records must be accurate, and are subject to rectification by the individual. In addition, this Code emphasizes the importance of seeking an individual’s consent when requesting their information.
- Brazilian Civil Rights Framework for the Internet (‘Marco Civil da Internet’).
  - Article 10 of this framework allows for the correction of retained data stored on the internet. It also specifies that the law will apply to any dealing in that data in Brazil, even if a foreign corporation is carrying out the activity. Note, the constitutionality of this law has been questioned by some prosecutors and officials.
While this piecemeal privacy framework that existed in Brazil prior to 2018 is largely superseded by the LGPD, certain elements still remain in force. We will discuss some of the complications that arise due to this further below.
What Are the Key Elements of the LGPD?
How Does the LGPD Differ From the EU’s GDPR?
While the LGPD was developed with the GDPR in mind, there are some key differences between the two pieces of data protection regulation. Those differences include:
For a detailed explanation of the GDPR itself, see The Principles of the General Data Protection Regulation (GDPR) and International Expansion.
Frequently Asked Questions (FAQ)
‘LGPD’ stands for Lei Geral de Proteção de Dados. Roughly, this can be translated as the General Law on Data Protection.
The LGPD has a slightly different set of data rights, a more extensive set of lawful grounds for processing data, and a more complicated enforcement apparatus, compared to the GDPR.