What is Brazil’s LGPD? Four Differences from the GDPR

Key Takeaways

1. The LGPD is Brazil’s overarching, federal, data protection law.

2. As with the EU’s General Data Protection Regulation (GDPR), it sets out the lawful bases for processing data, key rights of data subjects, and penalties for non-compliance. 

3. Key differences with the GDPR include the lack of a data portability right, credit protection as a legitimate ground for processing data, and a less prescriptive approach to enforcement in the LGPD. 

4. Over time we can expect regulations enabled under the LGPD to bring it further into line with the GDPR. 

In 2018, Brazil passed into law the Lei Geral de Proteção de Dados (LGPD). This law has similarities, as well as key differences, with data protection laws in other jurisdictions such as the EU’s General Data Protection Regulation (GDPR). Here we set out the key elements of the LGPD, and set out four key ways in which it is different from the GDPR.

What is the LGPD and What Came Before It? 

The LGPD is a comprehensive data protection law. It regulates the control and processing of personal data in Brazil, and sits alongside, as well as replacing, some elements of existing privacy law in Brazil. It applies to the personal data of individuals, or ‘data subjects’. 

The law came into effect on August 16, 2020, and penalties under the law applied from August 1, 2021.

Since Brazil brought this law into effect, various other countries are following suit, such as China with its Personal Information Protection Law (PIPL).

With Brazil ranking as the world’s 8th largest economy, and the largest in Latin America, it is increasingly becoming a destination for businesses interested in global expansion. This means, however, that those businesses need a thorough understanding of the data protection laws that apply there. 

Prior to the LGPD coming into effect, a range of Brazilian laws and rules applied to privacy and data protection. The most important of these included: 

  1. Brazil’s Constitution (‘Constituição Cidadã‘ or ‘Constitution of Citizenship’). Provisions relevant to data protection include a right to privacy, the right to keep communications secret, and habeas data: the right of an individual to access and correct data held on them by public agencies.
  2. Civil Code 2002 (‘Código Civil‘). A key privacy provision here is the requirement that, except where permitted or necessary for the “administration of justice or the maintenance of public order”, certain personal information cannot be disclosed.
  3. Consumer Protection Code 1990 (‘Código de Defesa do Consumidor‘, or ‘CDC’). This law deals with consumer information held by banks and credit agencies. Under this law (see article 43 especially), records must be accurate, and are subject to rectification by the individual. In addition, this Code emphasizes the importance of seeking an individual’s consent when requesting their information.
  4. Brazilian Civil Rights Framework for the Internet (‘Marco Civil da Internet‘). Article 10 of this framework allows for the correction of retained data stored on the internet. It also specifies that the law will apply to any dealing in that data in Brazil, even if a foreign corporation is carrying out the activity. Note that the constitutionality of this law has been questioned by some prosecutors and officials.

While this piecemeal privacy framework that existed in Brazil prior to 2018 is largely superseded by the LGPD, certain elements still remain in force. We will discuss some of the complications that arise due to this further below. 

What Are the Key Elements of the LGPD?

Below we set out the key elements of the LGPD that any business dealing with Brazilian data subjects needs to know about:

  • Territorial scope

    The LGPD applies to any processing of personal data where:

    1. The processing is carried out in Brazil
    2. The purpose of the processing is to offer goods or services
    3. The personal data has been collected in Brazil.

    As with the EU’s GDPR, it is central to the LGPD that the data processor need not be headquartered or physically based in Brazil.
  • Basis for Processing

    As with the GDPR, data is only to be processed under one of the legal bases or grounds that are specified in that law. Otherwise, processing is prohibited. Permissible bases for processing personal data are set out in Article 7 of the LGPD and include:

    1. With the data subject’s consent
    2. Where required to comply with the data controller’s legal responsibilities
    3. For the purposes of public administration and public policy as set out in relevant instruments
    4. For the purposes of research by a public entity (note, data is to be ‘anonymised’ where possible)
    5. Where necessary in accordance with a contract
    6. In order to exercise privilege in legal proceedings
    7. For the protection of life
    8. For the protection of health, by healthcare professionals
    9. In the ‘legitimate interests’ of the data controller or a third party, where there is not otherwise a breach of rights
    10. For the purposes of protecting a credit rating.

    In order to ensure compliance with these legal requirements, all businesses should consider implementing a data protection plan informing employees of expectations regarding data protection. They may also need to put a ‘data processing agreement‘ in place to ensure that any third parties manage data in a compliant manner.
  • Rights of Data Subjects

    Article 18 of the LGPD sets out the key rights of the data subject. These include a right to:

    1. Confirm that personal data is being processed
    2. Access personal data held by the entity in a portable format
    3. Rectify incorrect, incomplete or out-of-date data
    4. Anonymise or delete data in some cases
    5. Request the transfer of data
    6. Delete personal data
    7. Receive information on how any personal data is being shared
    8. Be given information about the right not to consent to processing 
    9. Revoke consent to processing
  • Enforcement

    Under article 52 of the LGPD, the maximum fine for non-compliance is 2 percent of global revenue, up to a maximum of 50 million reals (currently approximately USD 9 million).

    Under article 48, where there is a data breach that may result in damage or risk, it must be reported to the national data protection authority within a ‘reasonable’ period of time.

How Does the LGPD Differ From the EU’s GDPR? 

While the LGPD was developed with the GDPR in mind, there are some key differences between the two pieces of data protection regulation. Those differences include: 

  • Level of Detail

    The GDPR is extremely detailed. Not only is the regulation itself much longer than the LGPD, the GDPR contains extensive ‘recitals’ which extend and explain the application of each provision in the GDPR. A telling example in the LGPD is the definition of “personal data”. It is simply defined as “information regarding an identified or identifiable natural person”. It does not extensively list examples of personal data as the GDPR does.

    The key practical consequence of this is that regulatory bodies and the courts in Brazil will have significantly more leeway in how they interpret terms like ‘personal data’ and other key provisions in the LGPD than those same bodies do in the EU.
  • Rights of Data Subjects

    While the rights themselves are broadly similar between the two pieces of legislation (each of the rights is replicated in each law), there are some small but important differences, including:

    1. The GDPR data portability right requires that the data be provided in a “structured, commonly used, and machine-readable format”. There is no such requirement in the LGPD, though this might be refined further in future regulations.
    2. The GDPR gives a 30-day time limit for businesses to respond to access requests from data subjects. The LGPD gives only 15 days for response.
  • The Bases of Processing

    The 10 legal bases for processing data in the LGPD (see above) exceed the six legal bases provided in the GDPR. While in some cases this is because the Brazilian law splits into two separate grounds bases for processing which are captured under one ‘heading’ in the GDPR, the LGPD does include some additional grounds: specifically, credit protection and research are not legitimate grounds for processing personal data in the GDPR.

    The practical import of this is that it may be easier for organizations in Brazil to process personal data without seeking the consent of the data subject.
  • Enforcement and Court Proceedings

    The GDPR is relatively clear about where responsibilities lie for enforcement of the law. Data Protection Authorities (DPAs) are set up within each EU member state and investigate breaches of the GDPR. Court action can be taken by individuals and DPAs both in national courts and the Court of Justice of the European Union (CJEU).

    By contrast, as the LGPD sits on top of existing laws and processes in Brazil, enforcement is not straightforward. As well as the National Data Protection Authority (NDPA), other government bodies can independently bring action. This includes public prosecutors (Ministério Público). Public prosecutors in Brazil act independently and have a broad remit to bring any civil or criminal case under the law.

    Relatedly, the existing National System of Consumer Defence will be able to bring action for data breach under existing consumer laws.

    The variety of enforcement mechanisms in Brazil could lead to extensive court action and confusion about whose task it is to deal with breaches of the LGPD.

Conclusion 

The LGPD is Brazil’s new comprehensive data protection law. It specifies the legal grounds for processing personal data in Brazil, sets out the rights individuals (‘data subjects’) have with respect to their personal data, and various enforcement mechanisms. 
 
While it has many similarities with the EU’s data protection law, the GDPR, it also has some key differences. Many of these changes arise from the fact that the LGPD is a significantly shorter, and less prescriptive, document.
 
For any international businesses operating in Brazil or interested in doing so, global compliance is essential. For any businesses concerned about the protection of personal data under the LGPD, Horizons has LGPD-compliant solutions.

Frequently Asked Questions

‘LGPD’ stands for Lei Geral de Proteção de Dados. Roughly, this can be translated as the General Law on Data Protection.

The LGPD has a slightly different set of data rights, a more extensive set of lawful grounds for processing data, and a more complicated enforcement apparatus, compared to the GDPR.
