Brazil’s Data Protection Law (LGPD, Lei Geral de Proteção de Dados)
Brazil joins the EU and US in working to protect individuals and their data. Following the General Data Protection Regulation (GDPR), Brazil passed the Lei Geral de Proteção de Dados (LGPD) in 2018. It is expected to take effect in August 2020.
Data Privacy in Brazil
In 1988, the Brazilian Constitution was rewritten. With its enactment came the first modern stand on personal privacy in Brazil, setting forth:
the right to secrecy in communications,
the rights to know what information the government has gathered on an individual and request its amendment, and
a requirement that the Consumer Protection Code be implemented to outline the rights between consumers and businesses.
While this was a good first step toward protecting one’s personal data, the use of technology continued to expand, which required even broader protection for people. New technologies, like social media, malware, cell phones and Internet access, meant that information about individuals became free flowing. For many years, the government worked to keep pace with evolving needs, enacting more than 40 laws that cover a patchwork of data privacy issues.
Of course, this became unwieldy for individuals, the government and businesses, as these laws would often contradict or supersede one another. Thus, the LGPD was passed in 2018. The law is intended to go into effect in August 2020.
Components of the LGPD
The LGPD offers a uniform approach to controlling and enforcing personal data protection, including providing clear definitions of various types of data.
The law defines personal data as information that can identify an individual.
It goes on to state that sensitive personal data includes the following:
union membership, membership in religious, philosophical or political groups
information on one’s sex life
genetic or biometric data that can be traced back to a person
It also specifies the rights that people have with respect to their data. LGPD gives people the rights to:
know that their data is being processed,
access this data,
correct their data,
block or eliminate unnecessary data,
request a copy of and move their data,
withdraw consent to collect data, and
request a review of decisions made based on automated processing of personal data.
Additionally, the law specifies when data may be processed without consent, protects the data of children, and requires data controllers to appoint a Data Processing Officer (DPO) to handle data-related requests and complaints. It also requires companies to incorporate Privacy by Design / Privacy by Default practices, meaning that the processing of data is to be considered as part of the creation of any new product or service.
Brazil Data Protection Law, Worldwide Influence
Like the EU’s General Data Protection Regulation (GDPR), the LGPD has worldwide significance. It applies to any company that is processing data within Brazil, even if it is not physically located there. It also applies to companies that sell goods, services or information about Brazilian people. This means that a business could be physically located in Chile, but might still be bound by the terms of the LGPD if it is using data belonging to those in Brazil.
LGPD Fines and Consequences
One key differentiator of the LGPD, as compared to former data privacy efforts, is that it establishes a regulatory agency, known as the National Data Protection Authority (NDPA). This organization reports directly to the President of Brazil. It will be responsible for imposing sanctions when LGPD provisions are not met.
The LGPD fine may be up to 2% of a company’s revenue in Brazil, not to exceed BRL 50 million per infraction. Beyond this, publication of the violation is allowed and a company’s right to process data – or even remain in operation – may be suspended.