Brazil’s Data Protection Law
(LGPD, Lei Geral de Proteção de Dados)
Brazil joins the EU and US in working to protect individuals and their data. Following the General Data Protection Regulation (GDPR), Brazil passed the Lei Geral de Proteção de Dados (LGPD) in 2018. It is expected to take effect in August 2020.
Data Privacy in Brazil
In 1988, the Brazilian Constitution was rewritten. With its enactment came the first modern stand on personal privacy in Brazil, setting forth:
- the right to secrecy in communications,
- the rights to know what information the government has gathered on an individual and request its amendment, and
- a requirement that the Consumer Protection Code be implemented to outline the rights between consumers and businesses.
While this was a good first step toward protecting personal data, the use of technology continued to expand, which required even broader protection for people. New technologies, like social media, malware, cell phones and Internet access, meant that information about individuals became free flowing. For many years, the government worked to keep pace with evolving needs, enacting more than 40 laws that cover a patchwork of data privacy issues.
Of course, this became unwieldy for individuals, the government and businesses, as these laws would often contradict or supersede one another. Thus, the LGPD was passed in 2018. The law is intended to go into effect in August 2020.
Components of the LGPD
The LGPD offers a uniform approach to controlling and enforcing personal data protection, including providing clear definitions of various types of data.
The law defines personal data as information that can identify an individual.
It goes on to state that sensitive personal data includes the following:
- political views
- union membership, membership in religious, philosophical or political groups
- health information
- information on one’s sex life
- genetic or biometric data that can be traced back to a person
It also specifies the rights that people have with respect to their data. LGPD gives people the rights to:
- know that their data is being processed,
- access this data,
- correct their data,
- block or eliminate unnecessary data,
- request a copy of and move their data,
- withdraw consent to collect data, and
- request a review of decisions made based on automated processing of personal data.
Additionally, the law specifies when data may be processed without consent, protects the data of children, and requires data controllers to appoint a Data Processing Officer (DPO) to handle data-related requests and complaints. It also requires companies to incorporate Privacy by Design / Privacy by Default practices, meaning that the processing of data is to be considered as part of the creation of any new product or service.