Brazil Passes National Privacy Law
Updated: Sep 14, 2020
Joining the global trend originating in Europe’s GDPR, Brazil has enacted an omnibus law governing the use of personal data, the LGPD. Similar to the EU’s GDPR and California’s CCPA, the LGPD regulates the processing of personal data.
Who It Applies To
The LGPD applies to any person or entity, including the government, that processes the personal data of Brazilians, even if the entity is based outside of Brazil. There are some exceptions, such as when the processing is done (1) by a natural person exclusively for private and noneconomic purposes; (2) exclusively for journalistic, artistic, or academic purposes; or (3) for purposes of public safety, national defense, state security, or activities of investigation and prosecution of criminal offenses.
What Personal Data Is and How It Can Be Processed
Personal data is defined broadly as information regarding an identified or identifiable natural person. There are special restrictions for the processing of sensitive personal data, which is data that relates to racial or ethnic origin, religious beliefs, political opinion, affiliation to unions or political, philosophical or religious organizations, health information, sexual preference, or genetic and biometric data. Similar to GDPR and CCPA, sensitive personal data may only be processed when the data subject specifically and distinctly consents to the specified purposes.
Personal data may be processed without consent for specific and limited purposes, including (1) to comply with a legal obligation; (2) when it is necessary by public administration for the execution of public policies; (3) when it is a study carried out by a research entity; or (4) to protect the life or physical safety of the data subject or a third party.
Companies can collect and use publicly available personal data under the LGPD only if it is (1) being used for the same purpose that it was originally collected, where consent from the subject is not needed; or (2) for a different purpose, if the controller has identified a valid legal basis for the use of the data.
Data Subjects’ Rights
The LGPD gives nine fundamental rights to all Brazilian data subjects similar to the eight fundamental rights laid out in GDPR. The ninth comes from a more specific definition of the right to be informed granted in the GDPR. LGPD separates the right to be informed into (1) the right to information about the public and private entities with which the controller has shared data and (2) information about the possibility of denying consent and the consequences of such denial.
This gives the data subject not only a right to request information the organization collects about the data subject, but also to ask what will happen if the data subject does not give the controller consent to process his/her personal data. Data subjects are also entitled to an explanation about any automated decision-making carried out by the controller that affects their interests. When a data subject requests a review, the controller must provide clear and adequate information regarding the criteria and procedures used for an automated decision.
The GDPR has six lawful bases for processing data. LGPD expands that to 10 legal bases for justifying the processing of personal data. The 10 bases listed in the LGPD generally follow those of GDPR, with the exception of the last legal basis in LGPD, giving the ability to process data for the protection of credit. This implies consent is not necessary to process data for credit protection purposes, but there are two other laws that govern personal data for protection of credit purposes.
Like the GDPR and CCPA, under LGPD, data that has been anonymized is generally exempt so long as the process by which the data was anonymized cannot be reversed applying reasonable efforts. The LGPD defines anonymization as the use of reasonable technical means available at the time of processing, by means of which the data loses the possibility of direct or indirect association to a natural person. A key difference is that under LGPD, some anonymized data may be deemed personal data if it is used to formulate behavioral profiles of a particular natural person, if that person is identified. If anonymized data is being used for behavior profiling, it is subject to the restrictions of personal data.
Also, unlike GDPR, LGPD does not necessarily endorse pseudonymization as a best practice. It only addresses pseudonymization once, encouraging public health research bodies to either anonymize or pseudonymize when possible. GDPR frequently references pseudonymization as a best practice to assure compliance.
Other Key Requirements
Aside from having to identify a legal basis for processing data without consent, companies must also create and maintain a map of the personal data that they collect and process. This requirement is not imposed by CCPA but is under GDPR.
Like GDPR, but not CCPA, LGPD requires organizations to hire a Data Protection Officer (DPO). Unlike GDPR, the LGPD does not outline specific cases where a DPO is needed. It only says the controller shall appoint an officer to be in charge of processing personal data. This implies that any organization that processes data of people in Brazil will need a DPO. Both controllers and processors must appoint a DPO.
LGPD creates an enforcement authority called the National Data Protection Authority (ANPD). ANPD can create separate guidelines, rules, and deadlines applicable to small businesses and startups to make sure they comply with LGPD. ANPD guidance on the LGPD will affect how its provisions are enforced and implemented. LGPD does not give a firm deadline for reporting data breaches to ANPD. It states that the controller must communicate to the national authority and to the data subject the occurrence of a security incident within a reasonable time period, as defined by the national authority.
LGPD fines for noncompliance are not as substantial as those under GDPR. The maximum fine for a violation is 2% of a private legal entity’s, group’s or conglomerate’s revenue in Brazil for the prior fiscal year, excluding taxes, up to a total maximum of 50 million reals. The sanctions will be applied only after an administrative procedure in which the opportunity for a full defense is given, taking into account the severity of the infraction and other parameters.