The Brazilian General Data Protection Law (the “LGPD”) has had a tumultuous start. The original effective date, August 16, 2020, was delayed by a provisional measure from the Brazilian President that required approval by both houses of Congress to become permanent. On August 26th, 2020, the Brazilian Senate rejected this measure, meaning the law will be effective when the President signs it within fifteen days of the Senate’s decision and will have a retroactive effective date of August 16, 2020. The President has also issued a decree establishing Brazil’s new data protection authority.
What does all of this procedural language mean? In practice, businesses must already be compliant with the requirements of the LGPD in their current data processing activities, though the sanctions provision will not apply until August 1, 2021. We also anticipate that the newly-established National Data Protection Authority will be issuing additional details and clarification about provisions of the law in the coming months as the LGPD is applied.
The LGPD applies to any individual, business, or organization (referred to here as a “business”) processing the personal data of Brazilian residents. What LGPD requirements should your business be following? How do they differ from General Data Protection Regulation (“GDPR”) requirements? We address the key requirements and points below.
Key LGPD Components
The LGPD sets forth certain requirements for businesses processing the personal data of Brazilian residents, lists accepted legal bases for processing personal data, establishes data subject rights related to the processing of their personal data, and institutes a dedicated enforcement agency. Note that, for all portions of the LGPD, the data subject must be informed of the purposes of data processing in a manner that the data subjects can understand, meaning they likely must be informed in Portuguese. Each major LGPD component is briefly described below.
Data Protection Officer
The LGPD mandates that both data controllers and data processors operating under the scope of the LGPD must appoint a Data Protection Officer (“DPO”). The DPO will serve as the designated communication point between the business and the newly-established enforcement body – the National Data Protection Authority (“ANPD”). The LGPD notes that the national authority is expected to issue additional definitions and rules outlining the requirements for the DPO, obligations, and possible exceptions.
National Data Protection Authority
The ANPD will serve as the governmental body in charge of regulating, supervising, and applying penalties and sanctions for violations of the LGPD. Previous versions of the LGPD listed penalties that included fines of up to 2% of a business’s revenue in Brazil for the previous fiscal year or suspension of all database operations involving Brazilian residents’ data for up to six months. However, the current LGPD version is slightly more vague on penalties, simply granting the ANPD the authority to issue “appropriate sanctions.”
Data Breach Reporting
The current version of the LGPD requires that businesses report data breaches (defined as “a security incident that may create risk or relevant damage to the data subjects”) within a reasonable time period. No guidance has been issued thus far relating to what constitutes a reasonable time period, though the ANPD is expected to issue guidance on this matter.
Data Subject Rights
As under the GDPR, the LGPD establishes specific rights of data subjects over the collection, processing, and disclosure of their own personal data. The business controlling the processing of personal data must establish policies and procedures for properly responding to data subject requests and addressing data subject rights. These rights vary slightly from the GDPR but are overall very similar, including:
- The right to confirmation of the existence of personal data processing
- The right to access the personal data
- The right to correct incomplete, inaccurate, or out-of-date data
- The right to anonymize, block, or delete unnecessary or excessive data or data not being processed in compliance with the LGPD
- The right to portability of data to another service or product provider
- The right to delete personal data processed on the basis of consent
- The right to receive information on entities with which the controller has shared data (this is similar to but slightly more specific than the GDPR ‘right to be informed’)
- The right to information about the possibility of denying consent and consequences of such denial
- The right to revoke consent
Bases of Processing
The LGPD’s accepted bases for processing personal data extend beyond those accepted under the GDPR. The full list as published in the LGPD includes:
- Compliance with legal or regulatory obligations
- In order to execute public policies provided in laws and regulations or based on contracts or agreements
- In order to carry out studies by research entities that ensure whenever possible the anonymization of personal data
- In order to execute a contract or as part of preliminary procedures related to a contract which includes the data subject
- Exercise of rights in judicial, administrative, or arbitration procedures
- Protection of life or physical safety of a data subject or third party
- Protection of health (in a procedure carried out by health professionals or entities)
- In order to fulfil legitimate interests of a controller or third party when not outweighed by the data subject’s fundamental rights and liberties
- In order to protect credit (as in a credit score)
LGPD vs GDPR
Both the LGPD and the GDPR share the understanding that personal data refers to any data that could — either alone or in combination — identify a natural person or subject them to special treatment. Both laws also share particular rights held by the data subject with respect to their own personal data. However, there are some key differences between the two.
The GDPR mandates that organizations appoint a DPO in certain circumstances and when processing personal data in a particular way or at a particular volume — outside of these circumstances, a DPO is recommended but not required. The LGPD requires all businesses that fall under the LGPD to appoint a DPO without exception.
In addition, unlike the GDPR, which sets a specific deadline for reporting and responding to data breaches, the LGPD mandates reporting within a “reasonable time period” without specifying any timeline. LGPD fines are also substantially lower than possible fines under the GDPR. Where the GDPR allows for maximum fines of the higher of 20 million euro or up to 4% of annual global turnover, the LGPD caps fines at 2% of revenue within Brazil for the prior fiscal year, up to a total of 50 million reals (equivalent to approximately 11 million euro).
There will likely be amendments and guidance related to the LGPD issued as the law is enforced. However, being prepared for the key requirements and factors listed above will set you on the road to compliance. Since several of the LGPD’s key requirements closely mirror the GDPR, companies already compliant with the GDPR should be able to focus on the distinctions – such as mandatory appointment of a DPO – and quickly adapt to the LGPD’s requirements. VeraSafe is closely monitoring updates to the LGPD and is happy to assist you with any questions and guidance on compliance.