Privacy in Focus®
Brazil’s long-debated privacy law – the Lei Geral de Proteção de Dados (LGPD) – took effect on August 27, 2020. The LGPD is largely inspired by the European Union’s privacy regulation – the General Data Protection Regulation (GDPR). And like the GDPR, it applies even to companies that do not have a physical presence in the jurisdiction but handle data from covered individuals. Fortunately, the LGPD’s obligations and rights will be very familiar to businesses also subject to the GDPR, which should ease the process of coming into compliance with this new law.
A high-level overview of the LGPD’s obligations and rights is provided below.
Scope and Jurisdiction:
The LGPD includes an extraterritorial approach, extending its reach to businesses without a physical presence in Brazil. It applies to a business that (i) collects or processes personal data in Brazil, or (ii) offers goods or services to individuals located in Brazil.
Definition of Personal Data: The law applies broadly to personal data about “any identified or identifiable natural person.”
Sensitive Personal Data: The law imposes additional protections for personal data deemed to be sensitive (e.g., religion, health, political opinion), particularly that data which may be “susceptible to discriminatory practices.”
The LGPD sets out 10 principles that must be evaluated and factored into the processing of personal data, which are:
- Purpose: There must be a legitimate, specific, and explicit purpose to process personal data that is known by the individual.
- Adequacy: The processing must be consistent with the purpose provided to the individual.
- Necessity (data limitation): The data should only be processed to the minimum extent needed for the stated purpose.
- Free access: Individuals must have the right to make free-of-charge requests about their personal data.
- Quality of data: Personal data should be accurate, clear, relevant, and up-to-date as needed for the stated purpose.
- Transparency: Individuals have the right to clear, accurate, and easily accessible information about the use of their data.
- Security: Technical and organizational measures must be used to protect personal data from unauthorized access and accidental and unlawful events.
- Prevention: Use preventive measures to protect against damage from the processing of an individual’s personal data.
- Non-Discrimination: Do not process data for a discriminatory purpose or in an unlawful or abusive manner.
- Accountability: Demonstrate that effective measures have been adopted to comply with data protection requirements.
Basis for Processing:
The LGPD restricts the processing of personal data, absent a valid basis. While the LGPD seems to favor the consent of the individual as the best basis for processing, it provides several other valid bases to process data. These include:
- To comply with a legal or regulatory obligation.
- Based on contracts, agreements, or similar instruments.
- Research studies, with the personal data anonymized whenever possible.
- To execute a contract or preliminary procedures relating to a contract at the request of the individual.
- To exercise judicial or administrative rights.
- To protect the life or physical safety of an individual.
- To protect health, in a procedure carried out by a health professional.
- To fulfill the legitimate interest of the controller or a third party (requires a balancing test to ensure that the individual’s fundamental rights are not outweighed by the controller’s legitimate interest in processing the data).
- To protect credit (credit score).
The LGPD grants a natural person significant rights over their personal data, including the right to:
- Confirm whether personal data has or will be processed.
- Access the individual’s personal data.
- Correct incomplete, inaccurate, or out-of-date data.
- Anonymize, block, or delete unnecessary or excessive data or data that was not processed in compliance with the law.
- Port data to another entity (such as a service provider).
- Delete data that was processed without the consent of the individual.
- Be informed with whom the personal data has been shared.
- Be informed about the consequences of denying consent.
- Revoke consent to the collection or processing of the personal data.
Violations of the law may subject the business to a fine. The maximum fine contemplated by the law is 2% of a company’s revenue in Brazil, up to a maximum of 50 million reals (slightly more than $8 million).
Additionally, the law requires the creation of a data authority agency. This agency has not yet been created, forcing lawmakers to delay administrative sanctions under the law until August 1, 2021. Once established, the agency is charged with providing guidance on compliance with the law. Absent this guidance, the specifics of enforcement remain an open question. Civil actions are also a possibility, with the first lawsuit alleging violations of the LGPD filed against a digital services company based in Brazil in mid-September.
What can companies do now to comply with the LGPD?