Brazil Prepares For Implementation Of Comprehensive Data Privacy Law

King & Spalding

On August 14, 2018, Brazil followed the global trend of governments seeking to enhance consumer data protection by approving its first general law on the subject, the General Data Privacy Protection Law (Law No. 13.709/2018 – Lei Geral de Proteção de Dados) (“LGPD”). The LGPD mirrors the EU General Data Protection Regulation (“GDPR”) in several ways, notably by providing a heightened level of protection for personal data and establishing detailed rules for the collection, use, processing, and storage of electronic and physical personal data. The LGPD will become effective in Brazil in February of 2020.

Once the LGPD goes into effect, consumer consent will be required for any processing of personal information collected or processed in Brazil and for all processing of data for the purpose of offering or providing goods or services in Brazil.  The LGPD represents a marked shift in consumer data privacy protection under Brazilian law, which previously did not provide consumers with any significant level of control over a company’s use of their personal data.  The key elements of the LGPD are as follows:

  • Broad definition of personal data: Personal data under the LGPD is defined as including any information related to an identified or identifiable individual.  The LGPD also includes the concept of “sensitive personal data,” which encompasses all data that could be related to allegedly discriminatory practices, such as racial or ethnic origin, religious belief, political opinions, health, sexual, genetic, and biometric data.  The LGPD provides that processing of sensitive personal data will be subject to more restrictive rules.
  • Scope and extraterritoriality: The LGPD applies to all individuals and entities processing personal data collected or processed in Brazil or to anyone that is processing data for the purpose of offering or providing goods or services in Brazil.
  • Processing principles: Ten general principles apply to the processing of personal data under the LGPD, including, but not limited to, (i) the purpose principle—all processing must be for a specific, legitimate, informed, and explicit purpose; (ii) necessity—limiting the scope of processing data to the minimal extent necessary to achieve the objective; (iii) free access and transparency—providing consumers with broader control and information about their data; and (iv) accountability—requiring the adoption of effective procedures and measures to protect personal data.
  • Legal basis to process data: The LGPD also establishes the legal basis for processing personal data pursuant to three factors: (i) consent, which must be provided in advance and for a specific purpose, and must be free, informed, and unequivocal, and (like the GDPR) can be revoked at any time; (ii) a legal or contractual obligation; and (iii) legitimate interest of the controller or a third party, except when it violates fundamental rights.
  • Best practices: The LGPD requires the implementation of procedures, policies, and controls, and the appointment of a Data Protection Officer, who will monitor the procedures.
  • Data breach notification: In the event of a breach, companies must inform the Data Protection Authority and the owner of the data about the breach in a reasonable timeframe.
  • Cross-border adequacy level: Cross-border transfers of personal data are restricted to countries that have an adequate level of protection that is compatible with the LGPD.

Among the penalties established by the LGPD are fines up to two percent of the company’s or economic group’s revenue in Brazil in the previous fiscal year, limited to R$ 50,000,000 per violation (approx. US$ 13,330,000, as of November 16, 2018) and the disclosure of the violation. Both the data controller and the data processor are responsible for complying with the LGPD.

Given that the LGPD will not take effect in Brazil until February 2020, companies have time to take the appropriate steps necessary to comply with the new requirements. Some steps that companies may consider taking to ensure compliance with the LGPD include:

  • Evaluating how the LGPD may apply to their business;
  • Reviewing the legal basis for processing any relevant data;
  • Reviewing current data privacy policies;
  • Reviewing the internal procedures related to data privacy to ensure they provide an adequate level of safety;
  • Implementing internal controls to record all processing data;
  • Reviewing contracts with third parties that address data processing and making any necessary adjustments; and
  • Reviewing or creating procedures and policies related to data breaches and incidents.

The LGPD initially provided for the creation of a National Data Protection Authority (“NDPA”) which would be in charge of the implementation and oversight of the law. President Michel Temer vetoed the articles related to this provision due to a procedural issue. President Temer has, however, acknowledged the importance of the NDPA, and it is expected that the government will submit a bill to Congress to address this gap prior to the LGPD’s effective date.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
