Brazil’s Comprehensive Privacy Law Now in Effect

Sheppard Mullin Richter & Hampton LLP
Contact

Sheppard Mullin Richter & Hampton LLP

Following lots of legislative uncertainty, Brazil has now formally enacted the country’s first general data protection law, Lei Geral de Proteção de Dados, or “LGPD.” While administrative sanctions do not go into effect until August 1, 2021, individuals and public prosecutors can now bring claims for losses and damages. Indeed, at least one public civil action has already been filed. LGPD is the first comprehensive general data protection law in Latin America. It was modeled after the EU’s GDPR. While there are many similarities, LGPD does introduce new concepts. Below are some of the key elements to keep in mind.

  • When does LGPD apply? Like GDPR, LGPD has extraterritorial effect. A company does not need to be based in Brazil or otherwise have any physical presence for the law to apply. Generally, LGPD applies when an organization does any of the following: (i) processes personal data in Brazil; (ii) processes personal data that was collected in Brazil; or (iii) processes personal data to offer goods or services in Brazil.
  • Does LGPD provide rights to individuals? Yes. While many of the rights are similar to those in GDPR, LGPD also introduces additional rights. In addition to GDPR-like rights of access, deletion, portability, LGPD also gives people a right to access information about those with whom an organization has shared the individual’s data. It also calls for individual access to information on whether an organization holds particular data.
  • What are the requirements for transferring data? Organizations may transfer personal data to other countries that provide an “adequate level of data protection.” Brazil has not yet identified which countries it considers as providing an adequate level of protection. All other transfers require a valid legal transfer mechanism. While there are several available transfer methods, the two main ways organizations can transfer data include: (1) with the specific and express consent of the individual, which must be prior and separated from the other purposes and requisitions of consent; and (2) through contractual instruments such as binding corporate rules and standard clauses, committing the organization to comply with the LGPD principles, individual rights, and the Brazilian data protection regime. No specific model clauses or language are available yet.
  • Are there other record keeping requirements? LGPD calls for record of processing requirements. There are also certain requirements for “impact reports.”
  • Do we have to appoint a Data Protection Officer? It depends. Companies that qualify as “controllers” are required to appoint a data protection officer. Unlike GDPR, there are no specific requirements for the qualifications of this individual.

Putting it Into Practice. Many questions remain open as to the interpretation and enforcement of this law. Brazil’s National Data Protection Authority (ANPD), the administrative agency tasked with enforcing administrative sanctions and issuing regulations under the LGPD, has not yet been established. In the meantime, organizations can begin reviewing their global privacy programs to assess any gaps in compliance. They may want to focus on, among other things, the differences between current rights processes and the rights anticipated under LGPD.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising

Written by:

Sheppard Mullin Richter & Hampton LLP
Contact
more
less

Sheppard Mullin Richter & Hampton LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.