Brazil represents over half of all IT spend in Latin America, has the largest regional market for software outsourcing, employs a sizable IT workforce, manufactures consumer goods (including commercial airplanes and cars) and has an active consumer market of social media operated by global data aggregators. At a time when data privacy is becoming increasingly important to consumers, it seems only fitting that Brazil would adopt comprehensive privacy legislation to protect data privacy rights.
The General Data Protection Law, the first law of its kind in Brazil, is now in effect, and we are already seeing enforcement. Streamlining the legal framework on data protection, the law sets forth a number of requirements addressing legal bases for processing, individual rights, governance and accountability and data transfers. Here’s what you need to know.
The General Data Protection Law (LGPD) is Brazil’s first comprehensive data protection law and is designed to enhance the privacy and protection of personal data of individuals in Brazil. The LGPD heavily resembles the EU General Data Protection Regulation (GDPR).
When did the LGPD take effect?
After a long period of uncertainty regarding LGPD’s implementation, the Federal Senate of Brazil issued an amendment which accelerated the LGPD’s effective date, setting an immediate effective date upon enactment of the amendment on August 27, 2020. On September 17, 2020, the Brazilian president approved the bill, resulting in the LGPD taking effect on September 18, 2020.
While the LGPD’s implementing regulations have yet to be released, and administrative enforcement has been delayed until August 2021, the Constitution of the Federative Republic of Brazil grants a private right of action to all citizens and a public right of action to Brazil’s “Ministério Público” or “MP” (Brazil Public Prosecutors’ Office). Private lawsuits and public prosecutor actions based on the LGPD’s main provisions may be possible now that the law has taken effect. Please review our summary of enforcement below for an overview of the potential penalties for violating the LGPD and the recent public civil action filed just three days after the LGPD took effect.
To whom does the LGPD apply?
Similar to the General Data Protection Regulation (GDPR) in the European Union and European Economic Area, the LGPD has extraterritorial reach. The law generally applies to any organization that processes personal data of individuals in Brazil, regardless of where the organization is located and irrespective of where the data is stored or otherwise processed, if: (i) the processing is carried out in Brazil or the data is collected in Brazil; (ii) the purpose of the processing is to offer or provide goods or services to individuals in Brazil; or (iii) the purpose of the processing is to process personal data of individuals in Brazil.
What did the LGPD change?
Before the LGPD, Brazil’s data protection legal framework was a patchwork of laws, consisting of a federal constitutional right to privacy and several different sectoral laws and regulations. The LGPD streamlines the legal framework by replacing certain regulations and supplementing others, and sets forth a number of requirements addressing legal bases for processing, individual rights, governance and accountability and data transfers. The most significant requirements of the LGPD include the following:
Legal Bases for Processing
Under the LGPD, organizations must have a legal basis to process personal data. They may do so:
- With the data subject’s consent;
- To comply with a legal or regulatory obligation;
- By the public administration, for the processing and shared use of data when necessary for the execution of public policies;
- To carry out studies by research entities;
- Where necessary for the execution of a contract with the data subject;
- For the regular exercise of rights in judicial, administrative or arbitration procedures;
- For the protection of life or physical safety of the data subject or a third party;
- To protect health, in a procedure carried out by a health professional or health entity;
- When necessary to fulfill the legitimate interests of the organization or a third party, except when the data subject’s fundamental rights and liberties outweigh the organization’s interest; or
- To protect an individual’s credit.
Individual Rights
Data subjects in Brazil have a number of rights over their personal data, including the rights to:
- Confirm the existence of processing, including whether the organization holds particular data
- Access the data subject’s personal data
- Access information about entities with whom the organization has shared the data subject’s personal data
- Correct incomplete, inaccurate or out-of-date personal data
- Anonymize, block or delete unnecessary or excessive personal data or personal data processed out of compliance with the LGPD
- Port or transfer their personal data to another service or product provider
- Delete personal data processed on the basis of consent
- Request information about the possibility of denying consent and the consequences of such denial and the right to revoke consent.
Governance & Accountability
Generally speaking, organizations subject to the LGPD must take the following steps to meet their compliance obligations:
- Appoint a data protection officer (controllers only)
- Maintain records of processing activities
- Implement and maintain privacy notices
- Report security incidents to the National Data Protection Authority (ANPD) and to data subjects within a “reasonable” time period, if the security incident may create risk or relevant damage to the data subjects
- Perform data protection impact assessments
- Develop products and services using the principle of privacy-by-design
- Adopt security, technical and administrative measures to safeguard personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication or any other type of improper or unlawful processing.
Data Transfers
Organizations subject to the LGPD may export data internationally if:
- The data protection authority issues an adequacy finding for the recipient jurisdiction;
- The controller is able to guarantee compliance with the principles and rights of the data subject, in the form of:
  - Specific contractual clauses for a given transfer;
  - Standard contractual clauses;
  - Binding corporate rules; or
  - Regularly issued stamps, certificates or codes of conduct; or
- The organization has obtained the data subject’s specific and express consent, distinct for the transfer.
Enforcement
Violations of the LGPD may result in fines of up to 2% of the organization’s Brazilian revenue for the prior year, up to a total of 50 million reais (or approximately $9.3 million USD) per violation.
Merely three days after the LGPD took effect, the Ministério Público do Distrito Federal e dos Territórios’ (MPDFT) Special Data Protection and Artificial Intelligence Unit filed the first public civil action, alleging that violations of the LGPD also violate the rights to privacy, private life and image, which are guaranteed by the Constitution of the Federative Republic of Brazil. The MPDFT filed the lawsuit against a data services company that allegedly sold the personal data of 500,000 Brazilian individuals. The complaint also stated that potential buyers could purchase categories of personal data, such as data on hairdressers, brokers, dentists, doctors, nurses, psychologists and other professionals from specific states in Brazil. The MPDFT is seeking an urgent preliminary injunction to prohibit the company from disclosing (for sale or otherwise) personal data and to have the company’s website domain frozen until the courts reach a final decision. This action may encourage other MPs to begin enforcing the LGPD to protect individuals’ data privacy rights.
The LGPD still has a number of significant uncertainties, including when the ANPD’s director and members will be appointed and the timing and content of implementation regulations, which have yet to be issued. However, with the MPDFT filing the first public lawsuit less than one week after the LGPD took effect, it is critical that companies promptly assess their Brazilian operations and take the necessary steps to ensure LGPD compliance. We are monitoring the situation closely and will announce LGPD-related changes on a rolling basis, so check back here for updates.