On August 14, 2018, Brazil's President, Michel Temer, signed the country's new data protection legislation into law. Now that the "Lei Geral de Proteção de Dados Pessoais" (the "LGPD") has received presidential sanction, it will take effect in February 2020, 18 months after its publication in the Brazilian official gazette, giving companies time to make the changes needed to comply with the new rules.
The LGPD was drawn up following an extensive consultation with both public and private stakeholders and is Brazil’s first general data protection law. The LGPD updates and consolidates the rules of Brazil’s existing regime, which is grounded in some 40 different statutes, each applicable to a specific area, such as credit analysis of natural and legal persons and electronic medical records. The LGPD also amends the Brazilian Civil Rights Framework for the Internet, Law No. 12,965 of April 23, 2014.
Previously, on July 10, 2018, the Federal Senate had unanimously approved a draft of the LGPD that included provisions creating the National Data Protection Authority, a new government agency dedicated to regulating data protection, supervising compliance, and enforcing sanctions. However, President Temer vetoed this section on the grounds that a new regulatory body can only be created by a bill initiated by the Executive Branch, not by legislation originating in Congress. Brazil's science and technology minister, Gilberto Kassab, stated that a new bill to set up a data protection authority would be drafted soon to overcome this obstacle. The president also vetoed certain provisions relating to the requirement to suspend data processing activities in response to a possible data breach, as well as provisions on the sharing, with public authorities and private sector organizations, of the data of citizens who request access to government information.
The LGPD draws heavily on the provisions of the recently introduced European General Data Protection Regulation (the “GDPR”). Similarly, India’s new Personal Data Protection Bill (the “India Bill”) is also inspired by the GDPR. A long-awaited first draft of the India Bill was published on July 27, 2018. It was prepared by a 10-member committee of experts appointed by the government in 2017 to recommend a legislative framework for data privacy, headed by a former judge of the Supreme Court of India, Bellur Narayanaswamy Srikrishna.
Examples of some of the similarities between the GDPR, the LGPD, and the India Bill include:
Consent as the primary legal basis for data processing
Consent of the person whose data is processed will be the primary ground available to most entities. For the purposes of the LGPD, the India Bill, and the GDPR, such consent must be freely given, specific, informed, and unambiguous.
Extraterritorial scope
The rules contained in the LGPD and the India Bill will apply not only to companies based in Brazil and India but also to businesses outside those countries that process the personal data of individuals located in Brazil and India, just as the GDPR applies to organizations outside the EU that process the personal data of individuals in the EU, regardless of their citizenship.
Fines for non-compliance
Failure to comply with the LGPD could result in a fine of up to two percent of the entity's revenue in Brazil, capped at 50 million reais (approximately USD 12.9 million) per violation. The India Bill imposes fines of up to Rs 15 crore (approximately USD 2.1 million) or 4 percent of worldwide turnover, whichever is higher. Fines under the GDPR are set at EUR 20 million (approximately USD 23 million) or 4 percent of worldwide annual turnover, whichever is higher.