The global data protection landscape continues to evolve, and Brazil is the latest country to enact an omnibus law governing how organizations collect, use, disclose and otherwise process personal data. Beginning on February 15, 2020, Brazil’s data protection law, Lei Geral de Proteção de Dados (LGPD) (unofficial English translation available here), will go into effect and require companies to comply with strict requirements related to the processing of personal data.
After years of debate and consultation, the Brazilian Federal Senate approved a final version of the bill on July 10, 2018, which was then sent to the president for review and signature. Although the bill originally included provisions creating a national Data Protection Authority (DPA) to oversee and enforce the law, President Michel Temer vetoed this section before signing the LGPD into law on August 12, 2018. According to the president, under Brazilian law only the executive branch has authority to establish this type of regulatory body. The president has stated publicly that a new bill will be sent to Congress establishing the DPA, but to date no action has been taken.
Once established, the DPA will be charged with enforcing the LGPD and issuing interpretative guidance to the public. These guidelines (and any official translations of the law into English and other languages) will undoubtedly affect how the law’s requirements will be interpreted, implemented and enforced. For now, companies must look to the broad principles set forth in the LGPD as they prepare for February 2020, which are summarized below.
Who must comply with LGPD?
The LGPD applies to any individual or legal entity, whether public or private, with personal data processing activities that:
- are carried out in Brazil;
- are for the purpose of offering or supplying goods or services in Brazil or relate to individuals located in Brazil; or
- involve personal data collected in Brazil.
Like the EU General Data Protection Regulation (GDPR), the LGPD has extraterritorial scope and will apply to global businesses that meet these criteria, regardless of where the company is headquartered. However, the LGPD does not apply to data processing carried out:
- by a person for strictly personal purposes;
- exclusively for journalistic, artistic, literary or academic purposes; or
- exclusively for national security, national defense, public safety or criminal investigation or punishment activities.
Also similar to the GDPR, the LGPD imposes requirements on both data controllers (the entity in charge of making decisions about processing) and data processors (the entity that processes personal data in the name of the controller). Although many of the requirements apply only to controllers, due to existing consumer protection laws in Brazil it is possible that processors could be held jointly and severally liable for any cause of action under the LGPD that involves harm to data subjects.
What type of data is covered?
In effect, the LGPD covers personal data relating to Brazilian data subjects, personal data collected directly from Brazil, or personal data collected through the offering of goods or services to Brazil. Like the GDPR (and the California Consumer Protection Act (CaCPA)), Brazil’s new law broadly defines “personal data” to include all information related to an identified or identifiable natural person. The LGPD also includes special restrictions related to the processing of “sensitive personal data”, which is defined as data relating to an individual’s racial or ethnic origin, religious beliefs, political opinion, affiliation to unions or political, philosophical or religious organizations, health, sex life or genetic and biometric data.
The LGPD includes two key distinctions from the GDPR with respect to personal data:
- Some anonymized data may be considered “personal data” when used for profiling. Anonymized data is generally exempt from the LGPD’s requirements, so long as the anonymization may not be reversed using reasonable efforts (e.g., the cost and time required to identify individuals, available technologies and other appropriate means). However, Article 12 states that even anonymized data may be deemed “personal data” when it is used to enhance, build upon or otherwise create behavioral profiles about individuals.
- No broad concept of “pseudonymized” data. Unlike the GDPR, the LGPD does not provide broad incentives for data controllers to pseudonymize data, which is the process of separating data from direct identifiers to make the process of re-identifying individuals more difficult. Pseudonymization is only addressed under Article 13 of the LGPD, which encourages public health research bodies to anonymize or pseduonymize health data whenever possible.
What about publicly-available personal data?
Under the existing pre-LGPD data protection regime in Brazil, companies can collect and use personal data made available over the internet or from any public source for any reason, including marketing, profiling and big data analytics. Under the LGPD, however, public personal data may only be collected and used in two ways:
- for the same purpose that the data was originally collected or posted, which will not require the data subject’s consent; or
- for a different purpose, but only if the controller has identified a valid legal basis for the use under Article 7, such as legitimate interest (more on this below).
Therefore, the practice of “scraping” or otherwise collecting publicly-available data for marketing, big data or other monetization purposes will in many cases be limited under the LGPD.
What rights do data subjects have under the LGPD?
Article 18 of the LGPD requires controllers to provide for nine distinct rights of data subjects in relation to their personal data, including:
- confirmation of the existence of processing;
- anonymization, redaction or elimination of unnecessary or excessive personal data, or of data that is not being processed in compliance with LGPD;
- deletion of personal data being processed based upon consent;
- disclosure of subprocessors and other third parties with whom personal data is shared;
- information about consent choices and the consequences of refusing consent; and
- revocation of consent.
Under Article 20, data subjects are also entitled to an explanation about any automated decision-making carried out by the controller and to request that a natural person review decisions based exclusively on such processing. Controllers must comply with these requests and provide clear and adequate information about the criteria and procedures used for automated decision-making. Notably, the right to review by a natural person applies to any type of automated decision-making or profiling, regardless of the impact that such decision has on the data subject. Alternatively, under the GDPR controllers are only required to provide a review when the automated decision has a material impact on the data subject.
Depending on how the DPA ultimately interprets these provisions, this requirement may significantly affect companies that engage in profiling for purposes such as advertising or analytics. Under the GDPR, controllers engaging in profiling activities without a material impact on consumers would not need to comply with requests for explanation and review of these practices. Under the LGPD, however, digital media and other companies may face additional obligations to provide individuals with information about the criteria and procedures they use to create profiles, and even conduct manual reviews of their analytics and processing models.
What are the key compliance requirements under the LGPD?
The specific steps necessary to comply with the LGPD are, for now, relatively unclear without a DPA to issue interpretive guidance. Companies must therefore look to the high-level principles set forth in the law as they prepare for the LGPD’s effective date in February 2020. Based upon these principles, the LGPD includes the following key compliance requirements:
- Maintain a record of data processing activity under Article 37. Companies should create and maintain a data inventory or “data map” of the personal data they collect and process. The LGPD does not include specific requirements for the form or content of these records, however they will likely be similar to the data inventories required under Article 30 of the GDPR.
- Define and document legal bases for processing personal data. Companies must identify a legal basis for each processing activity and document the legal basis in their Article 37 records of processing. Under Article 7 of the LGPD, a controller may only process (or direct the processing of) personal data if it has a legal basis to do so. The law enumerates ten legal bases for processing:
- compliance with law,
- by the government for public policy or regulation;
- research (provided that personal data is anonymized whenever possible);
- when necessary for the performance of a contract with the data subject;
- to exercise legal rights in lawsuits, arbitration or administrative proceedings;
- the protection of life or physical safety;
- by medical providers for the protection of health;
- when necessary to meet the legitimate interest of the data controller or third parties; and
- the protection of credit.
Additional restrictions apply to the processing of sensitive personal data, which may only be processed with the data subject’s specific consent or when the processing is essential for certain limited legal bases set forth in Article 11.
- Document and maintain valid consents. Similar to the GDPR, Article 8 of the LGPD places the burden of proof on the controller to demonstrate valid consent. Therefore companies must ensure that internal procedures are in place to track consents and revocations by data subjects to ensure lawful processing under the LGDR. Consent must be obtained in advance and must be free, informed and unequivocal, and provided for a specific purpose. Data subjects may provide their consent in writing or by other means that prove the data subject’s intent (i.e., checking an “unticked box” to demonstrate assent to processing), and may revoke their consent at any time. If consent is the only legal basis for processing, any changes in processing that are incompatible with the original consent must be disclosed to data subjects in advance to provide them with an opportunity to revoke their consent.
- Update privacy notices and consent forms. Companies will also need to update privacy notices and consent forms to ensure compliance with the LGPD’s transparency requirements in Article 9. Privacy notices must clearly, adequately and visibly provide information to data subjects about:
- the specific purpose of the processing, including if the processing is a condition for receiving products or services;
- the form and duration of the processing;
- identification of the data controller, including contact details;
- third parties that will receive the personal data;
- the responsibilities of any third parties processing data on the controller’s behalf; and
- the rights of data subjects enumerated in Article 18, how to exercise those rights, and whether any personal data will be processed to respond to a request to exercise those rights.
Public bodies and government authorities have additional disclosure requirements, such as informing the public when sensitive personal data will be processed for legal, regulatory, or public administration purposes.
- Appoint a data protection officer (DPO). Under Article 41 of the LGPD, companies must appoint a data processing officer to receive complaints and communications from data subjects, communicate with the DPA, train employees and carry out other duties relating to the company’s personal data processing activities. Unlike the GDPR, the LGPD does not provide for any exemption to the DPO requirement – all companies must appoint a “natural person” to act as the DPO. Companies must publicly and clearly display the name and contact information of the individual DPO, preferably on the controller’s website. Although the yet-to-be-formed DPA is expected to clarify the requirements of Article 41, the existing law does not require the DPO to be physically located in Brazil, and also leaves open the possibility that companies may appoint third-party individual consultants to the position of DPO.
- Develop internal policies and procedures for responding to data subject requests. Companies must reasonably respond to data subjects’ requests to exercise their rights under the LGPD, including access, correction, anonymization, deletion and portability.
- Notify security incidents to the DPA and to data subjects. Under Article 48, controllers must notify the DPA of security incidents that may result in relevant risk or damage to data subjects. Notice must be provided in a “reasonable” time after which the DPA may order the controller to notify data subjects, alert the media, and/or take other steps to mitigate the effects of the incident. Additional guidance on the timing and nature of security incident notifications must be provided by the DPA.
- Develop an incident response and remediation plan. Companies must implement an incident response plan pursuant to Article 50 that ensures the controller is able to comply with the mandatory incident reporting requirements of Article 48.
- Implement an information security program. Controllers and processors must adopt security, technical and administrative safeguards designed to protect personal data from unauthorized access, destruction, loss, modification, communication or other types of unauthorized or unlawful processing. The DPA may provide guidelines for minimum technical standards in the future. Other security frameworks under Brazilian law provide additional guidance related to existing standards, such as Brazil’s Civil Rights Framework for the Internet, or Marco Civil da Internet (English translation available here).
- Perform data protection impact assessments (DPIAs). DPIAs may be necessary when a controller relies upon legitimate interest as a legal basis for processing and in other circumstances, such as the processing of sensitive personal data. The requirements for DPIAs are not clear from the plain text of the LGPD, but additional guidance is expected from the DPA once established.
- Privacy by design and default. Companies subject to the LGPD must implement a privacy governance program and adopt internal processes and policies to achieve the law’s principles, such as data protection and transparency.
- Comply with cross-border data transfer requirements. Articles 33 through 36 of the LGPD place restrictions on cross-border transfers of personal data. Such transfers are only permitted in certain situations, including: (i) when the transfer will be made to a country with an adequate level of data protection (as determined by the DPA); (ii) when the data subject has provided express and specific consent to the transfer; and (iii) where the controller effectuates the transfer through use of an approved legal mechanism, such as model clauses approved by the DPA, binding corporate rules, or custom contractual provisions that guarantee the same level of data protection as under the LGPD. Unlike the GDPR, the LGPD does not permit cross-border data transfers based solely upon the controller’s legitimate interest.
What are the penalties and/or fines for noncompliance?
Consequences of noncompliance under the LGPD may include warnings, corrective measures, daily fines, penalties, and suspensions of processing activities that violate the law. For example, the DPA may impose fines of up to 2 percent of a company’s gross revenues in Brazil in the previous year, or R$ 50,000,000 (fifty million Brazilian Reais, or approximately 12,000,000 USD), whichever is greater, per violation. Daily fines for a specific violation are also subject to this cap.
Will our GDPR compliance program cover the requirements of the LGPD?
Without a DPA in Brazil to issue interpretive guidance similar to the Article 29 Working Party in the EU, the specific requirements for compliance with the new law are unknown. However, the law itself contains many similarities to the GDPR. Based upon the text alone, companies that are already complying with the GDPR will likely be able to rely on various compliance activities that are already in place in order to demonstrate compliance under Brazil’s LGPD.
The chart below summarizes the key differences discussed throughout this post between the Brazilian LGPD and the EU GDPR.
|Brazil LGPD||EU GDPR|
|Extraterritorial Scope||Applies to the processing of personal data by companies that (i) conduct processing activities in Brazil, (ii) process personal data collected in Brazil, or (iii) process data for the purpose of providing goods or services in Brazil or to individuals located in Brazil.||Applies to the processing of personal data by companies (i) “established” in the EEA, (ii) that offer goods or services to individuals in the EEA, or (iii) that monitor individuals in the EEA.|
|Registration of Processing||All companies must register.||Exemption for companies with less than 250 employees.|
|Anonymized Data||May be considered personal data when used for behavioral profiling.||Not considered personal data.
|Publicly-Available Personal Data||Permits processing without consent when used for the same purpose for which the data was originally collected; other purposes require consent or another legal basis.||Treated in the same manner as personal data that is not publicly-available.|
|Legal Bases for Processing||Ten enumerated legal bases, including the protection of credit and the protection of health by a health care provider.||Six enumerated legal bases.|
|Legitimate Interest||More flexible; may not be used as a legal mechanism for cross-border data transfers.||More restrictive; sufficient legal basis for cross-border data transfers.|
|Waiver of Consent||Exemption where data subjects have manifestly made public their personal data.||No exemption.|
|DPO Requirement||Mandatory for all companies; DPO must be a natural person.||Exemption for some companies; no requirement for the DPO to be a natural person.|
|Data Subject Rights||Right of anonymization; more expansive rights of deletion, portability and revocation of consent; must be provided to data subjects free of charge.||More limited rights of deletion, portability and restriction of processing; controller may charge a fee in certain circumstances.|
|Potential Maximum Fines||Up to R$50 million (approximately 12 million USD) or 2 percent of total revenue in Brazil, whichever is higher.||Up to €20 million or 4 percent of total global revenue, whichever is higher.|
|Service Providers & Processing Agreements||Processors are bound to the same principles as the controller (no contract requirement set forth in the LGPD’s provisions).||Controllers must execute a written contract meeting the GDPR’s requirements with processors.|
|Data Breach Notification||Within a reasonable time (to be determined by the DPA).||72 hours.|
|Automated Decision-Making||Data subjects have the right to review by the controller of any decision or profiling, regardless of impact.||Data subjects’ right to controller review applies only when the automated processing or profiling causes a legal or significant effect.|