The LGPD is the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais). It was passed into law by the National Congress of Brazil on 14 August 2018 and came into effect in September 2020.
Like other data protection laws, the LGPD creates a legal framework for the governance of the collection and use of personal data. However, it is not merely a replica of the GDPR; it differs from it in several significant ways.
Below we discuss the basics of the LGPD and the implications for businesses functioning in and outside of Brazil.
Previously, Brazil had more than 40 federal statutes governing personal data. The primary goal of the LGPD was to consolidate these various laws into a single overarching legal framework for data protection.
By doing so, Brazilian lawmakers aimed to improve Brazilian citizens' control over, and rights to, their personal data. They also aimed to simplify the complex web of former statutes, easing the regulatory environment for international and domestic businesses.
Organisations that are already GDPR compliant will have covered much of what the LGPD requires, but they should not assume full compliance: there are key differences. The LGPD is organised around nine key data subject rights and ten legal bases for the lawful processing of personal data.
The nine rights are set out in Article 18 of the LGPD, which gives data subjects the right to:
These rights are broadly similar to those described in the GDPR.
The GDPR is notable for its "extra-territorial effects," which obligate compliance from businesses anywhere in the world that cater to individuals in the EU. The LGPD has similar effects.
In Article 3, the LGPD outlines the organizations to whom the LGPD applies:
- Any data processing within the territory of Brazil
- Data processing of individuals who are within the territory of Brazil, regardless of where in the world the data processor is located
- Data processing of data collected in Brazil
For those familiar with the EU GDPR, note that scope is defined by location rather than citizenship: the LGPD covers the personal data of any individual located inside Brazilian territory, not only that of Brazilian citizens.
Furthermore, like the GDPR, the LGPD has territorial scope beyond Brazil's borders. Any organisation offering goods or services to an individual located in Brazil must act in accordance with the LGPD, wherever that organisation is based.
Not everyone is regulated by the LGPD. The regulation does not apply if:
- Data is processed by a natural person solely for private, non-commercial purposes
- Data is processed for journalistic, artistic, literary, or academic purposes
- Data is processed for national security, national defense, public safety, criminal investigations, or punishment activities
As noted above, Article 7 of the LGPD sets out ten legal bases for lawful data processing:
Rather than allowing broad processing of personal data, the LGPD permits processing only where it rests on one of the legal bases above; processing that fits none of them is unlawful.
Failure to follow the letter of the LGPD can result in a fine of up to 2% of an entity's revenue in Brazil for the previous fiscal year, capped at 50 million reals (approximately €8 million) per infraction. That is substantially lower than penalties under the GDPR, which can reach €20 million or 4% of annual global revenue, whichever is higher.
With over 138 million internet users in Brazil, it is the fourth-largest internet market in the world. Therefore, compliance with the LGPD is often required of organizations with an international reach.
Thankfully, the Brazilian government modelled the LGPD closely on the GDPR, so for most organisations that are already GDPR compliant the added work is limited. Still, it is critical to be aware of the key differences between these landmark regulations. Otherwise, you may face significant fines on both sides of the Atlantic.