The LGPD is the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais). It was passed into law by the National Congress of Brazil on 14 August 2018 and came into effect in September 2020.
Like other data protection laws, the LGPD creates a legal framework for the governance of the collection and use of personal data. However, it is not merely a replica of the GDPR; it differs from it in several significant ways.
Below we discuss the basics of the LGPD and the implications for businesses functioning in and outside of Brazil.
What is the LGPD?
Previously, Brazil had more than 40 federal statutes governing personal data. The primary goal of the LGPD was to consolidate these various laws into a single overarching legal framework for data protection.
By doing so, Brazilian lawmakers aimed to improve Brazilian citizens’ control and rights over their personal data, and also to simplify the complex web of former statutes, easing the regulatory environment for international and domestic businesses.
Those who are already GDPR compliant will also be compliant with the LGPD. There are key differences, however. The LGPD is organised around nine key rights of data subjects, defines what counts as personal data, and creates ten legal bases for the lawful processing of personal data.
What are the nine rights of the LGPD?
The Nine Rights are described in Article 18 of the LGPD. It outlines Brazilian citizens’ rights to:
- Confirm the existence of the processing of their data
- Access their data
- Correct incomplete, inaccurate, or out-of-date data
- Request the anonymization, blocking, or deletion of unnecessary or excessive data, or of data processed in non-compliance with the provisions of the LGPD
- Obtain portability of their data to another service provider or product provider, upon their request
- Delete their personal data
- Be informed about the public and private entities with whom the data controller has shared personal data
- Be informed about the possibility to deny consent and the consequences
- Revoke consent
These rights are broadly similar to those described in the GDPR.
Who does the LGPD apply to?
The GDPR is notable for its "extra-territorial effects", which obligate compliance from all businesses globally that cater to EU citizens. There are similar effects in place in the LGPD.
In Article 3, the LGPD outlines the organizations to whom the LGPD applies:
- Any data processing within the territory of Brazil
- Data processing of individuals who are within the territory of Brazil, regardless of where in the world the data processor is located
- Data processing of data collected in Brazil
For those familiar with the EU GDPR, there are some notable differences. Primarily, the LGPD covers not just Brazilian citizens’ personal data but all individuals located inside Brazilian territory.
Furthermore, like the GDPR, the LGPD has a territorial scope beyond the Brazilian borders. Any organisation offering goods or services to an individual located in Brazil must act in accordance with the LGPD.
What are the exemptions from the LGPD?
Not everyone is regulated by the LGPD. The regulation does not apply if:
- Data is processed solely for personal reasons (this refers exclusively to natural persons)
- Data is processed for journalistic, artistic, literary, or academic purposes
- Data is processed for national security, national defense, public safety, criminal investigations, or punishment activities
What are the ten legal bases for the lawful processing of personal data?
As discussed, under Article 7 of the LGPD, there are ten legal bases for lawful data processing:
- With the consent of the data subject
- For compliance with a legal or regulatory obligation by the data controller
- By the public administration, for the processing and shared use of data necessary for the execution of public policies provided in laws or regulations, or based on contracts, agreements or similar instruments, subject to Chapter IV of the LGPD
- For carrying out studies by research entities, ensuring, whenever possible, the anonymization of personal data
- When necessary for the execution of a contract or preliminary procedures related to a contract of which the data subject is a party, at the request of the data subject
- For the regular exercise of rights in judicial, administrative, or arbitration procedures, the last pursuant to the Brazilian Arbitration Law
- For the protection of the life or physical safety of the data subject or a third party
- To protect health, exclusively in a procedure carried out by health professionals, health services, or sanitary authorities
- When necessary to fulfil the legitimate interests of the controller or a third party, except when the data subject’s fundamental rights and liberties that require personal data protection prevail
- For the protection of credit
Rather than allowing the broad processing of personal data under the regulation, Brazilian authorities permit the lawful processing of personal data only in the circumstances listed above.
What are the penalties for LGPD non-compliance?
Failure to follow the letter of the LGPD can result in a maximum fine of up to 50 million reals (approximately €8 million) or 2% of an entity’s revenue in Brazil. That is substantially lower than the penalties under the GDPR, which can reach €20 million or 4% of annual global revenue, whichever is higher.
With over 138 million internet users in Brazil, it is the fourth-largest internet market in the world. Therefore, compliance with the LGPD is often required of organizations with an international reach.
Thankfully, the Brazilian government shadowed the GDPR, meaning that for most organizations the added work is minimal. Still, it is critical to be aware of the key differences between these landmark regulations; otherwise, you may face significant fines on both sides of the Atlantic.