| Insights | Blog

Brazil’s Data Protection Law (“LGPD”) Retroactively Effective

On September 18, 2020, Brazil’s data protection law (Lei Geral de Proteção de Dados Pessoais, or “LGPD”) became retroactively effective August 16, 2020.  Penalties do not begin until August 1, 2021, based on a previous delay passed by Brazil’s legislature. Brazil’s legislature previously rejected a provisional measure which would have postponed applicability of the LGPD.  In addition, Brazil’s president issued a decree creating a new data protection authority, the Autoridade Nacional de Proteção de Dados (“ANPD”).

Ultimately, the LGPD will affect organizations doing business in Brazil in a way none of the previous privacy laws and norms have. General data protection provisions and principles are already found in Brazil’s federal constitution, the Brazilian Civil Code, and laws and regulations addressing consumer protection and employment, particular sectors such as financial institutions, health care providers, or telecommunications services providers, and particular professional activities such as medicine or law. Although the country already had several sectoral privacy laws and more than 40 laws and norms at the federal level, the LGPD is the first law to provide a comprehensive framework regulating the use and processing of all personal data.  In light of today’s digital economy and the perpetually expanding use of personal data, companies in all sectors are going to have to adjust and adapt their data collection practices to Brazil’s LGPD.

Influenced by the GDPR, the law sets forth in 65 articles, the Brazilian conception of personal data and provides the legal basis for authorizing its use. A matchup comparing the LGPD to GDPR provided by the International Association of Privacy Professionals (“IAPP”) can be found here.

By way of summary:

 

Jurisdiction. Like GDPR, the LGPD provides for extra territorial jurisdiction. Under Article 3, a personal data processor is subject to LGPD when either: (1) the data is either collected or processed within Brazil; (2) the data is processed for the purpose of offering goods or services to individuals located in Brazil; or (3) the personal data was collected in Brazil. If one of these conditions is met, the headquarters of the company is irrelevant, and LGPD applies.

Scope of “personal data”.  Personal data is broadly defined to encompass any information regarding any identified or “identifiable” natural person. It also includes any data that can be aggregated to other data to identify the individuals. Given the rapid development of big data, this definition could be broadly interpreted to include almost any kind of data.

Sensitive personal data. Like GDPR, the law includes additional provisions specific to “sensitive personal data”, which is considered vulnerable to discrimination. This includes personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, health or sex life, and genetic or biometric data. Such data may only be processed in limited circumstances.

Consumer Rights.  Article 18 enumerates consumer rights and requires they be made known to consumers in an easily accessible manner. These rights include:

  1. Confirmation of the existence of the processing;
  2. Access to the data;
  3. Correction of incomplete, inaccurate or out-of-date data.
  4. Anonymization, blocking or deletion of unnecessary or excessive data or data processed in noncompliance with the provisions of this law.
  5. Portability of the data to another service or product provider, by means of an express request and subject to commercial and industrial secrecy, pursuant to the regulation of the controlling agency.
  6. Deletion of personal data processed with the consent of the data subject, except in the situations provided in Article 16 of this law.
  7. Information about public and private entities with which the controller has shared data.
  8. Information about the possibility of denying consent and the consequences of such denial.
  9. Revocation of consent.

 

Importantly, the LGPD expands upon the GDPR’s “right to be informed” by including both: (a) the right to be informed as to the entities with which data is shared and (b) the separate right to be informed as to what will happened if they refuse to consent. This provides greater transparency and understanding to consumers of the impact of their choices.

General principlesThe law lays out 10 principles that should be considered when processing personal data. These principles include purpose, suitability, necessity, free access, quality of the data, transparency, security, prevention, non-discrimination and accountability.  Ultimately, the extent of such consideration will assist the ANPD in determining whether a company is compliant.

Grounds for data processing.   Like the GDPR, the LGPD restricts data processing to certain enumerated scenarios as set forth in its text, one of which is after obtaining the valid consent of the data subject. Consent forms must be clear and include the purpose of processing, duration of processing, identity of the data controller, entities to whom the data will be disclosed and rights of the data subject, including their right to deny consent.

In the absence of valid consent, the law permits data processing in limited scenarios, including when processing is necessary to fulfill the legitimate interests of the controller. Importantly, these “legitimate interests” are subject to a balancing test against the data subject’s fundamental rights, in which those rights may ultimately outweigh the legitimate interests articulated.

Data Breaches.  The LGPD does not specify a timeline for data breach notification, but requires notice within a “reasonable time period” and that it contain certain specified information.  Controllers must also notify the ANPD and data subject if they experience a security incident that “may create risk or relevant damage to data subjects.”

Data Protection OfficerThe LGPD does require a data protection officer. However, unlike GDPR and other laws, Executive Order No. 869/18 indicates that the DPO does not have to be a natural person. Rather, companies, committees or other internal groups are able to serve as DPOs. Alternatively, an organization may even outsource the position to a third party, such as a specialized company or law firm.

National Data Protection Authority and Enforcement. Brazil’s ANPD will be responsible for overseeing all compliance and for conducting the aforementioned balancing tests. An initial provisions creating the ANPD was vetoed and, as a result, the ANPD was not officially established until the passage of Executive Order No. 869/18. Therefore, the ANPD is not yet fully operational.  Once it is stood up, the ANPD will have various enforcement tools and administrative penalties available, such as:

  • A formal warning with deadline for corrective measures.
  • Fines of up to 2% of the gross revenue of the company, limited to R$50 million (approximately $9.4 million US) per infraction.
  • Daily fines for noncompliance, cumulatively up to the same limit.
  • Public disclosure of the infraction after proper investigation and confirmation of its occurrence.
  • Blocking of the personal data involved in the infraction until the situation is corrected.
  • Elimination the personal data involved in the infraction.
  • Partial suspension of the database operation involved in the infraction for a maximum 6 month period extendable for the same period, until the activity is compliant.
  • Suspension of the processing activity involved in the infraction, for a maximum of 6 months with 6 month extension
  • Partial or total prohibition of engaging in personal data processing activities.

 

These penalties will only take effect in August 2021, and they must be applied directly by the ANPD. However, this body is not yet up and running since the relevant regulation on its internal structure and staffing by civil servants and political appointees was only issued at the end of August this year. The ANPD will thus be fundamental in regulating and issuing guidance about the various provisions and themes covered by the law.

Conclusion. More will be known once the ANPD is up and running with guidance and interpretation, and begins enforcement activities.  Much like the CCPA’s January 1, 2020 statutory compliance date and subsequent enforcement and regulations, companies are left in the meantime try and determine the best path to compliance.  In the meantime, companies need to be aware that the law is effective, and can be applied by the courts or other competent authorities.