The field of data privacy is getting another installation of data protection laws with the introduction of Brazil’s General Law for the Protection of Personal Data — in Portuguese, Lei Geral de Proteção de Dados (LGPD), Law No. 13.709/2018. The LGPD follows Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Enaction has been in the works since the bill passed in August of 2018. As a consolidation of existing data protection laws (i.e., Brazilian Civil Rights Framework for the Internet (in Portuguese: Marco Civil da Internet, Law No. 12.965), the LGPD aims to create overarching regulations for collecting and processing personal data in Brazil.
Expected to go into effect on August 15, 2020, the Brazil Senate approved a bill on April 3, 2020, to delay implementation until January 1, 2021, and enforcement until August 1, 2021, given the implications of the COVID-19 pandemic. Nonetheless, it’s never too late to prepare for the LGPD’s postponed enactment.
In the interest of early preparations, we’d like to highlight some of the critical aspects of the LGPD and how it differs from the GDPR and CCPA.
Brazilian General Data Protection Act in Practice
Like the GDPR and CCPA, the LGPD applies to both public and private organizations that collect consumer data from site visitors or eCommerce users regardless of their physical location. A company doing any of the following is susceptible to the laws of the LGPD:
- processes personal information in the country of Brazil,
- processes personal data collected in Brazil; or
- collects personal data to market or offer goods/services in Brazil.
Enforcement and Penalties
As opposed to the CCPA, where state laws observe the provisions of the Act, the LGPD is a federal mandate. To provide guidance and enforcement, Brazil’s executive branch created the National Data Protection Authority — in Portuguese, ANPD, Autoridade Nacional de Proteção de Dados.
Violators will incur fines up to 2% of their annual revenue (depending on net taxes from the previous year) with a cap at R$ 50M (or around $9.7M). The ANPD has also suggested daily fines to ensure quick improvements to business security protocols/systems.
Data Processing
The collection/processing of personal information needs to service the organization in legitimate ways without infringing on the individual’s rights and liberties. In that way, the collection of personal data must meet ten requirements (shown below) to be considered valid.
- In one way or another, individuals must consent to the collection of their personal information (i.e., via “cookies banner,” email, or other options).
- Adequate reasons for collecting and processing data include compliance with legal/regulatory requirements, studies in research institutions, individual protection, healthcare reasons, or a person’s credit information.
User Rights
A majority of the data rights Brazilian residents have under the LGPD resemble those in the GDPR and CCPA. However, the LGPD has amplified individuals’ ability to access a) information shared with third-party entities, and b) information on the specific data that an organization has obtained. (For a detailed explanation of individual rights under GDPR and CCPA, click here.)
Governance Under Brazilian Data Protection
Certain stipulations are placing notable administrative and operational responsibilities to guarantee compliance. For instance, organizations need to designate a data “officer” to oversee all data processing and handle violations. The entirety of duties delegated to the officer is yet to be wholly specified, but appointment of these officers is essential. There’s also a requirement for organizations to keep well-documented records of data processes, conduct protection assessments, and notify the government and affected individuals of any data breaches.
As with other data protection regulations, organizations need to implement security measures for their products/services and implement appropriate protocols to protect personal information. For many organizations already affected by the GDPR and the CCPA, these are a staple of their consumer data processing procedures.
It’s important to note that there is a lack of specificity concerning governance policies under the LGPD. While the Brazilian government didn’t skimp on the requirements for organizations, clarification is needed (and undoubtedly coming in the future) around the contents of documentation and data protection impact assessments.
LGPD emerges as another safeguard to user privacy and data protection. Each year, more countries and jurisdictions erect pillars of safety to protect consumer data, not as a trend, but as a commitment to privacy. While technology continues to expand the reach of online buying and digital commerce, the need for regulatory laws and provisions accompanies it. Where there is consumer data, there needs to be security, and thus, privacy.