Brazil’s LGPD Data Privacy Regulation Now in Effect
Since the approval of Brazil’s Lei Geral de Proteção de Dados (LGPD) in August 2018, the effective date of the new data privacy regulation had been up in the air. One of the many factors related to the somewhat continuous change in effective date has been, with little surprise, the COVID-19 pandemic.
Timeline of the LGPD
Below is a short timeline of the major recent changes, along with the current status of when this data privacy regulation became effective and when it will become enforceable.
- On August 24, 2018, the LGPD was approved with an effective date of February 2020. Due to the COVID-19 pandemic, the February 2020 effective date was pushed to allow businesses additional time to comply.
- On August 25, 2020, the Brazilian House of Representatives approved a provisional measure that would postpone the effective date until December 31, 2020, due once again to the COVID-19 pandemic.
- On August 26, 2020, the Brazilian Senate raised a “question of order” and amended the provision within Conversion Bill (PLV) 34/2020, removing the proposed delay of enforcement of the LGPD, meaning the LGPD would become effective almost immediately.
- On August 27, 2020, the Brazilian federal government published a decree that approved the structure of the regulatory authority of the LGPD, the Autoridade Nacional de Proteção de Dados (ANPD). The ANPD will consist of five members who have yet to be appointed.
- On September 17th, the Brazilian president approved the Conversion Bill, resulting in the LGPD becoming effective on September 18th, 2020.
- On August 1, 2021, the administrative sanctions (i.e., penalties) provisions of the LGPD should become effective (subject to approval by the Congress of Brazil).
When does the LGPD become effective?
We now have clarity into at least the effective date of the LGPD, which came into effect on September 18th, 2020. There are still some dates in flux when it comes to the LGPD, specifically the administrative sanctions provisions. As of now, the current enforcement date is set for August 1, 2021. However, this is dependent upon approval from the Congress of Brazil. As mentioned above, the LGPD will eventually be enforced by the ANPD once appointed.
What are the requirements?
If your organization has prepared for the General Data Protection Regulation (GDPR), the LGPD will look familiar. The Brazilian data protection regulation mirrors many of the requirements under the GDPR by requiring businesses to comply with specific privacy principles, lawful bases, data transfer mechanisms, and privacy rights, among other obligations. Below is an overview of the key requirements outlined under the LGPD. This list is not a comprehensive breakdown of the regulation but is intended to provide insight into what the main requirements are under the LGPD.
Definitions
Here are some common terms under the LGPD:
- “Personal data” means “information regarding an identified or identifiable natural person.”
- “Data subject” means “a natural person to whom the personal data that are the object of processing refer to.”
- “Controller” means the “natural person or legal entity, of public or private law, that has competence to make the decisions regarding the processing of personal data.”
- “Processor” means the “natural person or legal entity, of public or private law, that processes personal data in the name of the controller.”
Territorial Scope
The LGPD applies to any processing operation carried out, regardless of the location of the business, if any of the following apply:
- The processing is carried out within Brazil;
- The purpose of processing is to offer or provide goods or services to individuals located within Brazil; or
- The personal data processed is collected in Brazil.
Therefore, if your organization is located in Brazil, or is not located in Brazil, but processes personal information from individuals residing in Brazil, the LGPD likely applies. Determining if your organization falls within this scope will be the first step in assessing whether the LGPD obligations apply.
Lawful Basis of Processing
The LGPD outlines that the processing of personal data may only occur under the following specific circumstances (i.e., lawful bases):
- With the consent of the data subject;
- For compliance with a legal obligation;
- For the processing by public administration for the execution of public policies;
- For research purposes;
- When necessary for the execution of a contract;
- For the exercise of rights under the Brazilian Arbitration Law;
- For the protection of life or physical safety of the data subject or others;
- To protect health when processing is carried out by health professionals or entities;
- When necessary to fulfill the legitimate interests of the controller or third party, unless outweighed by the rights of data subjects; or
- For the protection of credit.
Privacy Principles
The LGPD requires controllers to process personal data in accordance with ten privacy principles. These privacy principles serve as the backbone of the regulation, as they broadly require controllers to be transparent in their processing activities and ensure personal data is only processed for specific purposes, processed securely, and not unnecessarily collected.
- Purpose: Processing must be done for legitimate, specific, and explicit purposes of which the data subject has been informed.
- Suitability: The purposes of processing must be compatible with what the data subject was informed of.
- Necessity: Limit the processing to what is necessary to achieve the purposes of collection.
- Free access: Guarantee data subjects’ free access to their personal data.
- Quality of data: Guarantee the accuracy, clarity, relevancy, and updating of personal data.
- Transparency: Guarantee clear, precise, and easily accessible information about the processing activities.
- Security: Use technical and administrative measures to protect personal data from unauthorized access or accidental or unlawful destruction, loss, altering, communication, or dissemination.
- Prevention: Adopt measures to prevent damages due to processing.
- Nondiscrimination: Ensure the processing is not carried out for unlawful or abusive discriminatory purposes.
- Accountability: Adopt measures to prove compliance with all data protection obligations within the LGPD.
Data Subject Rights
The LGPD provides nine data protection rights to data subjects within Brazil. Controllers must honor these rights free of charge and as soon as possible. Subject to certain exemptions, these rights include:
- Right to know about the processing;
- Right to access the data;
- Right to correct incomplete, inaccurate, or outdated data;
- Right to anonymize, block, or delete unnecessary or excessive data or data processed unlawfully;
- Right to port data to another service or product provider;
- Right to delete personal data processed based on a data subject’s consent;
- Right to information about public and private entities with which the controller has shared data;
- Right to information about the possibility of denying consent and the consequences of such denial; and
- Right to revoke consent.
The LGPD specifies that requests for the right to know and access must be honored within 15 days. However, the regulation does not provide a specific timeline regarding how quickly the other rights must be honored.
Notice Requirements
As outlined within the privacy principles section, the intent behind the LGPD is to provide data subjects with more transparency and control over their personal data. As such, controllers are required to notify data subjects of the following:
- The specific purposes of processing;
- The type and duration of processing;
- The controller’s identity;
- The controller’s contact details;
- Information regarding any sharing activities with other controllers and the purpose of sharing;
- The responsibilities of the agents carrying out the processing; and
- The data subject rights under the LGPD.
The LGPD does not specify that this notice must be provided before the collection of personal data. Still, these notice disclosures likely should be included within your organization’s privacy policy if it is within the scope of the LGPD.
Data Transfer Mechanisms
The LGPD provides for specific circumstances in which personal data may lawfully be transferred outside of the country:
- The country receiving the data has adequate levels of protection;
- The controller has applied one of the following:
  - Specific contractual clauses for a given transfer;
  - Standard contractual clauses;
  - Global corporate rules; or
  - Regularly issued stamps, certificates, and codes of conduct.
- The transfer is necessary for international legal cooperation between public intelligence, investigative and prosecutorial agencies, in accordance with the instruments of international law;
- The transfer is necessary to protect the life or physical safety of the data subject or of a third party;
- The national authority authorizes the transfer;
- The transfer results in a commitment undertaken through international cooperation;
- The transfer is necessary for the execution of a public policy or legal attribution of public service;
- The data subject has given her/his specific consent and distinctly for the transfer, with prior information about the international nature of the operation, with this being clearly distinct from other purposes; or
- The transfer is necessary for compliance with a legal obligation, for the execution of a contract, or for compliance with the Brazilian Arbitration Law.
Additional Obligations
In addition to the obligations outlined above, the LGPD also requires organizations to appoint a Data Protection Officer, conduct data privacy impact reports, maintain records of processing activities, comply with specific consent requirements, and implement security, technical, and administrative measures to protect personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication, or any type of improper or unlawful processing.
In the event of a personal data breach, organizations are now required to notify the national authority (i.e., the ANPD once appointed) and affected data subjects of the breach. There is no specific timeline regarding when notification is required under the LGPD.
Lastly, the LGPD specifically states that controllers must implement a privacy governance program, and the regulation outlines what is expected to be included within the program. Overall, the privacy governance program should demonstrate the controller’s overall internal policies and procedures to ensure the protection of personal data.
Penalties for Non-Compliance
As mentioned in the timeline above, the administrative sanctions (i.e., penalties and fines) will likely not become effective until August 1, 2021. Once the sanctions become effective and enforceable by the ANPD, violations of the LGPD may result in fines of up to 2% of the organization’s global revenue for the prior year up to a total of 50 million reais (or approximately USD 9.3 million) per violation. Further, the LGPD also allows for individual data subjects to file civil lawsuits against controllers and processors in violation of their obligations.
Where to Go from Here
Although the administrative sanctions are likely not effective until August 1, 2021, the other obligations under the LGPD are now effective and businesses may be subject to private right of action lawsuits brought by data subjects in the meantime.
Businesses must first determine whether they must comply with the LGPD. For businesses operating within Brazil or processing personal information of individuals located in Brazil, the LGPD likely applies. Next, businesses must determine their role under the LGPD – does the business operate as a controller, a processor, or possibly both? This will determine with which obligations the business must comply.
From there, businesses should begin assessing any current procedures that may have been implemented to comply with the GDPR or other privacy regulations to determine what may need to be altered. For example, the LGPD has additional privacy principles outside of the ones included in the GDPR. Therefore, businesses will need to determine and document how they comply with these additional privacy principles. Another differentiator from the GDPR may be the DPO requirement. The GDPR requires a DPO only in specific circumstances, while the LGPD always requires controllers to appoint a DPO.
For any questions regarding our services, please feel free to reach out to us at connect@compliancepoint.com