LGPD – General Law of Data Protection [BRAZIL]
On 15 August 2020, the Lei Geral de Proteção de Dados Pessoais (LGPD), or the General Law on the Protection of Personal Data, will enter into force in Brazil. This law has been hailed by many as the first GDPR-like law in Latin America, helping Brazil to ensure a high level of data protection. From the moment of the law’s publication in August 2018 to its effective date, organizations will have had 18 months to prepare for this new piece of legislation. Many organizations doing business in Brazil may be wondering how to ensure compliance with the new Brazilian requirements.
Non-compliance with the requirements of the LGPD could result in fines amounting to 2% of gross sales (of the company or a group of companies) or a maximum sum of R$ 50,000,000.00 (fifty million Brazilian reais) per infringement, approximately USD 12.9 million.
Key elements of the Bill include:
• Cross-Border Jurisdiction. Similar to the GDPR, the Bill applies not only to organizations headquartered in Brazil and to companies processing personal data in Brazil, but also to cross-border processing of the personal data of Brazilian residents.
• Familiar privacy principles and risk-based approach. The GDPR’s influence on the new legislation is apparent in the core principles it sets out for data processing – including lawfulness, fairness, accountability, non-discrimination, purpose limitation and transparency in the use of personal data. It also requires data minimization, accuracy, storage limitation, and security including integrity and confidentiality – all of which will already be familiar to readers of the GDPR.
• New rights for individuals. The LGPD introduces new rights for Brazilian residents, including the right to data portability (much discussed in the EU context), along with the right of erasure and the right of access to personal data. In the Brazilian context these rights come with shorter deadlines for controllers to respond to data subject requests (15 days instead of the 30 days imposed by the GDPR).
• More legal bases for processing of personal data. The Brazilian Bill provides a total of 10 legal bases on which controllers may lawfully process individuals’ personal data. In comparison, the GDPR offers only 6. Brazil-specific bases include, for example, the protection of credit and the protection of health in procedures carried out by medical institutions. Most of the additional legal bases would fall under the GDPR’s legitimate-interests basis.
• Data-mapping and DPIAs. For organizations that have already undergone the data-mapping and DPIA-drafting exercise, these newly imposed LGPD requirements will not be overly burdensome. For the rest, the rules are fairly similar to the GDPR requirements: both the controller and the processor are obliged to maintain records of processing and to conduct privacy impact assessments for processing activities that may pose a higher risk to individuals’ personal data.
• Mandatory breach notification and DPO. Data controllers will be obliged to notify personal data breaches to the National Data Protection Authority and to the affected individuals. Furthermore, controllers will now have to appoint a data protection officer, whose responsibilities include oversight of the organization’s data processing activities and facilitation of data subject requests – the similarities with the GDPR’s DPO role being apparent. The notable difference is that, as the law currently stands, the obligation to appoint a DPO falls on all data controllers: the LGPD provides no exceptions for small businesses or small-scale processing. It is expected, however, that the Data Protection Authority (once constituted) may lay down certain exceptions to this very wide-reaching and potentially onerous obligation.
• International Data Transfers. The new Bill imposes restrictions on the cross-border transfer of personal data. Such transfers are allowed (i) to countries deemed by the data protection authority to provide an adequate level of data protection, or (ii) where effected using standard contractual clauses or other mechanisms approved by the data protection authority.
The Brazilian legislation also drew inspiration from the GDPR when detailing the administrative sanctions. As noted above, non-compliance with the requirements of the LGPD could result in fines amounting to 2% of gross sales (of the company or a group of companies) or a maximum sum of R$ 50,000,000.00 (fifty million reais) per infringement, approximately USD 12.9 million.