Alessandra NisticoThe influence of the European Union General Data Protection Regulation (GDPR) n. 2016/679 on international legislation is evident, and it shows how the GDPR impacted worldwide legislation on data protection. On 14th August 2018, Brazil approved its General Personal Data Protection Law, or Lei Geral de Proteção de Dados Pessoais (LGPD), n.13.709/2018, which came into effect in February 2020.
The LGPD will impact companies globally because of its extraterritorial effect, which will require companies across the world dealing with Brazilian personal data to implement LGPD requirements.
What is the LGPD?
The LGPD is focused on processing and collection of personal data in the Brazilian territory area and on data processed by companies that intend to offer goods or services to individuals in Brazil.
The LGPD amended the previous Brazilian Internet Law and the Consumer’s Protection Act. Similar to the GDPR, the LGPD is focused on data subjects’ rights and requires companies to adopt procedures and measures to protect personal data and to process it lawfully under LGPD requirements. In addition, the Data Protection Authority was created to enforce the LGPD provisions.
LGPD vs. GDPR: Similarities and differences
The LGPD was inspired by the GDPR, and there are many similarities between the two legislations, making it easier for GDPR controllers and processors to comply with LGPD requirements. However, there are also some differences that need to be considered.
Similarities
Extraterritorial applicability: Like the GDPR, which can be applied by organisations all around the world [see our article: What is the EU GDPR and why is it applicable to the whole world?], the LGPD has an extraterritorial applicability. It not only applies to personal data processed in Brazil, but also to personal data processed outside Brazil if such data belongs to individuals located in Brazil, or if the data was collected, stored or processed in Brazil.
Data subjects: The GDPR considers a data subject to be “an identified or identifiable natural person,” while the LGPD states that it is “a natural person to whom the personal data that are the object of processing refer to.”
Data subject rights: Individuals have the right to access their data, modify it, correct it or demand erasure – like in the GDPR.
Legal basis for data processing: Processing personal data requires a legal basis; this is one of the most important principles in both the GDPR and the LGPD. It is possible to process personal data without consent, if such processing is necessary in order to fulfil a contractual obligation or a pre-contractual obligation, to comply with a legal order, to defend a right in court or for some other legitimate interest. In all other cases, the data controller needs to have the consent of the data subject. In the LGPD, there are four more bases that are not specified as legal bases in the GDPR, although they could be considered under other legal bases: the carrying out of research by research bodies, ensuring (where possible) the anonymisation; the regular exercise of rights in judicial, administrative or arbitral proceedings; credit protection and the protection of health.
Data breach notification: Both regulations require notification of a Data Protection Authority if a data breach happens and, in certain cases, there is an obligation to inform the data subject. However, while the GDPR requires this data breach notification to be done in the next 72 hours, the LGPD requires notification within a “reasonable time,” leaving to the Brazilian Data Protection Authority to implement such rules.
Differences
Extraterritorial applicability: The LGPD will apply only if data processing activities or collection happens in Brazil, or if the company intends to offer goods or services to individuals in Brazil.
Anonymised data: The LGPD states that anonymised data can be considered as personal data when used to formulate behavioural profiles of a particular natural person, only if that person is identified.
Processors: While the GDPR requires that processors be appointed by a written undertaking having legal effects, under the LGPD there is no obligation to execute a contract or other legal act for the processing conducted by a processor.
Children’s data: With regard to consent to information services, the GDPR sets the minimum age at 16 years old, though Member States may set a lower age, abiding by the minimum of 13 years of age. Under that age, consent must be given by a parent or legal guardian. Under the LGPD, consent might be given by a 13- to 18-year-old natural person, as long as the processing of their personal data is undergone in their best interest. In cases where children are younger than 13 years old, specific and explicit consent must be given by a parent or person responsible for the child.
Data transfers: The LGPD permits the international transfer of personal data to countries or international organisations that provide an adequate level of protection of personal data, which can be assessed by “valid seals of quality,” alongside activities prescribed by the GDPR like contractual clauses, standard contractual clauses and global corporate rules.
Data processing records: The LGPD requires all controllers to keep a record of their processing activities. The GDPR requires it as mandatory in specific situations (more than 250 employees, processing of “sensitive data,” monitoring of behaviour, processing of data referring to criminal convictions).
Data Protection Officer (DPO): While the GDPR requires controllers and processors to appoint a DPO under certain circumstances as indicated in Article 37 of the GDPR, the LGPD requires only controllers to appoint a DPO, and it does not prescribe any circumstances. It is the Brazilian Data Protection Authority’s (ANPD) responsibility to release complementary rules about the situations in which the appointment of such person may be waived.
Fines: While the GDPR has two levels for fines (up to 10 million euros, or up to 20 million euros), the LGPD sets two kinds of fines: fixed and daily fines, both with the same limit of BRL 50,000,000 (approx. €11.5 million). A daily fine is normally used to enforce a previous decision. Depending on the violation, a simple fine of up to 2% of a private legal person’s, group’s, or conglomerate’s revenues in Brazil, for the prior financial year, excluding taxes, up to a total maximum of BRL 50,000,000 per infraction may be issued.
What to expect next?
The lesson arising from the adoption of the LGPD stresses how data protection impacts businesses worldwide, becoming a condition to enter a market either as a provider of service in the digital market or as offering goods and services to individuals. The enforcement of the LGPD from the Brazilian Data Protection Authority will tell us more on how the LGPD and the GDPR will evolve as an international common framework of rules, or how they will diverge.
To learn more about the GDPR documents, and to see if they can be applicable to the LGPD as well, download this free Checklist of Mandatory Documentation Required by EU GDPR.