As documented in Dirceu Santa Rosa’s article for the IAPP’s Privacy Tracker, efforts to delay the effective date of Brazil’s General Data Protection Law – Lei Geral de Proteção de Dados or LGPD – recently failed, and the law is expected to go into force in the coming days. Brazil’s federal government also published a decree approving the regulatory structure of the Autoridade Nacional de Proteção de Dados, i.e., Brazil’s national data protection authority.
LGPD becoming effective this year was a surprise to many as its effective date was expected to be postponed because of COVID-19. However, in a year that started with the CCPA going into effect, descended into chaos with COVID-19 (and its numerous privacy issues), took a “what just happened?” turn with the invalidation of Privacy Shield, and will close with a vote on CCPA 2.0, the unexpected start of LGPD feels like par for the course for privacy professionals.
For U.S. companies trying to comply with these laws, LGPD may seem like another insurmountable task. To facilitate that process, below is a general discussion of LGPD and some of its more notable provisions. For reference, LGPD has been translated into English by Ronaldo Lemos and his team at Pereira Neto Macedo and is available here.
What entities does LGPD apply to?
Similar to GDPR, LGPD purports to have extra-territorial jurisdiction. Article 3 states that the law applies to “any processing operation carried out by a natural person or a legal entity of public or private law, irrespective of the means, the country in which its headquarter is located or the country where the data are located, provided that: (1) the processing operation is carried out in the national territory; (2) the processing activity is aimed at the offering or provision of goods or services, or at the processing of data of individuals located on the national territory; or (3) the personal data being processed were collected in the national territory.” “Data collected in the national territory are considered to be those whose data subject is in the national territory at the time of collection.”
Stated differently, LGPD certainly applies to companies that are present in Brazil. As to companies outside of Brazil, it remains to be seen how broadly LGPD’s territorial scope language will be interpreted and applied. However, those familiar with GDPR will certainly appreciate the similarities between LGPD and GDPR’s territorial scope language.
LGPD does exempt the processing of personal data by natural persons exclusively for private and non-economic purposes, journalistic and artistic purposes, academic purposes (subject to certain exemptions), or processing that is done exclusively for public safety, national defense, state security, or activities of investigation and prosecution of criminal offenses (which processing is subject to separate obligations).
What information does LGPD apply to?
LGPD applies to the processing of “personal data”, which is defined in Article 5 to mean “information regarding an identified or identifiable natural person.” “Processing” is defined as “any operation carried out with personal data, such as collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation or control of the information, modification, communication, transfer, dissemination or extraction.”
Does LGPD require a lawful basis for the processing of personal data?
Yes. Entities subject to the law are required to have a proper basis for processing personal data. Some of the bases identified in Article 7 are (1) with the consent of the data subject (defined as “a natural person to whom the personal data that are the object of the processing refer to”); (2) for compliance with a legal or regulatory obligation by the controller; (3) when necessary for the execution of a contract or preliminary procedures related to a contract of which the data subject is a party, at the request of the data subject; (4) when necessary to fulfill the legitimate interests of the controller or a third party, except when the data subject’s fundamental rights and liberties; (5) for the protection of credit.
What is consent?
LGPD defines “consent” as “free, informed and unambiguous manifestation whereby the data subject agrees to his/her processing of personal data for a given purpose.” Consent is not required for personal data that is “manifestly made public by the data subject.” If a controller relies on consent to process data, it also must obtain consent to communicate data to other data controllers.
Further, consent is required to be given in writing or by another means that demonstrates the manifestation of the will of the data subject. If given in writing, consent must stand out from other contractual clauses. Consent also is required to refer to particular purposes. Generic authorizations are void. As with GDPR, consent can be revoked at any time.
LGPD also makes clear that consent is only as good as the basis for which it was given. Consent is void if the information provided to the data subject was misleading or not provided in a transparent, clear and unambiguous way. If the covered entity changes the purposes for which it processes data in a way that is incompatible with the consent it received, it must inform data subjects of the changes and data subjects may revoke their consent.
What about sensitive personal data?
The processing of sensitive personal data is restricted to two situations per Article 11. First, when the data subject has given his/her specific consent for specific purposes. Second, in the absence of consent, when the processing is indispensable for certain specified purposes (e.g., compliance with a legal obligation, protecting life or physical safety, and fraud prevention).
The law defines “sensitive personal data” as “personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political membership, data concerning health or sex life, genetic or biometric data, when related to a natural person.”
What about children’s personal data?
In general, Article 14 requires parental consent to process children’s and adolescents’ personal data. The requirements of Article 14 are similar to those in the Children’s Online Privacy Protection Act.
What rights does LGPD grant data subjects?
Article 9 provides data subjects with the right to receive notice of: (1) the specific purposes of the processing, (2) the type and duration of the processing, (3) the controller’s identity and contact information, (4) information regarding the shared use of the data by the controller and the purpose, (5) responsibilities of the agents that will carry out the processing, and (6) an explanation of the data subjects’ rights.
Article 18 allows data subjects to make a request to obtain: (1) confirmation of existence of processing; (2) correction of incomplete, inaccurate or out-of-date data; (3) anonymization, blocking or deletion of unnecessary or excessive data or data processed in noncompliance with the provisions of LGPD; (4) data portability; (5) deletion of personal data processed with the data subject’s consent (subject to certain exceptions); (6) information about public and private entities with which the controller has shared data; (7) information about the possibility of denying consent and the consequences of such denial; (8) revocation of consent.
What about international data transfers?
Similar to GDPR, Article 33 of LGPD regulates the international transfers of personal data. In the absence of an adequacy decision, controllers must look to other means such as “specific contractual clauses for a given transfer”, standard contractual clauses, or binding corporate rules.
What about data breaches?
Article 46 requires processing agents to adopt “security, technical and administrative measures to protect personal data from unauthorized [access] and accident or unlawful situations of destruction, loss, alteration, communication or any type of improper or unlawful processing.”
Controllers must notify the national authority and data subjects if they experience a security incident that “may create risk or relevant damage to data subjects.” The notice must be provided “in a reasonable time period” and contain certain specified information.
What are the penalties for non-compliance?
Among other penalties, Article 52 provides that entities are subject to administrative sanctions by the national authority of up to R$50,000,000 (approximately $9.4 million U.S.).
Notably, the penalties are delayed until August 2021.
This discussion is intended to provide a general overview of some (but certainly not all) of LGPD’s provisions. As with GDPR, LGPD is a complicated law that will require extensive analysis by any U.S. entity subject to its application.