LGPD, Brazil’s New Data Protection Law
What is the LGPD
The implementation of the EU’s General Data Protection Regulation (GDPR) unleashed a tsunami of new and updated privacy laws across the world, reaching across the Atlantic to Brazil. On August 14, 2018, the Brazilian Federal Senate signed the Brazilian Personal Data Protection Regulation, referred to as the “LGPD” (derived from its Portuguese title), into law. The LGPD bears resemblance to the GDPR, though it is lighter and broader in scope.
The LGPD was set to take effect in February 2020, but this deadline was extended another six months to August 16, 2020, giving both Brazilian policy makers and companies operating in Brazil a little more time to prepare for implementation.
Who Does the LGPD Apply To
Much like GDPR, the LGPD has an extraterritorial application, meaning the law applies to any individual or organization, public or private, that collects or processes personal data in Brazil, regardless of where that organization is based. It also applies to organizations that intend to offer services to individuals in Brazil.
What is the Scope of the LGPD
The LGPD’s requirements apply to individuals and public and private bodies that process data subjects’ information (i.e., controllers) or that process data on another’s behalf (i.e., processors). The requirements extend to companies both within and outside of Brazil’s borders. The definition of data subjects under Article 5 of the LGPD, is broad, similar to the GDPR: A data subject is anyone in Brazil whose data is being processed/collected. According to Article 3 of the LGPD, the law covers processing operations that meet any the following criteria: (i) the processing operation is carried out in Brazil, (ii) the purpose of the processing activity is the supply of goods/services to individuals located in Brazil or (iii) the processed personal data has been collected in Brazil.
Are Data Processing Officers (DPOs) a Requirement
The LGPD also requires that data controllers appoint a Data Processing Officer. A Data Processing Officer’s job is to receive complaints and communications from data subjects, communicate with the Supervising Authority, and instruct an organization’s staff on how to best protect data subjects’ privacy. The role of the Data Processing Officer can be thought of as a combination of the GDPR’s DPO and EU Representative roles, as it is responsible for communicating between an organization, data subjects, and Supervising Authorities, and also overseeing the organization’s compliance with the regulation.
However, unlike the GDPR, the LGPD’s Data Processing Officer does not have to be a natural person and can even be performed by a third-party legal entity or individual. Therefore, companies, committees, and working groups are all able to fulfill the responsibilities of a Data Processing Officer, which means an organization could outsource this role.
What are the lawful bases for data processing?
Much like the GDPR, Brazil’s LGPD has set directives for how an organization can legally process an individual’s data. Policy regulators are seeking to increase transparency between an organization and the data subject through this regulation. The lawful basis of consent is preferred by many organizations, because it is the most straightforward way for organizations to legally process data. Article 9 of the LGPD states that consent request forms must be clear and must include:
- Purpose of processing;
- Duration of processing;
- Identification of the data controller;
- To whom the data will be disclosed; and
- The rights of the data subject.
The law provides some examples of acceptable processing where consent is not required, including instances where the data is available for public access or when processing is necessary for any of the following:
- Compliance with a legal or regulatory obligation;
- The fulfillment of a contract or agreement;
- The legitimate interest of the data controller or third parties;
- Performance of historical, scientific and statistical research;
- Protection of life;
- Protection of health (performed by public health authorities); and
- A matter of national security, defense, and investigative activities.
It is essential for organizations to properly process and document their lawful basis for data processing. Processing sensitive data (which includes health information, biometric information, and genetic data) is subject to additional restrictions. Article 11 of the LGPD states that the processing of Sensitive Personal Data is prohibited unless (1) the controller has informed the data subject of the possible risks involved in processing sensitive data, and (2) the data subject has given precise consent that their sensitive data can be processed.
Concerning the processing of the data of minors, the LGPD states that data subjects ranging from the ages of 12 to 18 may provide consent, but must allow for revocation by parents and/or guardians.
Lastly, there are two exceptions to the law’s standard rules for processing and consent. The regulation does not apply when processing is performed by a natural person for personal reasons, or for the purpose of news reporting.
What are the penalties?
The LGPD requires organizations to report data breaches to DPAs, and in some cases to data subjects if the DPAs deem it necessary. Companies who fall under the LGPD’s domain should be aware of the sanctions Brazil plans to impose for non-compliance. Whether related to a breach or another violation of the LGPD, monetary penalties for non-compliance can result in fines of up to 2% of global gross sales, limited to 50 million reias (approximately $12.9 million USD) per violation. Additional consequences include:
- Publication of the violation;
- Suspension of personal data processing for two years;
- Prohibition of processing sensitive data for ten years; and
- Prohibition of operations for ten years.
According to the LGPD, these consequences may be applied cumulatively, resulting in heavy reputational and monetary losses. These penalties will be determined based on the extent of the violation, as well as the effects it has on data subjects.
Relentless Your LGPD Partner of Choice
Relentless Privacy and Compliance Services provides quality, cost-effective compliance, assurance and global privacy maturity assessments to companies of all sizes. Unlike traditional compliance firms, we don’t have four or five layers of management. Through the use of technology and our centralized, streamlined structure, we are able to serve our clients in the timeliest manner and with the highest level of efficiency. And because of our unique model and approach, we are able to deliver this exceptional service at highly competitive rates.
We have 20+ years of compliance and assurance experience and are committed to providing a personalized and responsive service.
With a tailor made approach, we work with our clients in executing each project to their specific need and help maximize the long term business value of their compliance and privacy assurance strategies ensuring their global operations remain within the law.
Relentless LGPD Service What's Included?
Our LGPD Service Includes the Following
- LGPD Assessment
- Dedicated DPO
- Unlimited Support Calls
- Unlimited Email Support
- Data Mapping
- Record of Processing Activities
- Subject Access Request Service
- Data Risk Assessments
- Data Breach Support
The GDPR also introduced new accountability and transparency requirements, meaning that processors must be able to show that they have a lawful basis for each processing operation, and must inform individuals which lawful basis if being relied upon. Furthermore, under GDPR the interpretation of legitimate interests is now broader, encompassing the interests of any third party, including wider societal benefits.