On December 28, 2018, Provisional Measure no. 869/2018 was published, which amended certain LGPD provisions and created the National Data Protection Authority (ANPD). Among other modifications, the LGPD will go into full force in August 2020, rather than February 2020 as required when the LGPD was first published.
Data Collection and Processing
Under the LGPD, collection and processing are referred to as data treatment, defined as all operations carried out with personal data, such as:
The treatment of personal data may only be carried out based on one of the following legal bases, which largely align to the GDPR:
With data subject consent
To comply with a legal or regulatory obligation by the controller
By the public administration, for the processing and shared use of data which are necessary for the execution of public policies provided in laws or regulations or contracts, agreements or similar instruments
For carrying out studies by research entities, ensuring, whenever possible, the anonymization of personal data
For the execution of a contract or preliminary procedures related to a contract of which the data subject is a party
For the regular exercise of rights in judicial, administrative or arbitration procedures
As necessary for the protection of life or physical safety of the data subject or a third party
For the protection of health, in a procedure carried out by health professionals or by health entities
To fulfil the legitimate interests of the controller or a third party, and
For the protection of credit
Notwithstanding the above, personal data processing shall be done in good faith and based on the following principles:
Quality of the data
As for the processing of sensitive personal data, the treatment can only occur when the data subject or her or his legal representative consents specifically and in a prominently highlighted manner, for specific purposes; or, without consent, under the following situations:
As necessary for the controller’s compliance with a legal or regulatory obligation
Shared data processed as necessary for the execution of public policies provided in laws or regulations
For studies carried out by a research entity
For the regular exercise of rights, including in a contract or in a judicial, administrative and arbitration procedure
Where necessary for the protection of life or physical safety of the data subject or a third party
For the protection of health, carried out by health professionals or by health entities, or
For ensuring the prevention of fraud and the safety of the data subject
The controller and operator must keep records of the data treatment operations they carry out, especially when the processing is based on a legitimate interest.
In this sense, the ANPD may determine that the controller must prepare an Impact Report on Protection of Personal Data, including sensitive data, referring to its data processing operations, pursuant to regulations, subject to commercial and industrial secrecy. The report must contain at least a description of the types of data collected, the methodology used for collection and for ensuring the security of the information, and the analysis of the controller regarding the adopted measures, safeguards and mechanisms of risk mitigation.
Relentless Privacy and Compliance Services provide a wide range of LGPD and GDPR services.
On May 25th 2018, the EU General Data Protection Regulation came into force, requiring companies based and operating in the European Union to comply with updated regulation about how they handle third party data.
Other countries have taken a similar approach to data protection, with Brazil adopting a law governing how organisations collect, use and share customer data. The LGPD (Lei Geral de Proteção de Dados) will go into effect in August 2020, leaving companies with less than a year from now to make sure they are compliant with the strict requirements related to processing and managing personal data.
Lawfulness of Processing
Article 7 LGPD on the lawfulness of data processing contains the ten legal bases that allow organisations to process personal data in Brazil, at least one of which should apply to any data processing operation. The legal bases are:
compliance with a legal or regulatory obligation
execution of public policies (only for the public administration)
research (with anonymisation, where possible)
execution of a contract (or the pre-contractual phase)
exercising of rights in judicial, administrative, or arbitration procedures
protection of life or physical safety
protection of health
protection of legitimate interests
protection of credit, according to the pertinent legislation
Many of these legal bases are similar to what can be found in laws like the GDPR, although some of the formulations are slightly different, and some additional criteria have been set. Additionally, the LGPD contains specific criteria on how to deal with sensitive data, stipulating that those data cannot be processed unless with a specific legal basis, including the individual’s consent.
When looking at consent, the LGPD seems a little less strict than the GDPR, citing in article 8 that consent needs to be provided in writing or by another means that demonstrates “the manifestation of the will of the data subject.” The burden to prove that consent was validly obtained is on the data controller, and consent should be clearly distinguished from other items, such as contractual clauses. Consent can be revoked at any time and at no cost. Also, consent needs to refer to “particular purposes.” In other words, it needs to be specific.
Legitimate interest under the LGPD is further explained in article 10 of the law. It is rather similar to legitimate interest as we know it from the European Union. It includes the need for data controllers to identify the specific activities for which they process data, as well as the way the rights of the data subject are protected. Also, the data controller needs to make sure the data subject will not be surprised by the fact that his/her data will be processed, i.e. that there is a reasonable expectation of data processing. Some level of transparency is expected from the data controller. The supervisory authority can request that a privacy impact assessment (PIA) be performed when a data controller wants to rely upon legitimate interest.
The LGPD is yet another data protection law that is built on the accountability principle, which means that organisations are required to adopt measures that help to demonstrate compliance. One of those measures is the obligation to maintain a register of processing activities, similar to the one that is required under the GDPR. However, the LGPD does not spell out which elements need to be documented as part of the register. The same is true for the obligation to complete privacy impact assessments. The obligation is part of the law, but it needs to be further specified by the supervisory authority, including in which situations PIAs are mandatory and how they need to be completed. Based on the law, it seems private sector organisations may only need to complete impact assessments when processing personal data on the basis of legitimate interest, and a broader obligation would be imposed on the Brazilian public sector.
Data Subject Rights
Chapter III LGPD is devoted to data subject rights. Brazil will extend several rights to individuals, including a right of confirmation that an individual’s data are being processed, as well as the more traditional rights of access, correction, blocking, and deletion. Under the LGPD, an individual can also request the anonymisation of their data. Requests can be filed at any time, and organisations are bound to respond within 15 days (for the right of access, at least). Data subject rights can be exercised at no cost to the data subject.
The LGPD guarantees a number of rights to holders of personal data, which may be exercised upon request by the holder or their legal representative:
Right to information
Right of access
Right of rectification
Right of data deletion
Right of opposition
Portability right
Contraventions under the LGPD can be sanctioned with a fine of up to 2% of the annual turnover of an organization, with a maximum of 50 million reais (US$ 12.85 million). Also, a warning can be issued. The enforcement notice can furthermore contain an order to block or delete the data to which the infraction refers. Other sanctions that were part of the draft law, including the possible suspension of processing, were vetoed by Brazilian president Temer when the LGPD was presented to him for his signature. Similarly, the provisions on the creation of an independent supervisory authority were vetoed. Therefore, it is not clear how the LGPD will be enforced. Previously, the Brazilian government had announced that the supervisory authority would be established by a different act, although a bill to this end has not yet been published.
How Relentless Helps
Like the GDPR, the LGPD is an omnibus law. This means that it covers many principles of data protection law, unlike, for example, the California Consumer Privacy Act which focuses on data subject rights. Relentless has identified 24 provisions of the LGPD that contain accountability requirements for which some form of evidence would be required. These 24 provisions map to 43 privacy management activities from the Relentless Privacy Management Maturity Framework. For comparison, the GDPR contains 55 mandatory privacy management activities.
Brazil passed the General Data Protection Law in 2018, and it will come into effect August 2020. This article examines the GDPR vs. the LGPD, how it differs, and what business owners globally need to do to prepare.
Brazil’s Lei Geral de Proteção de Dados (or LGPD) brings sorely needed clarification to the Brazilian legal framework. The LGPD attempts to unify the over 40 different statutes that currently govern personal data, both online and offline, by replacing certain regulations and supplementing others. This unification of previously disparate and oftentimes contradictory regulations is only one similarity it shares with the EU’s General Data Protection Regulation, a document from which it clearly takes inspiration.
Another similarity is that the LGPD applies to any business or organization that processes the personal data of people in Brazil, regardless of where that business or organization itself might be located. So, if your company has any customers or clients in Brazil, you should begin preparing for LGPD compliance. Fortunately, you still have time before the law takes effect. And if you are already GDPR compliant, then you have already done the bulk of the work necessary to comply with the LGPD.
While the LGPD does not have a single definition for personal data, if you read the entirety of the text, you can see echoes of the GDPR’s definition of personal data. The LGPD states in various places that personal data can mean any data that, by itself or combined with other data, could identify a natural person or subject them to a specific treatment. While this definition will likely be clarified as Brazil nears implementation of the LGPD, as currently stated, the LGPD takes a broad view of what data qualifies as personal data, even more expansive than the GDPR.
Data subject rights
Article 18 is another section of the LGPD that will look familiar to businesses that have dealt with GDPR compliance. It explains the nine fundamental rights that data subjects have, which include:
The right to confirmation of the existence of the processing;
The right to access the data;
The right to correct incomplete, inaccurate or out-of-date data;
The right to anonymise, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD;
The right to the portability of data to another service or product provider, by means of an express request
The right to delete personal data processed with the consent of the data subject;
The right to information about public and private entities with which the controller has shared data;
The right to information about the possibility of denying consent and the consequences of such denial; and
The right to revoke consent.
While the GDPR is known for granting its data subjects eight fundamental rights, they are essentially the same rights the LGPD mentions. It seems the LGPD split “The right to information about public and private entities with which the controller has shared data” out of the GDPR’s more general “Right to be informed” to make it more explicit.
Differences between the LGPD and the GDPR
Despite their similar goals and the apparent influence the GDPR had on Brazilian lawmakers, there are some key differences to note between the two pieces of legislation.
Data protection officers
Both acts require businesses and organisations to hire a Data Protection Officer (DPO). However, while the GDPR outlines when a DPO is required, Article 41 in the LGPD simply says, “The controller shall appoint an officer to be in charge of the processing of data,” which suggests that any organization that processes the data of people in Brazil will need to hire a DPO. This is another area that will likely receive further clarification, but as written, it is one of the few areas where the LGPD is more stringent than the GDPR.
Legal basis for processing data
Possibly the most significant difference between the LGPD and the GDPR concerns what qualifies as a legal basis for processing data. The GDPR has six lawful bases for processing, and a data controller must choose one of them as a justification for using a data subject’s information. However, in Article 7, the LGPD lists 10. They are:
With the consent of the data subject;
To comply with a legal or regulatory obligation of the controller;
To execute public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments;
To carry out studies by research entities that ensure, whenever possible, the anonymisation of personal data;
To execute a contract or preliminary procedures related to a contract of which the data subject is a party, at the request of the data subject;
To exercise rights in judicial, administrative or arbitration procedures;
To protect the life or physical safety of the data subject or a third party;
To protect health, in a procedure carried out by health professionals or by health entities;
To fulfil the legitimate interests of the controller or a third party, except when the data subject’s fundamental rights and liberties, which require personal data protection, prevail; or
To protect credit (referring to a credit score).
Having the protection of credit as a legal basis for the processing of data is indeed a substantial departure from the GDPR.
Reporting data breaches
While both the GDPR and the LGPD require organisations to report data breaches to the local data protection authority, the level of specificity varies widely between the two laws. The GDPR is explicit: an organization must report a data breach within 72 hours of its discovery (although different organisations are already testing that deadline).
The LGPD does not give any firm deadline: Article 48 merely states that “the controller must communicate to the national authority and to the data subject the occurrence of a security incident that may create risk or relevant damage to the data subjects… in a reasonable time period, as defined by the national authority.” Since the national data protection agency has not, as yet, been established, there is no guidance for what constitutes a “reasonable time period.”
A regulation is only as strong as its teeth. That is why the maximum GDPR fines are substantial, requiring organisations that commit grave GDPR violations to pay up to €20 million or 4% of annual global revenue, whichever is higher.
The fines under the LGPD are much less severe. Article 52 states that the maximum fine for a violation is “2% of a private legal entity’s, group’s, or conglomerate’s revenue in Brazil, for the prior fiscal year, excluding taxes, up to a total maximum of 50 million reals” (this works out to roughly €11 million). The LGPD fines are in line with GDPR’s fines for less egregious infractions, but €11 million is not going to concern the world’s largest data processors.
This is not an exhaustive overview of the LGPD, but it should reassure business owners that, in most respects, if you have achieved GDPR compliance, you are already well on your way to complying with the LGPD. Data protection laws are beginning to be considered all around the world, from India to the USA. Relentless Privacy and Compliance will be here to help you keep up with the latest developments and assess and attain compliance.
On July 10, 2018, the Brazilian Federal Senate approved a General Data Protection Regulation (“Lei Geral de Proteção de Dados” or “LGPD”). The bill was largely inspired by the European General Data Protection Regulation (“GDPR”). Although several LGPD provisions were vetoed by Brazil’s president in August 2018, a December 2018 executive order reinstated many of the vetoed provisions. Most significantly, the executive order reinstated sections establishing an agency tasked with enforcing Brazil’s data protection laws.
This alert summarises the key provisions of the bill and addresses its applicability to US-based clients.
Territorial Scope and Definition of Personal Data
In a similar way to the GDPR, the LGPD defines “personal data” as any information relating to an identified or identifiable natural person. Additionally, in order to prevent the use of personal data for discriminatory practices, the LGPD establishes additional restrictions applicable to the processing of sensitive data. Article 5, II defines “sensitive data” as any data pertaining to racial or ethnic origin, religious beliefs, political opinions, membership of syndicates or religious, philosophical or political organisations, data relating to health or sexual life, and genetic or biometric data when linked to a natural person.
The LGPD applies broadly to any data processing operation occurring in Brazil, regardless of the location of the entity conducting the operation or holding the data. Further, the LGPD aims to broadly protect personal data, whether obtained by electronic or physical means, or by the public or private sector.
Under the LGPD, there are situations where anonymised data may be considered to be personal data. Specifically, when the anonymisation process to which the data has been submitted is reversible by the use of “reasonable efforts”, the data will be deemed personal data and thus subject to the LGPD rules. Similarly, if anonymised data is used for the purposes of establishing behaviour profiles, the LGPD will also apply.
Consent and Rights of Data Subjects
Article 7 of the LGPD sets forth a limited number of situations where the processing of personal data is allowed. Notably, the LGPD provides that the collection, use or processing of personal data may be conditioned upon first obtaining the explicit consent of the data subject.
Further, consent must be given in writing, in a clear and separate provision from other contractual provisions, or by “any other means that demonstrate the data subject’s consent.” The data processor or controller bears the burden of proof of showing that consent was given according to the terms of the LGPD. Additionally, any generic, blanket authorisation regarding the use of personal data is expressly prohibited. Similarly, data subjects may revoke their consent at any time, making consent a less reliable basis for processing.
The LGPD confers extended rights upon data subjects. Specifically, pursuant to the LGPD, data subjects have the right to access, rectify, cancel or exclude their data. Further, data subjects may also oppose the processing of their data. The LGPD also sets forth a right to data portability, pursuant to which an individual may request a copy of his or her data in a transferable format. Individuals may then opt to transfer their data to other service providers of their choice.
Legal Bases for Processing and Transfer
Similarly to the GDPR, organisations must identify a specific legal basis for any data processing. As mentioned above, the LGPD provides several legal bases in addition to consent, some of the more significant of which include:
Fulfilment of the controller’s legitimate interests, or the legitimate interests of a third party; or
For research purposes, but the personal data should be anonymised.
The LGPD also restricts cross-border transfers. Companies must ensure that personal data receives adequate protection when transferred. Therefore, data transfers are allowed only under a number of circumstances, including if any of the following bases are met, the specifics of which will be further developed by the regulator:
transfers to countries offering adequate protection;
transfers pursuant to specific contractual clauses for a given transfer; standard contractual clauses; and global corporate rules;
where the regulator specifically approves the transfer; or
after obtaining the specific consent of the data subject.
Data Protection Officers (DPO)
The LGPD requires companies to appoint a DPO seemingly without exception. The law also mandates that the DPO perform the following duties: accepting complaints and communications from data subjects; providing explanations and adopting measures; receiving communications from the national authority and adopting new measures; training the entity’s employees and contractors regarding best practices; and carrying out other duties as determined by the controller or set forth in complementary rules. Unlike in the GDPR, the DPO does not have to be a natural person and can be performed by a third party, which means that the DPO role may be outsourced to a third party legal entity or individual. Therefore, entities such as companies or working groups can fulfil the DPO’s responsibilities.
Civil Liability and Administrative Sanctions
Pursuant to the LGPD, the processor and the controller may be held jointly and severally liable for any damage resulting from a violation of the terms of the LGPD. The processor may also be held liable for failure to comply with the controller’s clear and legal instructions.
In addition to civil liability, failure to comply with the LGPD may also result in administrative penalties. Article 52 of the LGPD sets forth a number of penalties, which include warnings, fines, suspension or even prohibition of the activity related to the data processing. Fines are calculated based on a company’s annual net revenue, and are limited to a total amount of fifty million Brazilian reais (R$ 50,000,000), nearly thirteen million dollars (US$ 13,000,000). It must be noted that the fines are applied separately to each violation, resulting in a significant risk to data controllers and processors in the event of non-compliance.
The National Data Protection Authority
Article 55 of the LGPD establishes the creation of an independent federal agency named Autoridade Nacional de Proteção de Dados (“ANPD”). The ANPD will be responsible for the regulation of all matters related to data protection and for monitoring and enforcing the LGPD. Although initially vetoed by the Brazilian President, the ANPD was reinstated by executive order in December 2018. However, in order to remain effective, that executive order must be converted into law by the Brazilian congress in 2019. The ANPD does not have the power to audit companies, but may request information pursuant to an investigation.
The LGPD will come into effect 24 months following the original publication of the law. Therefore, enforcement is now set to begin in February 2020. Accordingly, US-based clients with operations in Brazil must plan to comply with the new regulation. Initial compliance steps include:
Identify to which data the LGPD applies;
Establish and document legal bases for processing;
Review data subject rights and establish processes for meeting those rights, including data subject requests;
Establish and document legal bases for international data transfers; and
Appoint a data protection officer.
Relentless Global Privacy Services have you covered