Brazil’s New Data Protection Law: The LGPD
On July 10, 2018, the Brazilian Federal Senate approved a General Data Protection Regulation (“Lei Geral de Proteção de Dados” or “LGPD”). The bill, was largely inspired by the European General Data Protection Regulation (“GDPR”). Although several LGPD provisions were vetoed by Brazil’s president in August 2018, a December 2018 executive order reinstated many of the vetoed provisions. Most significantly, the executive order reinstated sections establishing an agency tasked with enforcing Brazil’s data protection laws.
This alert summarises the key provisions of the bill and addresses its applicability to US-based clients.
Territorial Scope and Definition of Personal Data
In a similar way to the GDPR, the LGPD defines “personal data” as any information relating to an identified or identifiable natural person. Additionally, in order to prevent the use of personal data for discriminatory practices, the LGPD establishes additional restrictions applicable to the processing of sensitive data. Article 5, II defines “sensitive data” as any data pertaining to racial or ethnic origin, religious beliefs, political opinions, membership of syndicates or religious, philosophical or political organisations, data relating to health or sexual life, and genetic or bio-metric data when linked to a natural person.
The LGPD applies broadly to any data processing operation occurring in Brazil, regardless of the location of the entity conducting the operation or holding the data. Further, the LGPD aims to broadly protect personal data, whether obtained by electronic or physical means, or by the public or private sector.
Under the LGPD, there are situations where anonymised data may be considered to be personal data. Specifically, when the anonymisation process to which the data has been submitted is reversible by the use of “reasonable efforts”, the data will be deemed personal data and thus subject to the LGPD rules. Similarly, if anonymised data is used for the purposes of establishing behaviour profiles, the LGPD will also apply.
Consent and Rights of Data Subjects
Article 7 of the LGPD sets forth a limited number of situations where the processing of personal data is allowed. Notably, the LGPD provides that the collection, use or processing of personal data may be conditioned upon first obtaining the explicit consent of the data subject.
Further, consent must be given in writing, in a clear and separate provision from other contractual provisions, or by “any other means that demonstrate the data subject’s consent.” The data processor or controller bears the burden of proof of showing that consent was given according to the terms of the LGPD.Additionally, any generic, blanket authorisation regarding the use of personal data is expressly prohibited. Similarly, data subjects may revoke their consent at any time, making consent a less reliable basis for processing.
The LGPD confers extended rights upon data subjects. Specifically, pursuant to the LGPD, data subjects have the right to access, rectify, cancel or exclude their data. Further, data subjects may also oppose the processing of their data. The LGPD also sets forth a right to data portability, pursuant to which an individual may request a copy of his or her data in a transferable format. Individuals may then opt to transfer their data to other service providers of their choice.
Legal Bases for Processing and Transfer
Similarly to the GDPR, organisations must identify a specific legal basis for any data processing. As mentioned above, the LGPD provides several legal bases in addition to consent, some of the more significant of which include:
- Performance of a contract;
- Fulfilment a legal or regulatory obligation;
- Fulfilment the controller’s legitimate interests, or the legitimate interests of a third party; or
- For research purposes, but the personal data should be anonymised.
The LGPD also restricts cross border transfers. Companies must ensure that personal data receives adequate protection when transferred. Therefore, data transfers are allowed under a number of circumstances, including if any of the following bases are met, the specifics of which will be further developed by the regulator:
- transfers to countries offering adequate protection;
- transfers pursuant to specific contractual clauses for a given transfer; standard contractual clauses; and global corporate rules;
- where the regulator specifically approves the transfer; or
- after obtaining the specific consent of the data subject.
Data Protection Officers (DPO)
The LGPD requires companies to appoint a DPO seemingly without exception. The law also mandates that the DPO perform the following duties: accepting complaints and communications from data subjects; providing explanations and adopting measures; receiving communications from the national authority and adopting new measures; training the entity’s employees and contractors regarding best practices; and carrying out other duties as determined by the controller or set forth in complementary rules. Unlike in the GDPR, the DPO does not have to be a natural person and can be performed by a third party, which means that the DPO role may be outsourced to a third party legal entity or individual. Therefore, entities such as companies or working groups can fulfil the DPO’s responsibilities.
Civil Liability and Administrative Sanctions
Pursuant to the LGPD, the processor and the controller may be held jointly and severally liable for any damage resulting from a violation of the terms of the LGPD. The processor may also be held liable for failure to comply with the controller’s clear and legal instructions.
In addition to civil liability, failure to comply with the LGPD may also result in administrative penalties. Article 52 of the LGPD sets forth a number of penalties, which include warnings, fines, suspension or even prohibition of the activity related to the data processing. Fines are calculated based on a company’s annual net revenue, and are limited to a total amount of fifty million Brazilian reais (R$ 50,000,000), nearly thirteen million dollars (US$ 13,000,000). It must be noted that the fines are applied separately to each violation, resulting in a significant risk to data controllers and processors in the event of non-compliance.
The National Data Protection Authority
Article 55 of the LGPD establishes the creation of an independent federal agency named Autoridade Nacional de Proteção de Dados (“ANPD”). The ANPD will be responsible for the regulation of all matters related to data protection and for monitoring and enforcing the LGPD. Although initially vetoed by the Brazilian President, the ANPD was reinstated by executive order in December 2018. However, in order to remain effective, that executive order must be converted into law by the Brazilian congress in 2019. The ANPD does not have the power to audit companies, but may request information pursuant to an investigation.
The LGPD will come into effect 24 months following the original publication of the law.Therefore, enforcement is now set to begin in February 2020. Accordingly, US-based clients with operations in Brazil must plan to comply with the new regulation. Initial compliance steps include:
- Identify to which data the LGPD applies;
- Establish and document legal bases for processing;
- Review data subject rights and establish processes for meeting those rights, including data subject requests;
- Establish and document legal bases for international data transfers; and
- Appoint a data protection officer.