In August, 2018, just three months after the European Union’s General Data Protection Regulation (GDPR) became law, another new legal framework governing the use of personal data was approved.
6,000 miles from Brussels, with a population of more than 212 million, Brazil is considered to be the most populated country in the world to have a national data protection law.
The country’s new privacy law, Lei Geral de Proteção de Dados (LGPD) began its legislative process in 2010. At that time Brazil already had more than 40 legally binding regulations governing privacy and personal data in a sector-based system. However, the LGPD will replace and/or supplement the sectoral regulatory framework, which was often criticised for being considered conflictive and devoid of legal certainty. In an increasingly data-driven society, this hampered the country’s efforts to be competitive on the world stage.
After 8 years of internal debate and some 18 adaptations, the LGPD replaces Brazil’s previous patchwork of sector-specific regulations, and creates a new legal framework for the use of personal data, both online and offline. The unification of previously disparate regulations is just one similarity the LGPD shares with the GDPR, from which it clearly takes inspiration.
Another similarity is in respect to the LGPD’s reach. The new law applies to any business or organization that collects and/or processes the personal data of individuals residing in Brazil, irrespective of the location of that business or organization. To be clear, any organization that has customers in Brazil will be required to comply with the LGPD.
Companies with experience of achieving compliance with the GDPR have an advantage, as they will already have done most of the work required to comply with the LGPD.
While the new law comes into effect in February of this year, the compliance period has been extended to August 15, 2020. This gives businesses that are not yet compliant a much needed ‘period of grace’ before the LGPD is enforced.
New Rights for Residents of Brazil
Like most other privacy laws, Brazil’s LGPD aims to guarantee new rights to the country’s residents. Brazilians’ basic rights, which are expanded under the new law, must be guaranteed in an accessible and effective manner.
It will also foster technology and economic development through “clear and comprehensive regulations for the adequate use of personal data”. This nation-wide data protection law is expected to enable Brazil to join more than 120 countries that are considered to have appropriate levels of privacy protection for the use of personal data.
Article 18 of the LGPD will undoubtedly appear familiar to organizations that have achieved compliance with the GDPR. There are nine basic rights afforded to data subjects, including:
the right to information (confirming the existence and extent of the data processing);
the right of access to data;
the right of data rectification related to incomplete, inaccurate or outdated data;
the right of anonymization, blocking or elimination of excessive or unlawfully processed data;
the right of data portability from one controller to another;
the right of elimination of data processed with the data subject’s consent;
the right to be informed which recipients did the controller share the data with;
the right to be informed of the possibility of refusing a consent and the related consequences; and
the right to request a review of decisions taken solely on the basis of automated personal data processing that affect the data subject in certain ways.
Personal Data: Concepts and Definitions
The LGPD has a broad concept of what it defines as ‘Personal Data’ relating to an identifiable natural person. Any data, whether in isolation or aggregated to other data, that can be used to identify a natural person or subject them to a certain behaviour.
We are living in the age of ‘Big Data’ that allows the interrelationship of large, structured and unstructured data sources. It is now possible for almost any data to eventually be considered personal. Therefore it is subject to data privacy laws.
Sensitive personal data
Sensitive Data is a sub-category of Personal Data within the LGPD and is defined as data that may subject the data subject to discriminatory practices. Such types of data include:
racial or ethnic origin;
religious beliefs or political opinions;
trade union or religious, philosophical or political organization membership
data concerning health or sex life; or
data that allows unequivocally and persistent identification of the data subject, such as:
genetic data (with both facets, discrimination and identification);
Such data should be treated in a differentiated manner, with additional security layers, and with different legal bases, such as the express consent of the data subject.
Anonymized data is defined as personal data that cannot be identified considering the use of reasonable time, cost and technical means available. In this case, anonymized data would be considered outside the scope of the LGPD, unless the anonymization process can be reversed, or if the data is used purely for the purposes of behavior profiling. Anonymized data is essentially used for technologies within the scope of the internet of things, machine learning, artificial intelligence, development of smart cities and large behavioral analyses.
There has been much discussion concerning limitation of the use of publicly accessible personal data, such as information stored in databases administered by local authorities, official publications and public records —or those expressly made public by the data subjects themselves, such as personal profiles on social media platforms.
The LGPD deals with these situations by treating them in different ways, and imposing limitations, such as limiting their use to the specific purposes that led to the disclosure of the publicly accessible personal data.
Who does the LGPD apply to?
Article 3 of the LGPD makes it clear that the law applies to:
Data processing within the territory of Brazil;
Data processing of individuals who are within the territory of Brazil, regardless of where in the world the data processor is located; and
Data processing of data collected in Brazil
This means the LGPD provides protection not only for Brazilian citizens, but any individual whose data has been collected or processed while in Brazil.
Covered organizations are required to document all processing of personal data, from collection to deletion, and provide a full description of what data is collected, as well as the purpose of collection and processing, data retention times and who the data is shared with. Liability for non-compliance and data security incident can lie jointly or separately with data controllers or processors.
The LGPD does not apply in cases where:
personal data is processed by a person strictly for personal purposes;
personal data is used exclusively for journalistic, artistic, literary or academic purposes; or if
personal data is exclusively used for national security, national defense, public safety, criminal investigations or punishment activities.
Legal Basis for Processing
When collecting and processing personal data, covered organizations are required to establish a specific legal basis. The LGPD lists ten precedents that authorize the use of personal data —four more than the six provided under the EU’s GDPR.
The 10 legal bases in the LGPD (Article 7) for the lawful processing of personal data are:
With the consent of the data subject,
To comply with a legal or regulatory obligation of the controller,
To execute public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments,
To carry out studies by research entities that ensure, whenever possible, the anonymization of personal data,
To execute a contract or preliminary procedures related to a contract of which the data subject is a party,
To exercise rights judicial, administrative or arbitration procedures,
To protect the life or physical safety of the data subject or a third party,’
To protect health, in a procedure carried out by health professionals or by health entities,
To fulfill the legitimate interests of the controller or a third party, except when the data subject’s fundamental rights and liberties which require personal data protection prevail,
To protect credit.
It is notable that Consent is number 1 on the list of the LGPD’s lawful bases for processing. For many businesses this is particularly important due to its implications for how websites are allowed to set cookies, process user data and share that data with third parties.
Article 8 of the LGPD is very clear that consent must be explicit and not obtained through “generic authorization”. In simple terms; the consent given must refer to a particular purpose.
This means that companies and the websites they operate must first obtain the specific, unambiguous consent of the data subject before any processing of personal data is permitted to take place.
Furthermore, data subjects must be able to withdraw their consent at any time and must do so “in writing or by other means”, For example, a consent banner on a website.
When processing personal data, company, organization or website must present a specific legal basis.
The legal basis known as “legitimate interest,” —#9 on the list, was absent from Brazil’s previous data protection legislation. This provides for the use of personal data for purposes other than those originally authorized by data subjects, or those that preceded the disclosure of the data.
Legitimate interest is explained in Article 10 of the LGPD. Similar to legitimate interest provided under the GDPR, data controllers are required to identify the specific activities for which they process personal data. They must also disclose the way data subjects’ rights are protected.
Data controllers’ must ensure that data subjects are fully aware that their personal data will be processed, i.e. there must be a reasonable expectation of data processing on te part of the data subject. Data controllers are required to demonstrate a level of transparency, and the supervisory authority can request that a Privacy Impact Assessment (PIA) be performed when a data controller is relying upon legitimate interest.
ANPD: Brazil’s Data Protection Authority
The final version of the LGPD, sanctioned by Brazil’s president Jair Bolsonaro in July 2019, established a new data protection authority, formally known as Autoridade Nacional de Proteção de Dados (ANPD).
The core objectives of the ANPD are to establish technical standards, educate about the LGPD and its correct applications, supervise and audit, respond to notifications of data breaches and enforce the law’s sanctions.
The ANPD is directly tied to the Office of the Presidency and has two bodies —the Board of Directors, which consists of 5 members with knowledge and expertise in privacy and data protection, and the National Council, an advisory board of 23 members representing government, civil society, research institutions and the private sector.
Cross-Border Data Transfers
Just like the GDPR, the LGPD requires that personal data may only be transferred:
to counties the ANPD has deemed as having an acceptable level of data protection; or
in situations where ANPD sanctioned mechanisms, such as standard contract clauses, are present
The LGPD introduces a number of measures that allow for the cross-border transfer of personal data. Interestingly, data transfer recipients can even include countries that are not considered to have an adequate level of protection. The new law makes it possible to transfer data across borders based on the express consent of the data subject, which must be given in-advance and separate from other purposes and requisitions of consent.
Data may also be transferred if a guarantee is given by the data controller, through contractual agreements and standard clauses, that it will comply with the principles, data subject rights and the data protection regime provided by law.
Similar to the GDPR, Brazil’s law allows for transfer via the adoption of seals, certificates and codes of conduct issued and authorized by the ANPD.
Enforcement and Penalties for non-compliance
Violations of the LGPD can result in a fine of up to 2 percent of the offending company’s annual turnover, with a maximum of 50 million Real (US$ 12.25 million or €11 million). The ANPD can also include in the enforcement notice an order to block or delete the data relating to the violation. In certain cases the ANPD may issue a warning.
Unlike the GDPR, Brazil’s new law is rather vague when it comes to notifications. LGPD Article 48 states that a breach notification must be submitted “within a reasonable time, to be defined by the national authority.”
The notice must contain, at the very least, the following information:
Description of the nature of the affected personal data
Information regarding the data subjects involved
Indication of the security measures used
The risks generated by the incident
The reasons for delay of communication (if any)
The measures that were or will be adopted
The ANDP will verify the seriousness of the breach and, if necessary to safeguard the data subject’s rights, may order the data controller to adopt measures, to reverse or mitigate the effects of the breach.
There is no doubt that the LGPD provides a complete new legal framework for data protection that goes way beyond Brazil’s previous sector-based legislation. The new law includes provisions for all data collection and processing affecting the country’s residents, and could very well reach an adequacy decision with the European Union, based on the LGPD’s close similarity with the GDPR.
New data protection laws are always bound to hit business communities with the financial cost and resources required to achieve compliance. However, there is some good news…
Companies and organizations that have already done the work required to comply withthe GDPR are more than likely to be already operating in a manner that is compliant with LGPD as well.
That said, affected companies should consult their own data privacy practitioner and legal counsel prior to August 16, 2020 in order to be confident of their compliance with Brazil’s new law.
NOTE: This article is provided for informational purposes only and does not constitute legal or professional advice. The Data Privacy Group recommends that businesses engage the services of an experience data privacy/data protection practitioner as well as legal counsel, when preparing for compliance with data protection and privacy laws.