Collecting and processing consumer data is a new requirement for businesses to succeed. However, to collect and use this data for business operations, organizations must adhere to a growing list of data protection regulations. Brazil has recently enacted its data protection regulation, the General Data Protection Law (LGPD), which became effective in 2020.
There are significant similarities between Brazil’s LGPD and the GDPR, as well as some key differences that businesses serving Brazilian citizens, or doing business in Brazil, should be aware of.
This blog will compare Brazil’s LGPD and the GDPR, with an emphasis on the distinguishing characteristics of Brazil’s new data privacy law. For a more in-depth understanding of the EU’s GDPR, check out our GDPR Compliance Guide Ebook.
LGPD | Historical Basis for Brazil’s Data Privacy Law
Before passing the LGPD, Brazil had over 40 different statutes governing personal data. Conforming to so many different laws and regulations was a compliance nightmare for businesses. Brazil’s LGPD is a big and effective step to unify these varied legal schemes and provide needed clarity to the Brazilian data privacy law framework. The process of consolidating different—and sometimes contradictory—regulatory schemes is never easy, but Brazil’s LGPD does a nice job of it.
LGPD and GDPR Compared
Applicability
Jurisdiction
LGPD, like GDPR, has extraterritorial jurisdiction. That is, processors of personal data are subject to the law when the data is processed within Brazil, collected within Brazil, or processed for the purpose of offering goods or services to individuals in Brazil. If any of these conditions is met, the LGPD is fully applicable.
Scope
Both regulations have few exceptions and apply to nearly all controllers and processors of personal data. However, LGPD exempts certain data collected in the general interest of the public, such as information used for journalistic, academic, public safety, or national defense purposes.
Types of Data Protected
Personal Data
Brazil’s data protection law doesn’t provide a single definition of “personal data,” though it takes direction from the GDPR’s definition of it as any information “related to an identified or identifiable natural person.” Instead, it states on several occasions that personal data can mean “any data that, by itself or combined with other data, could identify a natural person or subject them to a specific treatment.” This is an even broader view of personal data than the GDPR’s.
Sensitive Personal Data
The LGPD includes provisions specific to “sensitive personal data,” which is considered susceptible to discriminatory practices. The LGPD places in this category personal data revealing racial or ethnic origin, religious belief, political opinion, membership in a trade union or in a religious, philosophical, or political organization, data concerning health or sex life, and genetic or biometric data.
Unlike in the GDPR, “sensitive personal data” must actually relate to an individual. Due to the sensitive nature of this data, it may be processed only in limited circumstances.
Compliance
The Rights of Data Subjects
Organizations that have dealt with GDPR compliance will see strong similarities regarding the fundamental rights data subjects have. They are all practically the same, though there are nine fundamental rights under LGPD while the GDPR has eight. It appears the LGPD simply broke out “The right to information about public and private entities with which the controller has shared data” from the GDPR’s broader “Right to be Informed” in order to be more explicit.
1. The right to confirmation of the existence of the processing.
2. The right to access the data.
3. The right to correct incomplete, inaccurate, or out-of-date data.
4. The right to anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD.
5. The right to move or duplicate data to or in another service or product provider by means of an express request.
6. The right to delete personal data processed with the consent of the data subject.
7. The right to information about public and private entities with which the controller has shared data.
8. The right to information about the possibility of denying consent and the consequences of such denial.
9. The right to revoke consent.
Grounds for Processing and Consent
Like GDPR, the LGPD restricts data processing to specific scenarios in which an organization can demonstrate a legal basis for the desired processing. An example of such a legal basis is the valid consent of a data subject. To obtain consent, the LGPD requires that consent forms be clear and include the “particular purpose” of the processing, the duration of the processing, the identity of the data controller, the entities to whom the data will be disclosed, and the rights of the data subject, including the right to deny and revoke consent. For categories of special data, consent must be specific, listing the reason for processing and other particulars. The “legitimate interest of the controller” is never a “legal basis” for categories of special data.
If valid consent is not obtained, the LGPD permits data processing only in limited scenarios, such as when processing is necessary to fulfill the legitimate interests of the controller. However, processing based on the controller’s own interests can be overridden by the data subject’s fundamental rights.
There are three bases available for processing “personal data” that cannot be used to process “sensitive personal data.” These are: the pursuit of the controller’s legitimate interests; protecting credit; and, at the data subject’s request, executing contracts to which the data subject is a party. Interestingly, “prevention of fraud” is one legal basis for processing “sensitive personal data” that is not available for personal data. Thus, while consent can serve as the legal basis for processing both types of personal data, consent may only be used as a legal basis for processing “sensitive personal data” where it is given for a “specific purpose” and the terms themselves are “distinct and specific.”
Cross-Border Data Transfers
The Brazilian Data Protection Authority is the Autoridade Nacional de Proteção de Dados (ANPD). Its members are political appointees and therefore presumed not independent. Accordingly, its level of protection of personal data will likely be found inadequate under GDPR standards.
Data Protection Officers
Another critical piece of LGPD compliance is the requirement for a data protection officer (DPO) for every controller, including both public and private entities, that processes personal data (note the omission of processors). Apart from the GDPR, this requirement is unique among international data protection laws. A DPO need not be a natural person. Instead, companies, committees, or other internal groups can serve as DPOs. Organizations may also outsource the position to external companies or firms.
Enforcement
The National Data Protection Authority, once established, will have this responsibility. However, enforcement sanctions are effective only after Aug. 1, 2021.
The Future of Privacy Laws
As the use of personal data expands, the requirements of new regulations will be the norm, not the exception. Add the LGPD to a growing list of these data protection regulations to which organizations operating internationally will have to adapt.
TokenEx has existing customers in Brazil and is thus both familiar and compliant with Brazil’s new data regulation. TokenEx can assist organizations in complying with their data protection obligations worldwide by de-identifying sensitive data and removing it from an organization’s internal systems. As a result, organizations utilizing TokenEx tokenization protocols reduce risk and simplify compliance while better positioning their organizations to anticipate and respond to current and future regulatory standards.