Following a year of uncertainty regarding the 40 laws and norms at the federal level, the LGPD is the country’s first law to provide a comprehensive framework regulating the use and processing of all personal data.
Greatly influenced by the EU General Data Protection Regulation, the LGPD will be familiar to those who have worked with the GDPR. Building on the IAPP's past coverage, here is an update and recap of what is in this comprehensive law.
To whom does the LGPD apply?
Scope
Unlike its predecessors, such as the GDPR and California Consumer Privacy Act, the LGPD’s applicability is not limited only to businesses and organizations above a particular size. Rather, the law is applicable to businesses of all sizes and provides exceptions only in a few enumerated instances, such as where data are collected exclusively for journalistic, artistic and academic purposes, or public safety and national defense.
Jurisdiction
Furthermore, as does the GDPR, the LGPD provides for extraterritorial jurisdiction. Under Article 3, a personal data processor is subject to the law when the data are either collected or processed within Brazil or the data are processed for the purpose of offering goods or services to individuals in Brazil. Accordingly, so long as one of these conditions is met, the nation in which the company is headquartered is irrelevant, and the LGPD is fully applicable.
What type of data is protected?
Personal data
At the core of any data protection law is the definition assigned to each key term. Among the most important of these is the definition of "personal data." Under the LGPD, personal data is defined broadly in that it encompasses any information regarding any identified or identifiable natural person. The key attribute of this definition is that it includes identifiable data. Thus, not only does the definition encompass data that can actually identify an individual independently, but it previously seen in the GDPR). It does so by splitting the “right to be informed” into both the right to be informed as to the entities with which data is shared and the separate right to be informed as to what will happen if they refuse to consent. While this distinction appears minor, this right provides individuals with greater transparency and understanding of the impact of their choices.
General principles
The desire to provide increased transparency is in line with the general principles of the LGPD. Outlined in Article 6, the law lays out 10 principles that should be considered when processing personal data. Ultimately, the extent of such consideration will assist the Brazilian data protection authority, Autoridade Nacional de Proteção de Dados, in determining whether a company complies with the law. These general principles are purpose, suitability, necessity, free access, quality of the data, transparency, security, prevention, non-discrimination and accountability.
Grounds for processing and consent
Another way to monitor compliance with the law is by examining an organization’s stated grounds for processing. Much like the GDPR, the LGPD restricts data processing to scenarios in which a company can point to an enumerated category of processing as set forth in its text. The most popular and straightforward of these categories requires the organization to obtain the valid consent of the data subject. To obtain such consent, Article 9 of the LGPD states that consent forms must be clear and include the purpose of processing, duration of processing, identity of the data controller, entities to whom the data will be disclosed and rights of the data subject, including their right to deny consent.
In the absence of valid consent, the law permits data processing in limited scenarios, including when processing is necessary to fulfill the legitimate interests of the controller. One important thing to note here is that where the controller is basing its grounds for processing on its own legitimate interests, that interest is subject to a balancing test against the data subject’s fundamental rights, in which those rights may ultimately outweigh the legitimate interests articulated.
National DPA
Eventually, Brazil's ANPD will be responsible for conducting the aforementioned balancing test, as well as overseeing all compliance. However, following an issue with the LGPD’s legislative process, Brazilian President Jair Bolsonaro vetoed the initial provision of the LGPD that created a national authority. As a result, the ANPD was not officially established until the passage of Executive Order no. 869/18. Considering this delay, the ANPD is not yet fully operational.
However, once up and running, the ANPD will be responsible both for enforcement and for providing vital guidance to companies regarding interpretation and compliance. Ultimately, until the ANPD is fully functional and provides interpretive guidance, there is still much that we don’t know about LGPD enforcement. Until then (and likely for some time after), we are left to comb through the law and attempt to piece together a workable picture of what is required of organizations to comply.
DPO
One last and important aspect of the LGPD critical for compliance is its requirements for a data protection officer. Unlike previous data protection laws we’ve seen in the international sphere, Executive Order no. 869/18 indicates the DPO required for each organization need not be a natural person. Rather, companies, committees or other internal groups are able to serve as DPOs. Alternatively, an organization may even outsource the position to a third party, such as a specialized company or law firm.
Ultimately, the LGPD will affect organizations doing business in Brazil in a way none of the previous 40 Brazilian privacy laws and norms have. In light of today’s digital economy and the perpetually expanding use of personal data, companies in all sectors are going to have to adjust and adapt their data collection practices to Brazil’s LGPD.