Following a year of uncertainty regarding the date of implementation, Brazil’s General Data Protection Law has officially come into effect. Although Brazil is no stranger to sectoral privacy laws and already had more than 40 laws and norms at the federal level, the LGPD is the country’s first law to provide a comprehensive framework regulating the use and processing of all personal data.

Greatly influenced by the EU General Data Protection Regulation, the LGPD will be familiar to those who have worked with the GDPR (the IAPP published a GDPR matchup with the LGPD here). Comprising 65 articles, the law sets forth the Brazilian conception of personal data and provides the legal bases authorizing its use. In line with past coverage from the IAPP, here is an update and recap of what is in this comprehensive law. 

To whom does the LGPD apply?

Scope

Unlike its predecessors, such as the GDPR and California Consumer Privacy Act, the LGPD’s applicability is not limited only to businesses and organizations above a particular size. Rather, the law is applicable to businesses of all sizes and provides exceptions only in a few enumerated instances, such as where data are collected exclusively for journalistic, artistic and academic purposes, or public safety and national defense.

Jurisdiction

Furthermore, as does the GDPR, the LGPD provides for extraterritorial jurisdiction. Under Article 3, a personal data processor is subject to the law when the data are either collected or processed within Brazil or the data is processed for the purpose of offering goods or services to individuals in Brazil. Accordingly, so long as one of these conditions is met, the nation in which the company is headquartered is irrelevant, and the LGPD is fully applicable.

What type of data is protected?             

Personal data

At the core of any data protection law is the definition assigned to each key term. Among the most important of these is the definition of "personal data." Under the LGPD, personal data is defined broadly in that it encompasses any information regarding any identified or identifiable natural person. The key attribute of this definition is that it includes identifiable data. Thus, not only does the definition encompass data that can actually identify an individual independently, but it also includes any data that can be aggregated to another to identify the individual. Given the rapid development of big data, under this definition of personal data, effectively any data can be categorized as personal data.

Sensitive personal data

The LGPD also includes additional provisions specifically applicable to sensitive personal data that are considered particularly susceptible to discriminatory practices. Under the LGPD, where related to a natural person, this type of data includes personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, health or sex life, and genetic or biometric data. Given the delicate nature of this data, such data may only be processed in limited circumstances enumerated in Article 11.

Compliance

Finally, and perhaps of most interest to privacy professionals, the LGPD compliance requirements are based in the desire to support the Brazilian general principles of data protection, as well as to protect the individual rights outlined in the law.

Rights

Article 18 of the LGPD lays out the rights and holds they are exercisable by individuals and requires they be provided in an accessible manner. These rights are:

  1. Confirmation of the existence of the processing.
  2. Access to the data.
  3. Correction of incomplete, inaccurate or out-of-date data.
  4. Anonymization, blocking or deletion of unnecessary or excessive data or data processed in noncompliance with the provisions of this law.
  5. Portability of the data to another service or product provider, by means of an express request and subject to commercial and industrial secrecy, pursuant to the regulation of the controlling agency.
  6. Deletion of personal data processed with the consent of the data subject, except in the situations provided in Article 16 of this law.
  7. Information about public and private entities with which the controller has shared data.
  8. Information about the possibility of denying consent and the consequences of such denial.
  9. Revocation of consent.

Of note is the fact that while many of these rights have been seen in the data protection legal sphere before, the LGPD expands upon the familiar “right to be informed” (previously seen in the GDPR). It does so by splitting the “right to be informed” into both the right to be informed as to the entities with which data is shared and the separate right to be informed as to what will happen if they refuse to consent. While this distinction appears minor, this right provides individuals with greater transparency and understanding of the impact of their choices.

General principles

The desire to provide increased transparency is in line with the general principles of the LGPD. Outlined in Article 6, the law lays out 10 principles that should be considered when processing personal data. Ultimately, the extent of such consideration will assist the Brazilian data protection authority, Autoridade Nacional de Proteção de Dados, in determining whether a company complies with the law. These general principles are purpose, suitability, necessity, free access, quality of the data, transparency, security, prevention, non-discrimination and accountability.

Grounds for processing and consent

Another way to monitor compliance with the law is by examining an organization’s stated grounds for processing. Much like the GDPR, the LGPD restricts data processing to scenarios in which a company can point to an enumerated category of processing as set forth in its text. The most popular and straightforward of these categories requires the organization to obtain the valid consent of the data subject. To obtain such consent, Article 9 of the LGPD states that consent forms must be clear and include the purpose of processing, duration of processing, identity of the data controller, entities to whom the data will be disclosed and rights of the data subject, including their right to deny consent.

In the absence of valid consent, the law permits data processing in limited scenarios, including when processing is necessary to fulfill the legitimate interests of the controller. One important thing to note here is that where the controller is basing its grounds for processing on its own legitimate interests, that interest is subject to a balancing test against the data subject’s fundamental rights, in which those rights may ultimately outweigh the legitimate interests articulated.

National DPA

Eventually, Brazil's ANPD will be responsible for conducting the aforementioned balancing test, as well as overseeing all compliance. However, following an issue with the LGPD’s legislative process, Brazilian President Jair Bolsonaro vetoed the initial provision of the LGPD that created a national authority. As a result, the ANPD was not officially established until the passage of Executive Order no. 869/18. Considering this delay, the ANPD is not yet fully operational.

However, once up and running, the ANPD will be responsible for both enforcement, as well as providing vital guidance to companies regarding interpretation and compliance. Ultimately, until the ANPD is fully functional and provides interpretive guidance, there is still much that we don’t know about LGPD enforcement. Until then (and likely for some time after), we are left to comb through the law and attempt to piece together a workable picture of what is required of organizations to comply.

DPO

One last and important aspect of the LGPD critical for compliance is its requirements for a data protection officer. Unlike previous data protection laws we’ve seen in the international sphere, Executive Order no. 869/18 indicates the DPO required for each organization need not be a natural person. Rather, companies, committees or other internal groups are able to serve as DPOs. Alternatively, an organization may even outsource the position to a third party, such as a specialized company or law firm.

Ultimately, the LGPD will affect organizations doing business in Brazil in a way none of the previous 40 Brazilian privacy laws and norms have. In light of today’s digital economy and the perpetually expanding use of personal data, companies in all sectors are going to have to adjust and adapt their data collection practices to Brazil’s LGPD.

Photo by Mateus Campos Felipe on Unsplash