In this Privacy Tracker series, we look at laws from across the globe and match them up against the EU General Data Protection Regulation. The aim is to help you determine how much duplication of operational effort you might avoid as you work to comply with multiple privacy and data protection laws worldwide and help you focus your efforts. In this installment, Bruno Bioni, Maria Cecília Oliveira Gomes and Renato Leite Monteiro, CIPP/E, CIPM, compare Brazil's General Data Protection Law, or LGPD, and the GDPR.

In August, Brazil approved a bill that comprehensively regulates data protection. The General Data Protection Law, federal law 13.709/2018, received the LGPD acronym in Portuguese. The law will enter into force in February 2020. 

First of all, it is important to highlight that LGPD has a different normative technique when compared to the GDPR. The Brazilian law is less prescriptive and has no recitals as guidelines to interpret the legal text.

Scope of the law

Personal data vs. anonymized and pseudonymized data

In the same way as the GDPR, LGPD has established that anonymous data falls outside the scope of the law. Both laws have employed the same criteria: to set forth whether information can no longer be attributed to a natural person and, therefore, cannot make a person identifiable: Reasonable means. There is a high level of convergence between the two regulations, since they prescribe the same objective factors to ascertain what to be reasonable means: cost, time and the available technology.

On the other hand, the LGPD left room to consider subjective factors to conclude if a data subject is no longer identifiable. The Brazilian law explicitly sets forth that the “uses of own resources”— without specifying if those resources are of the controllers or processors — should be taken into account to verify if the anonymization process is reversible and, therefore, such anonymous data could fall within the scope of the law. As a consequence, the Brazilian law may also consider the computational power of specific controllers or processors to determine if a data subject is identifiable, which is very relevant in the scenario of data monopolies.

In contrast to the GDPR, LGPD does not differentiate anonymous data from pseudonymous data. If the conceptual difference between such categories is related to reasonable risks of re-identification of the data subject, the Brazilian law does not relax legal obligations for controllers that employ pseudonymisation techniques when compared to the EU regulation. However, LGPD refers so many times to anonymization procedures that it may be possible to interpret these as tools to reduce the risks to data subjects, which, ultimately, could lead to very similar normative results when contrasting the regulations.

Anonymous data and profiling

Similar to the GDPR, LGPD calibrates several legal obligations depending upon what is at stake, e.g., automated decision making. However, different from the EU regulation, the Brazilian law has a specific provision by which anonymous data may fall within the scope of the law if it is used to evaluate certain aspects of a natural person (e.g, price discrimination methodologies).

In few words, LGPD’s normative rationality focuses on how data processing may impact the lives of data subjects, instead of only considering if the anonymized data is reasonably reversible. This has been called a consequentialist approach of personal data concept, which protects the “free personality development” of data subjects — one of the foundations of the Brazilian Law — regardless if the data processing involves anonymous data.

Lawful legal basis

Quantitative analysis: An overview

One of the main points of consideration when it comes to comparing the GDPR with its Brazilian equivalent is the comparison of the pillars of both laws: their legal bases. In the GDPR there are six. In the LGPD, regardless of the fact that its basis is the text of the GDPR, four more were also agreed upon, thus reaching ten legal bases, which are: (i) consent; (ii) legal obligation; (iii) implementation of public policies by the public administration; (iv) research by public study entities; (v) contractual performance; (vi) exercise of rights in legal proceedings; (vii) life protection; (viii) health protection; (ix) legitimate interest; and (x) protection to credit.

It should be noted, therefore, in the Brazilian legislation, there are more legal authorizations for data processing, making it possible to interpret the LGPD as more flexible and less restrictive than GDPR in relation to the processing of personal data.

In Brazil, the term jabuticaba (a Brazilian fruit) is used to express things that only exist there. To the best of our knowledge, the Brazilian law is the first to contain a specific hypothesis for the protection of credit. In the GDPR, protection of credit may rely on legitimate interest as a legal basis. Its inclusion occurred in the context that Brazil is also currently discussing the reform of one of the laws that regulates credit scoring, the Positive Credit History Law (Law n. 12.414/2011) .

In such sense, there are significant adjustments in the context of legal bases between the laws, making this aspect one of the main differentials.

Consent

There is a high level of convergence between GDPR and LGPD by qualifying consent as freely given, informed and unambiguous indication of the data subjects’ agreement for processing data as a general rule. On the other hand, LGPD diverges from GDPR by using the adjective "specific" instead of "explicit" as an additional criteria for a valid consent in specific situations: sensitive data and international data transfers.

Furthermore, both regulations are concerned not only with an extensive qualification of consent, but also empowering data subjects with meaningful control and choice regarding their personal information:

  • If the consent is given through a written declaration, such declaration should be distinguishable from others.
  • The information should be clear, ostensive, adequate, easily accessible, consequences of the principle of transparency by which data subjects should be properly informed about the processing of their personal data.
  • When processing of personal data is a condition for providing a product or a service, it is necessary to ensure the data subject means to exercise their realm of control over their data. As a consequence, the LGPD and GDPR have opened space for the so-called granular.

In few words, the GDPR and the LGDP allocate consent as just one of the phases by which data subjects can control their personal information. A holistic and systematic interpretation of both legislations demonstrates that there should be effective decision-making from data subjects with regarding their personal information flow.

Legitimate interests

It should be noted that the "legitimate interest" legal basis did not exist in the prior Brazilian legal data protection framework. It could allow for the use of the data for purposes other than those originally authorized by its data subjects or those that led to its disclosure. Through a proportionality test that takes into account the interests of the controllers and the rights of the data subject, this hypothesis would allow for new uses for the data, making it essential in times of big data, artificial intelligence, machine learning and innovative business models based on the use of personal data. In comparison to the GDPR, the Brazilian legitimate interest will possibly be more flexible, since it can used for “promotion” of controller’s activities. The balancing test provided by the law, and it needs to be documented.

Protection of credit

As of today, processing of personal data for protection of credit purposes is based on two main laws: (i) the Federal Consumer Code (Law 8.078/1990), which allows for collection and inclusion of consumer data in consumer and in debt databases without the need for consent, as long as the data subject is informed of such inclusion; and (ii) the Positive Credit History Law (Law n. 12.414/2011), which sets forth the need for express and prior consent to collect consumer payment data. This law also regulates the use of personal data for the credit score purposes. Therefore, the LGPD should be read in context of these two sectoral laws that have specific provisions for the protection of credit.

As one of the lawful basis for data processing, it may be construed that consent is not necessary to process data for credit protection purposes, when the data is not related to timely payments, since there is specific sectoral law with a more adequate legal basis. This innovative legal basis, isolated, can function as an open check that would may be allow of any personal data to be processed for credit purposes. Therefore, it should be interpreted restrictively, together, for instance, with the limitations imposed for profiling and automated decision making, which expressly encompasses credit modeling.  

Data subject rights and data controllers' and processors' duties

Right to portability

One of the data subject rights that represents the most change in the GDPR is the right to portability, which has also been imported into the Brazilian law. Such right mandates the controller to transfer, at the request of the data subject, their personal data to other controller. In Brazil, this right is not limited to data provided based on data subjects' consent, making it different from the GDPR. Despite being a "new" right in relation to the context of general laws of personal data protection in the world, the right to portability already existed in sectoral contexts. In Brazil, since 2007 it has been possible to request the portability of personal data related to a telephone number, a right created by Resolution 460/07 better known as the General Portability Regulation of Anatel.

It is also worth noting that this resolution determined what would be the personal data that should be carried and its format, as well as how the interoperability of such data would take place between companies. This demonstrates that, most likely, when the Brazilian DPA emerges, it will also have the task of setting standards to enable the data subjects' to exercise such a right, but with the challenge of doing so not only for one single sector, but for all, in a transversal manner.

Automated individual decision-making

The right to a review by a natural person of automated decision making that impacts data subjects (Art. 22) is not new to the Brazilian legal system. It was provided in regard to credit scoring models by the Positive Credit History Law together with the right to explanation, which would include not only the data used by the algorithm, but also the criteria used for processing, limited to business secrecy and taking into consideration intellectual property rights. This structure was entirely copied by the LGPD, but applicable for data processing for any purpose. However, compared to the GDPR, the impact on the data subject is presumed when automated decision making is based on profiling, and there is no limitation to situations when the data was provided by consent. Therefore, such right provided for the LGDP may be considered broader (more protective) than the right as set forth by the GDPR.

Data breach notification

In its Article 48, the LGPD provides that the communication of an incident must take place within reasonable time, to be defined by the national authority, as well as mentioning at least:

  • A description of the nature of the personal data affected.
  • Information on the stakeholders involved.
  • Indication of the technical and security measures used for data protection, observing commercial and industrial secrecy.
  • Risks related to the incident.
  • The reasons for the delay, if communication was not immediate.
  • The measures that were or will be taken to reverse or mitigate the effects of the injury.

There is a somewhat unique scenario in Brazil, when it comes to reporting incidents. Brazil does not yet have an authority, and many LGPD provisions relate to the existence or creation of such an authority. In view of the absence of an actual authority, how and to whom should an incident be reported?

In this dull scenario, it appears that indirectly, there are Brazilian agencies already monitoring the rights of data subjects, as well as instituting investigations and applying fines and other punitive measures for incidents involving personal data violation, as is the case of the Ministério Público do Distrito Federal e Territórios , the Public Prosecutor Office of the Federal District. The MPDFT has created a portal dedicated to the reporting of incidents, which can be performed by the company itself or by third parties, and upon receipt of such report, the MPDFT may initiate a civil investigation.

Furthermore, in the GDPR, the deadline for notifying the incident is determined at 72 hours; however, in the LGPD, the deadline is referred to as "reasonable time," which could be better defined by the Brazilian authority itself. As it can be seen, the subjective analysis of this provision of law may generate some legal uncertainty, since in the case of an incident, notification is urgent in nature, which must be understood as immediate, and cannot be conducted within flexible periods, such as weeks or months.

Data protection officer

The DPO in the LGPD must be a natural person, nominated by the controller, who acts as a communication channel between the controller, data subjects and the data protection authority. It it not mandatory to be an employee of the controller, it can be outsourced. It is not mandatory to be located in Brazil. In addition, the DPO should be responsible within the institution for the company's compliance with the rules provided by law and guide employees and contractors of the entity regarding the practices to be taken in relation to the protection of personal data. An initial reading of the LGPD allows one to conclude that any entity that treats personal data must indicate a DPO, but the data protection authority may establish complementary norms on the definition and the attributions of the person in charge, including hypotheses on which companies will not need to nominate a DPO. Therefore, the DPO maybe mandatory to all controllers, regardless of the size, type and volume of the data processed and risks to data subject.

Regarding the representative of controllers not established in Brazil, there is no need for the controller or the processor to designate one, an obligation set forth by the GDPR.

Regulatory rationality

If a true comparison must be established between LGPD and GDPR, it is necessary to take into consideration whether the new regulatory rationality of the EU regulation inspired the Brazilian regulation. This new rationality is what the literature has a risk-based and responsive regulation. Giving concrete examples, it is necessary to analyze what is the importance of data protection impact assessment and code of conducts.

Data protection impact assessment

The privacy impact assessment, provided for in Directive 45/96 and now indicated as DPIA in the GDPR, is also present in the new Brazilian law, described as, "Report on the Impact on Personal Data Protection," which comes with a description of processes for processing personal data which may pose risks to civil liberties and fundamental rights, as well as measures, safeguards and risk mitigation mechanisms.

Unlike the European Union, Brazil had no provision for drafting PIAs on the protection of personal data. Brazil has a new provision which, in fact, modifies the way processing agents dialogue with data protection. The absence of an authority, at this point, is even more worrisome, as it is an authority that should determine who defines the methodology to use in the report, the procedure to make such an assessment, and general guidelines on this procedure. Without this, Brazil is still in a grim scenario in regard to application of data protection laws.

While the issue of the authority has yet to be resolved, a solution has been to follow the development of discussions on the DPIA in the EU, either through Article 29 Working Party, or through the guidelines on the DPA methodologies, or, still through the guidelines which the EDPB will formulate in the EU on this matter. Nevertheless, the positive aspect of this is that it serves to raise the awareness of processing agents in Brazil of the fact that compliance is a process by which mechanisms are necessary to assimilate an entire data protection culture in the company, from the low levels to the board.

Codes of conduct

The GDPR and the LGPD clearly encourage the adoption of codes of conduct. Both regulations dedicate a specific chapter to specify how controllers and processors could contribute for the proper application of the law. When compared to the European regulation, the Brazilian law: a) does not calibrate this regulatory tool based on the size of enterprises (micro, small and medium), but takes into account the category of data, the purpose and scope of the data processing and, mainly, what are the risks at stake against the data subjects; b) is less prescriptive than GPDR by exemplifying what kind of elements should be addressed by the codes of conduct. The EU regulation has 11 examples in comparison to the eight of the LGDP.

Conclusion

The Brazilian General Data Protection Law is very similar to the GDPR in context, structure and ultimate rational — to protect the fundamental rights and freedoms of natural persons, especially the development of natural persons' personality. However, its differences make the law unique and, in a way, more advanced than the GDPR, e.g, the inclusion within the scope of the law of anonymous data used for profiling purposes, a provision that it is in the heart of behavior analysis business models of all kinds. Nonetheless, Brazil has much to learn from European data protection history and perspectives. Undoubtedly, EU lessons will be necessary to carefully read and interpret the Brazilian law.

Topic GDPR LGPD
Exceptions to the law Data processed by a natural person in the course of a purely personal or household activity; and data processed by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. Data processing by a natural person exclusively for private and non-economic purposes; data processing if undergone exclusively for journalistic and artistic purposes; for academic purposes; or for purposes of: a) public safety; b) national defense; c) state security; or d) activities of investigation and prosecution of criminal offenses.
Territorial scope Any company that has a branch in the EU or offers services to the EU market and collects and treats personal data of data subjects located in the EU, regardless of the nationality, will be subject to the new law. Any company that has a branch in Brazil or offers services to the Brazilian market and collects and treats personal data of data subjects located in the country, regardless of the nationality, will be subject to the new law.
Data flows that are merely transmitted into Brazil, but not further processed, do not fall within the scope of the law.
Personal data Any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Any information relating to an identified or identifiable natural person. There are no examples on the definition brought by the law.
Anonymized data Outside of the scope of the law, taken into consideration reasonable steps to re-identify. Outside of the scope of the law, taken into consideration reasonable steps to re-identify. Might be considered personal data if used for profiling purposes.
Pseudonymized data Within the scope of the law, since it should be considered to be information on an identifiable natural person. Not defined by the law, except for research undergone by public health agencies.
Health Data (sensitive data) Legitimate activities (not-for-profit) and public interest are legal basis. Performance of a contract is deemed as a legal basis for processing.
Data manifestly made public by the data subject Legitimate activities (not-for-profit) and public interest are legal basis. Performance of a contract is deemed as a legal basis for processing.
Lawful processing Six lawful legal bases: (i) consent; (ii) legal obligation; (iii) life protection; (iv) public interest; (v) contractual performance; (vi) and legitimate interest. Ten legal bases, which are: (i) consent; (ii) legal obligation; (iii) implementation of public policies by the public administration; (iv) research by public study entities; (v) contractual performance; (vi) exercise of rights in legal proceedings; (vii) life protection; (viii) health protection; (ix) legitimate interest; and (x) protection to credit.
Legitimate interest More restrictive, need for a balancing test, provided by the recitals. Possibly more flexible, since it can used for “promotion” of controller’s activities. Balancing test provided by the law and need to be documented.
Consent Should be an informed, unambiguous and free indication of the data subjects’ agreement for processing data as a general rule.
Should be explicit for processing sensitive data and for international data transfer.
Should be an informed, unambiguous and free indication of the data subjects’ agreement for processing data as a general rule.
Should be specific for processing sensitive data and for international data transfer.
Data subject access requests Up to 30 days, gratuity is optional. Right of access, up to 15 days. Other rights, reasonable time, gratuity is mandatory (free of charge).
Review of automated decisions Necessary when impacts, has a material legal effect, on the data subject. Limited to data provided by consent. Impact on the data subject is presumed when automated decision making is based on profiling, therefore there is a right to review. Not limited to data provided by consent.
Data protection officer Not mandatory to all controllers. Conditions are established by the regulation, such as volume and type of data processed, of use new technologies and risks to data subjects. Size of the data controller is not a condition.
Not mandatory to be a natural person or an employee of the controller, it can be a legal entity. It can be outsourced, not mandatory to be located at the European Union.
Mandatory to all controllers, regardless of the size, type and volume of the data processed and risks to data subject (provision can be adjusted by the DPA).
Mandatory to be a natural person. Not mandatory to be an employee of the controller, it can be outsourced. Not mandatory to be located in Brazil.
Representative of controllers not established in the region The controller or the processor shall designate in writing a representative in the Union. There is no need for the controller or the processor to designate a representative in Brazil.
Registration of processing activity Not mandatory for companies with less than 250 employees. Mandatory for all companies (provision can be adjusted by the DPA).
Registration of database at the DPA Not necessary. Not necessary.
Mandatory Data Breach Notification Controllers need to notify DPAs within 72 hours. Controllers need to notify both DPAs and data subjects within a reasonable time (provision can be adjusted by the DPA).
Codes of conduct There is a specific chapter that: a) makes reference to the specific needs of micro, small and medium-sized enterprises as guidelines for drafting the codes of conducts; b) lists eleven examples of what should be addressed by the them. There is a specific chapter that: a) makes reference to the category of data, the purpose and scope of the data processing and, mainly, what are the risks at stake against the data subjects and the benefits for them as guidelines for drafting the codes of conduct; b) lists eight examples of what should be addressed by them.
Data protection impact assessment There is a specific chapter and duty to carry out a DPIA in the case that data processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk. There is no specific chapter or duty to carry out a DPIA. However, a DPIA may be mandatory in situations already characterized as risky or, at the request of the authority, where the processing of data is based on legitimate interest.
Fines Up to 4 percent of global revenue of the economic group, up to 20 million euros. 2 percent of the revenue from Brazil, up to R$50 million per infraction. Possible daily penalty to enforce compliance.
Data protection authority Defined and established at the national level. Undefined and yet to be established by new president, at the national level.
International data flow Need for adequacy decision to freely transfer data to other countries. In case of lack of adequacy, legal instruments are provided by the regulation. Lawfully performed based on legitimate interest, if unusual. Need for adequacy decision to freely transfer data to other countries. In case of lack of adequacy, legal instruments provided by the regulation. Cannot be based on legitimate interest, express consent maybe a legal basis.
Adaptation period 24 months 18 months, February 2020. The DPA will have the say on how to legitimize old databases.

Photo credit: Artur Rodrigues via Flickr, "GO Brazil!!!"

Photo credit: MPD01605 EU Flagga via photopin (license)