This is the first installment of a five-part series aimed at helping global privacy professionals better understand the operational impacts of the new Brazilian data protection law, the Lei Geral de Proteção de Dados. The series addresses the LGPD in its current form, taking into account that, once formed, the national authority—the Autoridade Nacional de Proteçãode Dado—is authorized under various articles of the law to issue guidance on interpretation and expand upon certain provisions.

Part one of the series addresses the types of data within the scope of the law along with data subject rights and processing obligations. Part two of the series continues by considering the areas of accountability, security, secrecy of data, good practice and governance within the LGPD. Part three will cover the conditions necessary to enable international transfers of personal data, including the mechanisms for such transfers, under the law. Part four will investigate the obligations of personal data processing agents, including DPOs, controllers and processors. Lastly, part five will explore the LGPD’s sanctions and enforcement mechanisms, as well as the private right of action and litigation issues within Brazilian data protection regime more broadly.

Types of personal data under the LGPD

Like the EU General Data Protection Regulation before it, the LGPD applies only to personal data and provides different levels of protection depending on how the personal data is classified. This classification is broken into two main categories, “personal data” and “sensitive personal data.”

Most LGPD applicable data falls under the general “personal data” definition. Such data is defined as “information regarding an identified or identifiable natural person.” Thus, like its international predecessor, this definition applies not only to information that has been directly linked to an individual, but also any information that could be aggregated to identify an individual. In other words, is not necessary that the data actually be used to identify the individual so long as is it has the potential to contribute to identification. 

In addition to the protections afforded to “personal data,” the LGPD provides heightened protections where data is of a particularly sensitive nature. Such data is aptly called “sensitive personal data” and is defined as data that concerns “racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data.” Unlike “personal data” however, the data mentioned above only qualifies as “sensitive personal data” where it is actually related to an individual.

Legal bases for processing

Operationally, the primary difference between these two classifications of data is the set of legal bases upon which the data may be processed. Requiring a legal basis for processing is a concept borrowed from the GDPR that requires any controller processing data to identify a legal basis for doing so from an enumerated list provided within the text of the law. In the case of the LGPD, controllers processing “personal data” must choose from a list of ten legal bases and controllers processing “sensitive personal data” must choose from a list of eight.

While there is some overlap between the bases, there are important distinctions between the two classifications of data. Namely, there are three bases available for processing “personal data” that cannot be used to process “sensitive personal data.” These are: the pursuit of the controller’s legitimate interests; protecting credit; and, at the data subject’s request, executing contracts to which the data subject is party. There is also one legal basis for processing “sensitive personal data” that is not available to serves as the basis for the processing of “personal data” and that is processing for the prevention of fraud. The final difference between the two is that while general consent can serve as the legal basis for processing both types of personal data, consent may only be used as a legal basis for processing “sensitive personal data” where it is given for a “specific purpose” and the terms themselves are “distinct and specific.”

These full lists of legal bases are as follows: 

Legal Bases for Processing
"Personal Data"
Processing of “personal data” may only be carried out under the following circumstances:
"Sensitive Personal Data"
Processing of “sensitive personal data” may only occur in the following situations:
• With the consent of data subject • With the data subjects distinct and specific consent for a specific purpose.
• To comply with a legal or regulatory obligation. • To comply with a legal or regulatory obligation
• To execute public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments. • Where processing is done by the public administration for the execution of public policy.
• To carry out studies by research entities that ensure, whenever possible, the anonymization of personal data. • To carry out studies by research entities that ensure, whenever possible, the anonymization of personal data.
• To execute a contract or preliminary procedures related to a contract of which the data subject is a party, at the request of the data subject. • To exercise rights in judicial, administrative or arbitration proceedings.
• To exercise rights in judicial, administrative or arbitration procedures. • To protect the life or physical safety of the data subject or a third party.
• To protect the life or physical safety of the data subject or a third party. • To protect the health, exclusively, in a procedure carried out by health professionals, health services or sanitary authorities.
• To protect the health, exclusively, in a procedure carried out by health professionals, health services or sanitary authorities. • To prevent fraud and the safety of the data subject.
• To fulfill the legitimate interests of the controller or a third party, except when the data subject’s fundamental rights and liberties, which require personal data protection, prevail.  
• To protect credit.  

Consent under the LGPD

As we’ve seen with the GDPR, one of the most popular legal bases is that of consent. Clarity on what consent must look like under the LGPD can be found in Article 8. It states that where processing is pursuant to consent given in writing, it must appear highlighted so as to stand out from the other contractual clauses. Additionally, “the burden of proof is on the controller to show that consent was obtained in compliance” with the LGPD. Failure to comply with the law renders the consent defective. For consent to be valid, it must refer to “particular purposes.” Any form that purports to gain consent through generic authorizations is defective and may not be considered a legal basis for processing. Finally, consent may be revoked at any time by the data subject. The procedure for doing so must be free of charge. However, so long as the data subject does not make a deletion request, any processing done under previously given valid consent remains valid.

Additionally, Article 7 §3 of the law states that consent is not required where the data is made manifestly public by the data subject. However, the law further stipulates that any processing of such public data must “consider the purpose, the good faith and the public interest that justify its being made available.” Thus, while this provision is not strictly enforceable per se, organizations should be on notice that where they are processing publicly available information without any other legal basis, clear failure to consider the context in which the data was made public will almost certainly be a factor considered during an enforcement investigation.

Children’s data under the LGPD

Despite the legal bases listed above, children’s and adolescents’ data are subject to the heightened protection that any processing of such data must always be done pursuant to the individual’s best interest. Additionally, children’s data may only be processed in instances where a parent or legal representative of the child has given “specific and highlighted consent” or where the data are collected in order to contact the parent or legal representative. Adolescents’ data are notably not subject to any parental or legal representative consent requirement.

Curiously, while the LGPD is clear about making this distinction with respect to children’s and adolescents’ data, it never actually defines what ages are to be considered children and adolescents. However, by looking to other Brazilian laws such as the Child and Adolescent Statute—in which such terms were legally defined—we can infer that the LGPD intended to borrow age limit definitions from other laws. It follows that the term “adolescent” likely refers to individuals between 12 and 18 years of age whereas “children” likely refers to anyone who is 11 or younger. However, given the vagueness in the text of the law, this definition is subject to change and future clarification.

Data subject rights under the LGPD

Where the processing activities are lawfully conducted pursuant to one of the enumerated legal bases outlined above, the organization must then be aware of certain individual rights held by the data subject. These are the rights to confirm the existence of the processing; access the data; correct incomplete, inaccurate or out-of-date data; anonymize, block or delete unnecessary or excessive data or data processed in noncompliance with the law; export the data to another service or product provider; delete personal data that were processed pursuant to consent; obtain information about public and private entities with which the controller has shared data; obtain information about the possibility of denying consent and the consequences of such denial; the right to request a review of decisions made solely based on automated processing of personal data affecting her/his interests.

Data subject access requests under the LGPD

Like most of the LGPD, this list is heavily influenced by the GDPR to the extent that most of the rights are substantially similar. However, there is one large operational difference between the two and that is the way controllers must respond to a data subject access request.

The law states that upon request by the data subject or their legally constituted representative, the controller must provide the individual with a copy of all their personal data which the data subject may elect to receive either by electronic means or in a printed form.

Again, while this concept isn’t new, the LGPD is unique in that it dictates how a company may respond. Pursuant to Article 19, a company may decide to respond to the data subject in one of two ways: they may respond in a simplified format but they must do so immediately, or they may take up to 15 days to respond but must provide a “clear and complete declaration” of the data.

Regarding the “simplified format” option, it would appear that opting for this and responding immediately would permit the company to provide the individual with less information and fewer details. However, what qualifies as a “simplified format” is not outlined anywhere in the law. Furthermore, what qualifies as an “immediate” response is similarly never defined.

Alternatively, the company may opt for the second option and take up to 15 days to respond “by means of a clear and complete declaration that indicates the origin of the data, the nonexistence of record, the criteria used and the purpose of the processing.” This requirement on its face is not particularly remarkable, but it becomes significantly more noteworthy when it is compared to its international counterparts. This timeframe to access requests is significantly shorter than other laws currently in effect (45 days for the California Consumer Privacy Act and 30 days for the GDPR). Furthermore, where these other laws allow a company to extend that deadline if needed, the LGPD provides no such flexibility irrespective of the size or complexity of the request. Whether this rigidness was fully intended by the drafters or not is unclear.

Ultimately, any clarity or extension on this timeframe will have to come from the national authority—the Autoridade Nacionalde Proteçãode Dado—which is authorized under Article 19(4) to modify the response timeframe for specific sectors. However, although the Brazil senate recently approved the presidential appointment of the ANPD directors, the authority is not yet fully operational. Until it is, it clearly cannot issue guidance and it appears that for the time being, controllers are currently left with two options: they may either attempt to respond immediately in a simplified format without knowing what “immediately” means or what a “simplified format” is, or they may take 15 days to respond to the requests in substantial detail with no leniency in the timeframe. 

Photo by Mateus Campos Felipe on Unsplash