August 14, 2018, Brazil approved the General Data Protection Law (in Portuguese). The law will come into effect after its 18th adaptation period, in early 2020.

The LGPD creates a new legal framework for the use of personal data in Brazil, both online and offline, in the private and public sectors. It is important to note that the country already has more than 40 legal norms at the federal level that directly and indirectly deal with the protection of privacy and personal data in a sector-based system. However, the LGPD is replacing and/or supplementing this sectoral regulatory framework, which was sometimes conflictive, marshy, without legal certainty and made the country less competitive in the context of an increasingly data driven society.

The text, the result of a broad discussion, aims not only to guarantee individual rights, but also to foster economic, technological and innovation development through clear, transparent and comprehensive rules for the adequate use of personal data. By having a General Data Protection Law, Brazil enters the roll of more than 120 countries that today may be considered to have an adequate level of protection of privacy and the use of personal data.

What the law says

The LGPD has transversal and multi-sectoral application, both in public and private sectors, online and offline. It deals with the concept of personal data and lists the legal bases that authorize its use — and consent is only one of them — highlighting the possibility of processing personal data based on the legitimate interests of the data controller in addition to data protection general principles; basic rights of the data subject— such as right to access, exclusion of data and to explanation; and the obligations and limits that should be applied to any entity that processes personal data.

These are the main points of the new law:

  • Scope of application: The LGPD will have transversal, multi-sectoral application to all sectors of the economy, both public and private, online and offline. With few exceptions, such as national and public security; pure research, artistic and journalistic purposes; any practice that process personal data will be subject to the law.
  • Extraterritorial application: In a similar way to the European Union's General Data Protectin Regulation, theLGPD will have extraterritorial application, that is, the duty of compliance will exceed the geographical limits of Brazil. Any foreign company that has at least a branch in Brazil, or offers services to the Brazilian market and collects and treats personal data of data subjects located in the country, regardless of the nationality, will be subject to the new law. 
  • Concept of personal data: The LGPD provides for a broad concept of what should be deemed personal data related to an identified or identifiable natural person. That is to say: any data, isolated or aggregated to another, that may allow the identification of a natural person or subject them to a certain behavior (interpretation possible from an integrative reading of the text). In this time of big data, which allows the rapid correlation of large, structured and unstructured databases, virtually any data can eventually be considered personal, therefore subject to the law.
  • Concept of sensitive personal data: Sensitive personal data is data that, by its very nature, may subject the data subject to discriminatory practices, such as data on racial or ethnic origin, religious belief, political opinion, health or sexual life data; or allows unequivocally and persistent identification of the data subject, such as genetic data (this with both facets, discrimination and identification) or biometric. Such data should be treated in a differentiated manner, with additional security layers, and with different legal bases, such as the express consent of the data subject.
  • Anonymized data: Anonymized data refers to data on a data subject that cannot be identified considering the use of reasonable time, cost and technical means available at the time of the data treatment. In this way, anonymized data would be outside the scope of application of the law, except if the anonymization process can be reversed or if the data is used for behavioral profiling purposes. Effectively, anonymized data is essential for technologies within the scope of internet of things, artificial intelligence, machine learning, smart cities and analysis of large behavioral contexts.
  • Public data: There has been a great deal of discussion about the limits on the use of publicly accessible personal data, such as those contained in databases managed by public bodies, official publications and notarial records, or those expressly made public by their data subjects, such as public profiles on social networks. The LGPD deals with such situations, treating them in different ways, and imposing certain limitations, such as limiting the use to the purposes that led to the disclosure of the publicly accessible personal data. That does not mean that public data can no longer be used for other purposes, only that business models that rely on this type of data will have to adapt.
  • Legal grounds for data processing — consent and legitimate interests: In order to treat personal data, which includes the practice of collecting it, it is always necessary to have a legal basis. The LGPD lists 10 hypotheses that authorize the use of personal data, and unambiguous consent is only one of them. It should be noted that the legal basis known as "legitimate interest," which did not exist in the prior Brazilian legal data protection framework, would allow the use of the data for purposes other than those originally authorized by its data subjects or those that led to its disclosure. Through a proportionality test that takes into account the interests of the controllers and the rights of the data subject, this hypothesis would allow for new uses for the data, making it essential in times of big data, artificial intelligence, machine learning and innovative business models based on the use of personal data. 
  • General principles of data protection: The LGPD lists 10 principles that should be taken into account in the processing of personal data, such as purpose limitation, necessity, transparency, security, non-discrimination and — the new — principle of accountability, which makes it mandatory for the data controller and data processor to fully and transparently demonstrate the adoption of effective measures capable of proving compliance with the rules for the protection of personal data. This can be done through data protection assessments, methodologies also provided for by law.
  • Data subjects basic rights: Data subjects will have their basic rights expanded, and they must be guaranteed in an accessible and effective manner. Among the listed rights, it is important to highlight the right to access to data, rectification, cancellation or exclusion, opposition to treatment, right to information and explanation about the use of data. The great novelty is the right to data portability, which allows the data subject not only to request an entire copy of their data, but also to have them provided in an interoperable format, which aims to facilitate their transfer to other services, even for competitors. Due to its nature, this new right has been seen as a strong element of competition between different companies offering similar services based on the use of personal data.
  • Liability: The different agents involved in data processing — the controller and the processor — can be jointly and severally liable for information security incidents and/or improper and unauthorized use of the data or for non-compliance with the law. However, the liability of the processor, that is who practices data processing on behalf of the controller, may be limited to its contractual and information security obligations if it does not violate the rules imposed by the LGPD. It is therefore important to define whether a company should be viewed as a controller or a processor, or both, to set the limits of its liability.
  • Mandatory data breach notification: Data breach notifications to the data protection authority becomes mandatory, and must be performed within a reasonable time frame, which may, based on the severity of the case, determine the notification to all data subjects involved and the widespread publicity of the incident. 
  • International data transfers: LGPD brings a series of legal instruments that allow for the international transfer of personal data, even to countries that are not considered to have an adequate level of protection. It will be possible to transfer personal data internationally based on the specific and express consent of the data subject, which must be prior and separated from the other purposes and requisitions of consent. It will also be possible to carry out the transfer if there is a guarantee, by the controller through contractual instruments such as binding corporate rules and standard clauses, that it will comply with the principles, data subject rights and the data protection regime provided by law. Similar to the GDPR, the law allows for transfer by means of the adoption of seals, certificates and codes of conduct issued and authorized by the Data Protection Authority.
  • Data protection officer: The DPO is the natural person, nominated by the controller, who acts as a communication channel between the controller, data subjects and the data protection authority. In addition, the DPO should be responsible within the institution for the company's compliance with the rules provided by law and guide employees and contractors of the entity regarding the practices to be taken in relation to the protection of personal data. An initial reading of the LGPD allows one to conclude that any entity that treats personal data must indicate a DPO, but the data protection authority may establish complementary norms on the definition and the attributions of the person in charge, including hypotheses on which companies will not need to nominate a DPO.
  • Data protection impact assessment: Considered as an impact assessment on the protection of personal data, it refers to the controller documentation that contains the description of data processing activities that may create risks to data subjects, as well as measures, safeguards and mitigation mechanisms implemented. The DPIA may be mandatory in situations already characterized as risky or, at the request of the authority, where the processing of data is based on legitimate interest. The DPIA methodology is widely adopted by the GDPR and allows, in addition to risk mapping, an effective photograph of the entity's regulatory compliance status.
  • Record data processing activities: Any and all personal data processing activities must be recorded, from their collection to their exclusion, indicating what types of personal data will be collected, the legal basis that authorizes its use, purposes, retention time, the information security practices implemented in the storage and with whom the data can be eventually shared, methodology known as data mapping.
  • Information security standards: Both data controller and data processor should take appropriate technical, security and administrative measures to protect personal data. The data protection authority may provide for minimum technical standards, considering the nature of the data handled, the specific characteristics of the treatment and the current state of technology.
  • Privacy by design and by default: It is mandatory to adopt from the design of services, products and business models the practice of guaranteeing privacy and data protection rights. The general principles of LGPD and safety standards should therefore be observed from conception to execution and offering of the product and service. Also, privacy controls, popularly accessible through dashboards in online platforms, should by default be the most protective, and it is up to the data subjects to make them flexible if they so wish.
  • Codes of conduct and certification bodies: The LGPD clearly encourages the adoption of industry codes of conduct and certifications bodies that can ensure compliance with the data protection rules. Certain sectors of society may create their own codes of conduct in the use of data, which may even be higher than the law. These must be previously authorized by the authority and provide methods that demonstrate compliance. Furthermore, entities may qualify before the authority to certify that other institutions are in compliance with the general law. 
  • Penalties: Administrative sanctions may be applied by authority in case of violation of LGPD. Among the sanctions, there are notices and fines, that may vary from 2 percent of the company's, group's or conglomerate's turnover in Brazil in its last fiscal year, limited in total to R 50,000,000.00 (fifty million reais) per infraction. There is also the possibility of daily fine to compel the entity to cease violations.
  • Transition and adaptation period: The LGPD will enter into force 18 months after its publication. Therefore, public and private entities will have until February 2020 to adapt. In addition, the national authority, when created, may establish rules on the progressive adaptation of databases created up to the date of entry into force of the law, considering the complexity of the processing operations and the nature of the data. 

Vetos

The national data protection authority, one of the most relevant points established by the law, was vetoed due to legal aspects related to which branch of the government should have triggered the new law. However, the president already mentioned that the authority will be created through a separate law.

The president also vetoed three articles of the bill, which dealt with the protection of personal data of access to information requests, the transfer of personal data between public authorities and private entities — such transfer will not be prohibited, but they will be based on other legal basis, and transparency on the use of data shared between public entities.

Articles VII, VIII and IX of Article 52 were also vetoed, which provided for penalties for suspending and prohibiting — total or partial — the activities of processing and storing personal data in cases of violation of the legislation. In this way, only the penalties of warning, fine, blocking or elimination of data and disclosure of the infraction are provided.

Next steps

The DPA, when created, will be an independent public authority responsible for the supervision of the law and enforcement. Its format has not yet been defined, but it should work in the same way as other regulatory agencies or supervisory bodies. The authority may establish guidelines for the promotion of protection of personal data in Brazil. In summary, it should ensure the protection of personal data; elaborate on the "National Policy on Data Protection and Privacy," as defined by law; monitor and apply sanctions in case of violation of the relevant laws; fulfill data subjects' requests against those responsible for the processing of their data and regulatory matters on data protection, among other activities. The law that will create the DPA will probably provide for the creation of the National Data Protection Council, a consultative body with a multi sectoral composition, which can propose guidelines and strategies, conduct studies and disseminate knowledge on data protection in Brazil. 

In short, the LGPD will have an impact on society as few laws have had before — since today practically every practice of society deals with the use of personal data. Companies from all sectors will have to adapt and a new culture about the appropriate use of data has to be formed, something difficult to achieve considering that Brazil, unlike other regions of the world (mainly in Europe), is still in its infancy with regard to this topic.

In this sense, the protection of personal data should and can be seen not as a cost, but as a competitive advantage, a market differential. In a time of major information leaks and scandals over misuse of data, complying with clear, transparent and harmonic rules can restore or increase consumer confidence in companies and the marketplace. Therefore, companies need to conform to today's rules and understand that anticipating future regulation is an investment and a competitive advantage.

photo credit: Brazil 2014 via photopin