The Brazilian General Data Protection Law (“Lei Geral de Proteção de Dados” or “LGPD”), passed by Congress on 14 August 2018, will come into effect on 15 February 2020. The new data protection law significantly improves Brazil’s existing legal framework by regulating the use of personal data by the public and private sectors. Very similar to the General Data Protection Regulation (“GDPR”) implemented in the European Union, the LGPD imposes strict regulations on the collection, use, processing, and storage of electronic and physical personal data. In conjunction with the passing of the LGPD, the National Data Protection Authority will be created in order to adequately implement the new legislation.
What is the LGPD?
The LGPD seeks to prevent the misuse of personally identifiable information (PII) and of sensitive PII, affording a level of privacy not seen in Brazil to date. The primary aspects of the new law include:
- Compliance by organizations headquartered in Brazil and by those who process personal data in Brazil;
- Broadly defines “personal data” as any information related to an identified or identifiable individual;
- Provides special treatment for “sensitive personal data,” defined as the personal data related to one’s racial or ethnic origin, religious and political views, union, religious, philosophical or political affiliations, health, sexual orientation or history, biometric or genetic data;
- Establishes separate obligations and liabilities for data controllers and data processors;
- Introduces a legal basis to collect and process personal data;
- Creates data subject rights, such as the right to be forgotten and access to information; and
- Provides mechanisms for cross-border data transfers to countries that are not considered to have an adequate level of protection.
Only data that is processed exclusively for personal use, for artistic, journalistic or academic work or for national security purposes is exempted from LGPD application.
With this enactment, Brazil moves away from a sector-based regulation model to one that affords legal certainty to companies and individuals nationwide. It also joins more than 100 countries that have similar laws in place.
Who is Affected by LGPD?
The LGPD applies to all private companies, government entities, and individuals that process personal data, regardless of location, provided that:
- Data is processed or collected in Brazil; or
- The processing operations have the purpose of offering or providing goods or services in Brazil.
For those not in compliance, the LGPD establishes administrative and civil sanctions ranging from a warning or a fine of up to 2% of an entity’s revenue in Brazil, limited to BRL$50 million (approximately US$13 million), to public disclosure of the violation or deletion or freezing of personal data until the violation has been resolved.
Are You Ready?
Compliance with the LGPD will be dependent on the robustness of your current data protection compliance program. To be compliant, parties affected will need to meet certain requirements, including:
- Appoint a Data Protection Officer;
- Promote a Data Protection Impact Assessment when processing activities create risks to data subjects;
- Monitor record and data processing activities;
- Ensure appropriate technical, security, and administrative measures are implemented to protect personal data; and
- Communicate any data breach through a mandatory notification.