Brazil is one of the largest digital markets in the world. Until recently its data protection landscape comprised around 40 sector-specific laws covering areas such as medical and financial services, but no general framework protecting all personal data. That changed with the advent of the General Data Protection Law (LGPD). Here, we explore the background to the LGPD, explain what it means for business, and look at further developments on the horizon.
When did the LGPD come into force?
The law itself took effect on 18 September 2020, although its administrative sanctions only became applicable on 1 August 2021. A constitutional amendment has recently promoted personal data protection to the same level of legal protection as the rights to privacy and private life.
Who enforces it?
After some political debate, Brazil’s National Data Protection Authority (ANPD) was created on 26 August 2020 to develop guidelines and apply administrative sanctions for non-compliance with the LGPD. The ANPD is formally a government body tied to the Office of the President, unlike other Brazilian regulatory agencies, which are independent legal entities. Since it was established, the ANPD has focused mainly on structuring its operations; although it has published a couple of guidelines, it has not yet tackled any major data protection issue.
How does the LGPD compare to Europe’s GDPR?
The LGPD was inspired by major structural features of the GDPR, such as the controller/processor roles, data protection officers (DPOs), the principles and legal bases for processing personal data, and a list of data subject rights.
The Brazilian law, however, was drafted in line with Brazilian rather than European legislation, and is therefore shorter, less prescriptive and has no recitals as guidelines to interpret the legal text. More than 50 details have been left for the ANPD to clarify, so there is plenty of anticipation surrounding the start of the ANPD’s regulatory activity.
Alongside the different drafting approach, the rules have been adapted in many points to the Brazilian legal and social context – as the points below demonstrate.
When and where does it apply?
The LGPD applies to: (i) personal data processed in Brazil; (ii) processing aimed at offering goods or services to individuals in Brazil, or at processing the personal data of individuals in Brazil; and (iii) the processing, anywhere in the world, of personal data collected in Brazil, meaning data of any data subject who is present in Brazil when the collection takes place. The third scenario could affect the business of foreign companies in Brazil, although there is no legal requirement for foreign controllers to appoint a representative in Brazil.
The law defines personal data as any information relating to an identified or identifiable natural person and excludes anonymised data from its scope. In this regard it closely tracks the GDPR, but it also explicitly extends to anonymised data when that data is used for profiling. The LGPD therefore appears to be concerned with how data processing may affect the lives of data subjects, rather than with whether the anonymisation is reasonably reversible.
The LGPD also lists a few noteworthy exceptions to its applicability, such as personal data that is transferred to Brazil from outside the national territory but is not further processed there, i.e. is neither shared nor transmitted within Brazil or onward to other countries.
How is the lawfulness of processing evaluated?
As with the GDPR, any processing activity needs to be evaluated according to certain principles and is only justified if certain criteria are met.
Principles are considered a legal norm in Brazilian law. They not only guide the interpretation of the specific rules but can be applied directly to decide unforeseen situations. In terms of principles, the LGPD is aligned with the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, reinforced by two further principles: prevention (which requires the active prevention of data breaches, probably intended to rule out merely formal compliance measures) and non-discrimination (prohibiting processing for any discriminatory end).
In terms of specific lawfulness criteria, the LGPD contains a few more than the GDPR, including health protection (especially relevant to the work of health professionals during the pandemic), and for credit protection. The latter was included in the context of discussions on the reform of Brazil’s Positive Credit History Law, one of the instruments that regulates credit scoring.
A few details of the criteria carried over from the GDPR also differ: consent for the processing of sensitive data and for international data transfers must be specific, and the legitimate interests of the controller may include supporting and promoting the controller’s activities. It will be interesting to see how flexibly legitimate interests can be applied, especially given the rise of the internet of things, big data and the widespread use of machine learning.
The LGPD furthermore requires controllers and processors to keep records of their processing activities, and requires every controller to name a data protection officer (DPO), who can be a natural or legal person. The ANPD can still regulate both requirements differently.
What rights do data subjects have?
The LGPD gives data subjects several rights, which must be exercisable free of charge. These include the right to confirmation that processing is taking place; the rights of access, correction, erasure and anonymisation; the right to portability; the right to a review of decisions based on automated processing; the right to object to processing not based on consent; the right to file a complaint with the ANPD; and the right to request full electronic copies of any personal data where processing is based on consent or the performance of a contract (this last right is subject to ANPD regulation). A few additional rights seem designed to foster a data protection culture, including the right to withdraw consent and the right to be informed of the possibility of not providing consent and of the consequences of that decision.
Under the LGPD, controllers have just 15 days to confirm the existence of processing and provide access to the data. The ANPD can amend this tight deadline, but until it does, the deadline will demand a high level of organisation from controllers in how they handle personal data.
Some of these rights were already covered by Brazil’s existing sector-specific legislation but have been extended in scope under the LGPD. For example, a right to portability has existed for phone numbers since 2007; it has now been extended to any personal data and, unlike under the GDPR, is not limited to processing based on consent or the performance of a contract.
The right to a review by a natural person of automated decisions that affect data subjects was already provided for credit scoring models by the Positive Credit History Law. That right was coupled with the right to be informed of the data used by the algorithm and the criteria used for deciding, except for trade or industrial secrets. The LGPD adopts a similar structure and makes it applicable to personal data processing for any purpose. The LGPD presumes an impact on data subjects whenever automated decision making is based on profiling, even in consent-based processing.
What liabilities exist for LGPD violations?
Controllers are by law jointly and severally liable for material and immaterial damages caused to data subjects, whether individually or collectively. They are also responsible for notifying data breaches to both the ANPD and the affected data subjects within a reasonable period (to be defined by the ANPD). The adoption of appropriate security measures will be taken into account by the ANPD when evaluating the liability of the controller(s).
Processors may also be jointly liable if they fail to comply with data protection legislation or with the controller’s instructions.
Procedurally, the LGPD also allows the burden of proof to be reversed (an established practice introduced by Brazilian consumer legislation) and provides for collective actions.
The ANPD can apply many different sanctions, including fines of up to 2 percent of the group’s revenue in Brazil, capped at R$50m (approx. €8.5m) per infraction, which can be imposed on a one-off or daily basis.
What’s next for Brazilian data protection?
The development of the ANPD’s regulations and the activity of the courts will be the next big things to watch in Brazilian data protection. With that in mind, here are five key issues to track closely.
- Deadlines and formalities for data breach notifications and for responses to the exercise of rights by data subjects.
- Exemptions from the record-keeping requirement for processing activities and from the appointment of DPOs.
- The applicability of the LGPD, especially in relation to data collected in Brazil and the use of anonymised data for profiling.
- The use of legitimate interests and specific consent as bases for processing, including the processing of sensitive data and international data transfers.
- Legitimising legacy databases built before the LGPD took effect.