Brazil’s New Privacy Law: What Your Business Needs To Know
The Lei Geral de Proteção de Dados (LGPD) is Brazil’s General Data Protection law that creates a legal framework for the use of personal data that is processed or related to individuals in Brazil. The LGPD is largely aligned with the EU’s General Data Protection Regulation (GDPR), one of the toughest privacy and security laws in the world that imposes obligations on organizations that target and collect data from subjects in the EU. Similarly, the LGPD is a comprehensive approach to personal data protection for individuals in Brazil. The LGPD goes into effect on August 16, 2020.
Does the LGPD Apply to My Business?
The LGPD applies to any business, regardless of its location in the world, that processes personal data of the people of Brazil, personal data collected in Brazil, and personal data associated with the offering of goods or services in Brazil. Personal data is broadly defined by the LGPD to include any information related to an identified or identifiable natural person. Personal data can include names, identification numbers, online identifiers and locators, or can extend to psychological, mental, or economic facts. Anonymized data is not considered personal data. Similar to the GDPR, an organization must have a valid basis for processing personal data under the LGPD. The LGPD also grants Brazilian residents a number of rights over their personal data including access to personal data, deletion of personal data processed with consent, and access to information about entities with whom the organization has shared the individual’s personal data.
There are a few exceptions to the LGPD, namely:
1. Data processed by a person strictly for personal reasons,
2. Data processed exclusively for journalistic, artistic, literary, or academic purposes, and
3. Data exclusively processed for national security, national defense, public safety, a criminal investigation, etc.
Other fundamental rights under the LGPD include:
• Right to confirmation of the existence of the processing
• Right to correct incomplete, inaccurate, or out-of-date data
• Right to anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD
• Right to the portability of data to another service or product provider, by means of an express request
• Right to information about possibility of denying consent and consequences of such denial, and
• Right to revoke consent.
Similar to what we have seen under other privacy paradigms such as the GDPR, CCPA and NY Shield Act, the LGPD requires controllers and processors to adopt technical and administrative security measures to protect personal data from unauthorized access. Organizations, in most cases, must appoint a data protection officer responsible for receiving complaints and communications. Additionally, organizations are responsible for reporting data breaches to the Brazilian authorities and for notifying the data subject within a “reasonable amount of time” if the breach is likely to result in risk or harm. If necessary, the National Data Protection Authority can order the controller to adopt privacy protection measures to mitigate the effects of the incident.
The LGPD is not as punitive as the GDPR, either in sentiment or in financial penalties. The LGPD establishes fines of up to 2% of a company’s sales revenue, capped at 50 million Brazilian Real, equaling $12,894,500 USD or 11.2 million Euros. By comparison, the GDPR provides for fines of 4% of revenue, up to 20 million Euros per violation.
Brazil’s newly implemented law, reminiscent of the GDPR, requires compliance with strict requirements related to the processing of personal data. Octillo’s team of highly experienced attorneys can work with your business to evaluate whether, and to what extent, privacy laws such as the LGPD, GDPR, CCPA and NY Shield Act apply. Understanding what data your business is collecting, how it is being processed, and with whom that data is being shared are just some of the critical questions that need to be explored with counsel. Our Octillo team can help you align with the LGPD’s business requirements while implementing controls and mitigating risk.
*Attorney Advertising. Prior results do not guarantee a similar outcome.