Brazilian Data Protection Law | Lei Geral de Proteção de Dados Pessoais – LGPD Brazil
Wednesday, June 24, 2020
In 2018, Brazil enacted its long-awaited Data Protection Law, Law No. 13,709/2018, known as Lei Geral de Proteção de Dados or LGPD. The applicability of the LGPD (General Personal Data Protection Law) has been delayed to May 03 2021 by Provisional Measure #959/2020, issued on April 29, 2020 by the Brazilian President. Applicability was deferred because of the crisis caused by COVID-19.
In this article we discuss the Brazilian LGPD law: the LGPD definition and its meaning, a decoding of LGPD Brasil 2018, LGPD privacy by design, data principles, guidelines, disciplines, people's privacy rights, key definitions, LGPD compliance, the LGPD Brazil English version and LGPD requirements for companies. This LGPD article is written for beginners as well as experts, for a better understanding of Brazil's Data Protection Law. Questions such as what the LGPD is, what it means, to whom it applies and where to start are also covered here.
Introduced: Early 2018
Signed into law / Enacted in: August 15, 2018
Effective date: Yet to come into effect, expected May 2021 (delayed due to the COVID-19 calamity)
Lei Geral de Proteção de Dados Pessoais
LGPD stands for Lei Geral de Proteção de Dados.
It is a Personal Data Protection law for Brazilian people and applies to any business or organization that processes the personal data of people in Brazil, regardless of where that business or organization itself might be located.
Inspired by the EU's General Data Protection Regulation, Brazil has come up with its own consolidated and unified privacy law, the Lei Geral de Proteção de Dados (LGPD), which attempts to unify over 40 different statutes that currently govern personal data, both online and offline, by replacing certain regulations and supplementing others. Prior to the LGPD, data privacy regulation in Brazil consisted of various provisions and articles spread across Brazilian legislation, for example Federal Law No. 12,965/2014 and its regulating Decree No. 8,771/16.
If your company has any customers or clients in Brazil, or if you work with the personal data of Brazilian citizens, you should prepare for LGPD compliance. Fortunately, you have roughly one more year before the law takes effect. If you are already GDPR compliant, you have already done the bulk of the work necessary to comply with the LGPD, and becoming LGPD compliant should be a straightforward journey.
LGPD Compliance / Applicability
The LGPD applies to any private or public individual or company whose personal data processing activities:
- are carried out in Brazil;
- involve personal data collected in Brazil or belonging to Brazilian citizens; or
- involve offering or supplying goods or services in Brazil, or relate to data subjects who are geographically located in Brazil.
The LGPD has an extra-territorial scope and will apply to all global businesses that meet these criteria. It does not matter where these companies are headquartered.
The LGPD does not apply to data processing carried out:
- by a natural person exclusively for personal purposes;
- for journalistic, artistic, literary or academic purposes; or
- for national security, national defence, public safety, criminal investigation, etc.
The new law affects companies in all sectors that do business or engage in data processing activity in or with Brazil. Financial services, customer-facing entities, call/contact centres, the information technology sector, healthcare, insurance, airlines and hotel companies are among those likely to face substantial compliance obligations for the lawful processing of customer data.
The LGPD is applicable to all organizations – from MNC to start-ups. It does not provide any exceptions for small/medium businesses or small-scale processing units.
Whether your infrastructure is hosted on Microsoft Azure, AWS or Google Cloud (GCP), the LGPD applies all the same. As a data controller or processor, you have to ensure the necessary precautions, the security of the data and compliance. It does not matter whether your application is as big as Google, Facebook, WhatsApp or Tinder, or as small as a milk-delivery grocery start-up's app: if you are processing data of Brazilians, the LGPD applies to you.
LGPD Personal Data Principles:
As per the LGPD, activities of processing of personal data shall be done in good faith and be subject to the following ten principles:
- Purpose: processing done for legitimate, specific and explicit purposes of which the data subject is informed.
- Suitability: compatibility of the processing with the purposes communicated to the data subject.
- Necessity: limitation of the processing to the minimum necessary to achieve its purposes.
- Free access: guarantee to the data subjects of facilitated and free-of-charge consultation about the form and duration of the processing.
- Quality of the data: guarantee to the data subjects of the accuracy, clarity, relevancy and updating of the data.
- Transparency: guarantee to the data subjects of clear, precise and easily accessible information about the carrying out of the processing and the respective processing agent.
- Security: use of technical and administrative measures able to protect personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication or dissemination.
- Prevention: adoption of measures to prevent the occurrence of damage due to the processing of personal data.
- Non-discrimination: impossibility of carrying out the processing for unlawful or abusive discriminatory purposes.
- Accountability: demonstration by the agent of the adoption of measures which are efficient and capable of proving compliance with the rules of personal data protection, including the efficacy of such measures.
LGPD discipline of personal data protection act is grounded on the following:
- Respect for privacy.
- Informed self-determination.
- Freedom of expression, information, communication, and opinion.
- Inviolability of intimacy, honour, and image.
- Economic and technological development and innovation.
- Free enterprise, free competition, and consumer defence.
- Human rights, free development of personality, dignity, and exercise of citizenship by natural persons.
LGPD – Key definitions
Some key definitions defined under LGPD clauses are as below:
Personal data: information regarding an identified or identifiable natural person. It is also known as PII, or Personally Identifiable Information.
Sensitive personal data: personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical, or political organization membership, data concerning health or sex life, genetic or biometric data, when related to a natural person.
Anonymized data: data related to a data subject who cannot be identified, considering the use of reasonable and available technical means at the time of the processing.
Data subject: a natural person to whom the personal data that are the object of processing refer to.
Controller: natural person or legal entity, of public or private law, that has competence to make the decisions regarding the processing of personal data.
Processor: natural person or legal entity, of public or private law, that processes personal data in the name of the controller.
Consent: free, informed and unambiguous manifestation whereby the data subject agrees to the processing of her/his personal data for a given purpose.
LGPD Sanctioned on / lei geral de proteção de dados sancionada
The LGPD was introduced in early 2018 and enacted on August 15, 2018. It was sanctioned as Law No. 13,709/2018 and is expected to be effective from May 2021.
Certain LGPD provisions were already amended since its enactment, including the postponement of its enforceability to August 2020 and the creation of the National Data Protection Authority (ANPD).
LGPD – Who all are covered
The LGPD applies to approximately 211 million Brazilians, the permanent residents of the Federative Republic of Brazil. All Brazilians will benefit from this data protection law.
LGPD is to safeguard personal and sensitive data of Brazilians.
Note: Anonymized/anonymous data should not be considered personal data, except when the process of anonymization has been reversed or if it can be reversed by applying reasonable efforts.
People’s Privacy Rights / Intentions of LGPD
The personal data subject has the right to obtain the following from the controller, regarding the data subject’s data being processed by the controller, at any time and by means of request:
- The right to confirmation of the existence of the processing.
- The right to access the data.
- The right to correct incomplete, inaccurate, or out-of-date data.
- The right to anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD.
- The right to the portability of data to another service or product provider, by means of an express request.
- The right to delete personal data processed with the consent of the data subject.
- The right to information about public and private entities with which the controller has shared data.
- The right to information about the possibility of denying consent and the consequences of such denial.
- The right to revoke consent.
LGPD guidelines on International data transfer:
International transfer of personal data is only allowed in the following cases:
- When the data subject has given her/his specific and distinct consent for the transfer.
- The receiving country or organization provides a level of data protection comparable to the LGPD’s
- The non-Brazilian data importer is bound by a contract or by global corporate policy to provide and demonstrate a level of data protection comparable to the LGPD’s.
- International legal cooperation between government agencies
- When the transfer is necessary to protect the life or physical safety of the data subject or of a third party.
LGPD Penalties & fines / lei geral de proteção de dados penalidades
LGPD fines are not as punitive as the GDPR, both in sentiment and financial penalties. Article 52 of LGPD states that the maximum fine for a violation is “2% of a private legal entity’s, group’s, or conglomerate’s revenue in Brazil, for the prior fiscal year, excluding taxes, up to a total maximum of 50 million reals” – Approx. 10M USD.
The LGPD is a new standard that adds principles similar to the GDPR requirements and will come into effect in May 2021. It is useful (and mandatory if you want to continue doing business with Brazilian nationals) to know the details of the new personal data protection law if your company operates in Brazil or plans to open a branch there. You must be LGPD compliant if you want to hold and process Brazilians' personal or sensitive data.
LGPD – Companies Responsibilities and Accountabilities:
The LGPD sets out a set of general principles and legal bases for the processing of personal data, similar to the GDPR requirements. Under the LGPD, a data controller (any organization or entity that processes personal data) must choose one of the lawful bases below as the justification for using a data subject's information:
- With the consent of the data subject (parents or the legal representative consent in case of child)
- To comply with a legal or regulatory obligation of the controller.
- To execute public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments.
- To carry out studies by research entities that ensure, whenever possible, the anonymization of personal data.
- To execute a contract or preliminary procedures related to a contract of which the data subject is a party, at the request of the data subject.
- To exercise rights in judicial, administrative or arbitration procedures.
- To protect the life or physical safety of the data subject or a third party.
- To protect health, in a procedure carried out by health professionals or by health entities.
- To fulfil the legitimate interests of the controller or a third party, except when the data subject’s fundamental rights and liberties, which require personal data protection, prevail; or
- To protect credit (referring to a credit score).
While the LGPD focuses mostly on data privacy, the ten principles also impose real data security obligations. For example, companies must adopt technical measures such as encryption, as well as administrative strategies, to protect personal data from unauthorized access or unlawful destruction.
LGPD – Impact to Companies:
Almost all companies that hold or process personal data of people in the Federative Republic of Brazil are impacted by the LGPD. Companies subject to the LGPD are likely to be most affected by the provisions below, because of their relative difficulty to implement:
- Take consent, Inform, correct, anonymize, delete or provide a copy of the data if requested by the data subject.
- Delete customer data after the relevant relationship terminates.
- Adopt technical and administrative data security measures to protect personal data from unauthorized access, accidents, destruction, loss etc.
- Appoint a Data Protection Officer (DPO, mandatory under the LGPD) responsible for receiving complaints and communications.
- Provide a data breach notification to both the data subjects and the local authorities in case of a breach (unlike the GDPR, no mandatory timeline is specified).
How to become LGPD compliant
The LGPD will come into force in May 2021, giving companies time to get ready. In this period of time, the appropriate steps should be done, including:
- Have a dedicated legal team to keep an eye on local law as well as the LGPD, both for handling data in a protected way and for new legal updates.
- Take consent (and keep proof of it) from data subjects for data processing and storage. Consent must
- A diligence process to identify what personal data processing activities, if any, the company is engaged in (including via vendors) that are covered by the LGPD.
- Pay close Attention to your tools, website, and applications. Cookies, opt-ins, data storage, network etc, must be a part of compliance checklist.
- A gap analysis to identify where any of these data processing activities do not satisfy the LGPD’s compliance requirements.
- A remediation process to close any identified gaps.
- Revision, implementation and testing of internal policies and procedures needed to comply with LGPD.
- Vendor agreements/contracts should be revised or created as appropriate with Data protection law.
- Implement security guidelines around vulnerabilities, threats, risks; and use proper security tools and techniques like Encryption, Data Leak Prevention etc.
- Designate a data protection officer that will build a data protection program to meet LGPD requirements.
How LGPD will impact a website
If you deal with Brazilian citizens' personal data and you fall under any of the LGPD applicability criteria defined in the law, then you must modify your website to become compliant with the LGPD. Although the LGPD addresses national specifics, its data protection principles are based on accountability, purpose limitation, data minimization, security and privacy by design. Companies and organizations processing personal data are encouraged to implement protective measures such as consent collection and maintenance, security by design, and the necessary security tools and technologies.
A few checks you need to do on your website before you go ahead and modify things:
- Are you dealing with Personal data which falls under LGPD compliance?
- Which tracking technologies and 3rd-party plugins (cookies, pixels and tags used to advertise, collect statistics and run marketing campaigns, location tracking) are in use?
- Are you gathering consent in an appropriate manner and maintaining evidence of it?
- Have you updated your data and privacy policies?
- What data are you collecting, and for how long?
- How is the data processed? Is security in place?
- Have you made it easy to withdraw consent?
- Are the DPO's details shared on the website for handling data privacy queries?
- Are all your mailing lists and customer details up to date and backed by proper consent?
- Are you collecting only the required information (and not too much) under the Brazilian LGPD and other applicable laws such as the GDPR, PDP India, CCPA etc.?
Based on all above checks, follow the security guidelines of LGPD to implement the security in design and policies. Some guidelines are as below:
- Obtain proper consent from data subjects:
  - Consent should be affirmative, specific and unambiguous
  - Details of recipients and data controller
  - Purpose of processing and notification of profiling
  - Ability to withdraw consent
  - Link to complain, correct and transfer data
  - Ability to decline
- Apply security in design wherever possible. Include security tools and utilities like Encryption, SSL/TLS, Masking, DLP, Firewalls etc wherever possible to protect the data.
- Privacy banners must clearly identify each party for which the cookie consent is being granted.
- Your company should provide a means for data subject requests to be made electronically. The data protection officer’s contact information should be publicly available, and their tasks should include communication with the data subjects and regulatory authority.
- Update your data and privacy policies under the Brazilian data privacy law
- Collect only minimum required information and for a specific time
- Clean-up your data regularly
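To make the consent, minimization and clean-up guidelines above concrete, here is an added Python example. It is not code from the original article or from any LGPD text; it is a small consent ledger in which consent is recorded per purpose only through an affirmative act, a SHA-256 hash of the notice the subject accepted is kept as evidence, consent can be withdrawn, processing is refused without a valid consent or with fields the purpose does not need, and a retention sweep deletes data once no valid consent remains or the relationship has gone idle. The purposes, the field allow-lists, the subject id, the controller and recipient names and the timestamps are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import hashlib
import json

# Constructed purposes and the minimum fields each one needs (data minimization).
# These names are assumptions for the example, not taken from the LGPD text.
ALLOWED_FIELDS = {
    "newsletter": {"email"},
    "delivery": {"name", "address", "phone"},
}


@dataclass
class ConsentRecord:
    """One purpose-specific consent, kept as evidence that it was affirmative and informed."""
    subject_id: str
    purpose: str
    controller: str
    recipients: tuple
    granted_at: datetime
    evidence_hash: str              # SHA-256 of the exact notice and terms the subject accepted
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self) -> None:
        self.consents: dict = {}        # (subject_id, purpose) -> ConsentRecord
        self.personal_data: dict = {}   # subject_id -> collected fields
        self.last_activity: dict = {}   # subject_id -> last time the relationship was active

    def record_consent(self, subject_id, purpose, controller, recipients,
                       notice_text, affirmative_action, now):
        # Consent must name a specific purpose and be given through an affirmative act;
        # a pre-ticked box or silence does not count.
        if purpose not in ALLOWED_FIELDS:
            raise ValueError(f"unknown purpose {purpose!r}; consent must name a specific purpose")
        if not affirmative_action:
            raise ValueError("consent requires an affirmative action by the data subject")
        evidence = json.dumps({
            "subject": subject_id, "purpose": purpose, "controller": controller,
            "recipients": sorted(recipients), "notice": notice_text, "at": now.isoformat(),
        }, sort_keys=True)
        record = ConsentRecord(subject_id, purpose, controller, tuple(recipients), now,
                               hashlib.sha256(evidence.encode("utf-8")).hexdigest())
        self.consents[(subject_id, purpose)] = record
        self.last_activity[subject_id] = now
        return record

    def withdraw_consent(self, subject_id, purpose, now) -> bool:
        record = self.consents.get((subject_id, purpose))
        if record is None or record.withdrawn_at is not None:
            return False
        record.withdrawn_at = now
        self.last_activity[subject_id] = now
        return True

    def has_valid_consent(self, subject_id, purpose) -> bool:
        record = self.consents.get((subject_id, purpose))
        return record is not None and record.withdrawn_at is None

    def store_personal_data(self, subject_id, purpose, fields, now) -> None:
        # Refuse processing without a live consent for this purpose, and refuse fields
        # the purpose does not need (collect only the minimum required information).
        if not self.has_valid_consent(subject_id, purpose):
            raise PermissionError(f"no valid consent from {subject_id!r} for {purpose!r}")
        excess = set(fields) - ALLOWED_FIELDS[purpose]
        if excess:
            raise ValueError(f"fields not needed for {purpose!r}: {sorted(excess)}")
        self.personal_data.setdefault(subject_id, {}).update(fields)
        self.last_activity[subject_id] = now

    def retention_sweep(self, now, max_idle: timedelta) -> list:
        # Regular clean-up: drop data of subjects with no remaining valid consent,
        # or whose relationship has been idle longer than the retention period.
        removed = []
        for subject_id in list(self.personal_data):
            still_consented = any(
                r.withdrawn_at is None
                for (sid, _purpose), r in self.consents.items() if sid == subject_id
            )
            idle = now - self.last_activity[subject_id] > max_idle
            if not still_consented or idle:
                del self.personal_data[subject_id]
                removed.append(subject_id)
        return sorted(removed)


def demo() -> dict:
    """Constructed walk-through: grant, store, reject excess fields, withdraw, sweep."""
    t0 = datetime(2021, 5, 3, tzinfo=timezone.utc)   # constructed timestamp
    ledger = ConsentLedger()
    rec = ledger.record_consent("subj-1", "newsletter", "ExampleCo", ("MailVendor",),
                                "We will email you a monthly newsletter.", True, t0)
    ledger.store_personal_data("subj-1", "newsletter", {"email": "subj1@example.com"}, t0)
    try:   # a field the newsletter purpose does not need is rejected
        ledger.store_personal_data("subj-1", "newsletter",
                                   {"email": "subj1@example.com", "tax_id": "000"}, t0)
        excess_rejected = False
    except ValueError:
        excess_rejected = True
    kept = ledger.retention_sweep(t0 + timedelta(days=30), timedelta(days=365))
    withdrawn = ledger.withdraw_consent("subj-1", "newsletter", t0 + timedelta(days=31))
    removed = ledger.retention_sweep(t0 + timedelta(days=32), timedelta(days=365))
    return {"evidence_hash_len": len(rec.evidence_hash), "excess_rejected": excess_rejected,
            "removed_before_withdrawal": kept, "withdrawn": withdrawn,
            "removed_after_withdrawal": removed, "data_left": "subj-1" in ledger.personal_data}
```

Run `demo()` to see the flow end to end: data is kept while a valid consent exists and the relationship is active, and is removed by the next sweep after the consent is withdrawn. In a real system the evidence hash would be stored alongside the notice text and the subject's action in an append-only log so that the proof of consent can be produced on request.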
Data Protection Officer to become LGPD compliant
The data controller shall appoint, and publicise the contact information of, an officer in charge of the processing of personal data. The Data Protection Officer's (DPO's) activity consists of:
- Accepting complaints and communications from data subjects, providing explanations, and adopting measures.
- Receiving communications from the national authority and adopting measures.
- Orienting the entity's employees and contractors regarding practices to be adopted in relation to personal data protection.
- Carrying out other duties as determined by the controller or set forth in complementary rules.
The law also provides that the Brazilian “National Authority” may further establish complementary rules about the definition and the duties of the DPO, including the situations when the appointment of such person may be waived, according to the nature and the size of the covered entity or the volume of data processing operations.
The National Authority for Protection of Data (“ANPD”)
The Brazilian ex-President Michel Temer vetoed the provisions of LGPD articles 55, 56 and 57 that would have created an independent National Data Protection Authority. Until a data protection authority is created, it is uncertain how enforcement of LGPD compliance will be carried out. Under the LGPD, the National Authority for the Protection of Data, known as ANPD, will hold the governance authority and powers. The major functions of the authority will be to:
- Enforce LGPD throughout and encourage people to comply with same.
- The national authority shall issue technical opinions or recommendations regarding the exceptions
- The national authority may provide for standards and techniques to be used in processes of anonymization, and carry out security checks, with opinions from the National Board for the Protection of Personal Data.
- The personal data subject has the right to petition, regarding her/his data, against the controller before the national authority.
- The national authority may provide minimum technical standards to make the provisions of the lead sentence of this article applicable, taking into account the nature of the processed information, the specific characteristics of the processing and the current state of technology.
- The national authority shall encourage the adoption of technical standards that facilitate data subjects’ control of their personal data.
LGPD Applicability / When will the LGPD come into effect?
The National Congress of Brazil only passed the LGPD in August 2018. It was originally scheduled to come into effect on 15 August 2020. As of June 2020, the Brazilian President has provisionally delayed LGPD applicability to May 03 2021, as per Provisional Measure #959/2020 (temporary urgent measures issued by the Executive Power) issued on April 29, 2020. Provisional measures are usually valid for 60 days and can be extended for a further 60 days. To become permanent, they have to be approved by the Brazilian Congress within this timeframe; otherwise the measures are invalidated.
Update (June 2020) – Due to COVID-19, on March 20, 2020, the Brazilian Congress has approved a simplified and expedited process for approval of provisional measures, which now has to happen within 16 days.
The Chamber of Representatives approved, on 14 May 2020, a substitute for Bill 1179/2020 (‘the Substitute Bill’) which sought to postpone the entry into force of the provisions of Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) (‘LGPD’) for 2021. In particular, the Substitute Bill only approved the delay of the entry into force of the provisions of the LGPD in relation to sanctions, which are expected to be delayed until 1 August 2021 as Provisional Measure 959/2020 which seeks to postpone the LGPD to 3 May 2021 is still pending before Congress.
LGPD Brazil law in English (PDF)
LGPD Act information (translated into English) can be seen here.
LGPD law in Portuguese
The LGPD Act in Portuguese can be seen here.
Some Relevant Laws / Acts:
General Data Protection Regulation (GDPR)– for European Citizen. This is also known as lei geral de proteção de dados Europa.
Personal Data Protection Bill (PDP) – India – For Indian citizens.
California Consumer Privacy Act (CCPA) – California, United States – For Citizens of California.
Data Privacy – Everything you need to know.
© dataprivacyacts.com. All rights reserved.