On August 15, 2020, Brazil is set to begin enforcing its general data protection law, the Lei Geral de Proteção de Dados Pessoais, commonly called the LGPD. The law was passed on August 14, 2018, and a set of amendments to it was sanctioned by President Bolsonaro in July 2019.
The LGPD is closely modeled on the European Union’s GDPR, albeit with some notable differences. Once the LGPD is in force, organizations will be responsible for appointing a Data Protection Officer (DPO), who serves as the point of contact for data subjects and the supervisory authority on all matters of personal data processing.
In this post, we explain what the LGPD is, how it resembles the GDPR, and where the two differ.
An Insight Into Brazil’s Internet User Penetration
Approximately 66% of Brazil’s population has access to the Internet, and those users spend about 26 hours a week online. Brazil’s Internet user base has been forecast to reach 169 million by the end of 2023, and the country already ranks fourth in the world by number of Internet users.
With such a large Internet user base, Brazil already has approximately 40 legal norms at the federal level that regulate online privacy. However, these are sectoral laws that offer individuals only partial protection. An all-embracing framework such as the LGPD protects users across all sectors of the economy, both public and private.
What Is A Data Subject?
Before we jump into the key features of the LGPD, it is important to understand what a data subject is. Although the GDPR already defines the term comprehensively, the LGPD states its own definition explicitly:
A data subject is any natural person whose personal data is being collected and/or processed.
Under Article 18 of the LGPD, data subjects hold nine rights over their personal data:
- Confirmation that their data is being processed
- Access to their data
- Correction of incomplete, inaccurate, or outdated data
- Anonymization, blocking, or deletion of data that is unnecessary, excessive, or processed in violation of the LGPD
- Portability of their data to another service or product provider
- Deletion of personal data processed on the basis of their consent
- Information about the public and private entities with which the controller has shared their data
- Information about the option to deny consent and the consequences of doing so
- Revocation of consent
Key Features Of The LGPD
Who Does The LGPD Apply To?
Like the GDPR, the LGPD applies extraterritorially: any company or website that processes the personal data of individuals in Brazil must comply, regardless of where it operates from.
Under Article 3, the law applies to any processing operation where:
- the personal data was collected in Brazil;
- the processing concerns individuals located in Brazil, or is carried out to offer them goods or services, regardless of where the processor is located; or
- the processing itself takes place within Brazilian territory.
It is also important to note that the LGPD is transversal and multi-sectoral: it applies to both the public and private sectors, online and offline.
How Is Data Defined Under The LGPD?
The LGPD broadly defines three categories of data:
| Category | LGPD definition | Notes |
|---|---|---|
| Personal | “Information regarding an identified or identifiable natural person.” | The LGPD gives no exhaustive list of what counts as personal data, but it includes identifiers such as name, gender, address, and ID numbers. |
| Sensitive | “Personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data, when related to a natural person.” | A sub-category of personal data. Under Article 11, consent to process sensitive data must be specific and highlighted, and given for specific purposes. |
| Anonymized | “Data related to a data subject who cannot be identified, considering the use of reasonable and available technical means at the time of processing.” | Anonymization must be effective: under Article 12, data is treated as personal data if the anonymization can be reversed with reasonable effort, or if the data is used to build the behavioral profile of an identifiable person. |
Additional Definitions Under LGPD
Some other definitions in the LGPD that help clarify the framework:
- Processor: A natural or legal person, public or private, that processes personal data on behalf of the controller.
- Processing: Any operation carried out with personal data, including collection, production, receipt, classification, use, access, reproduction, transmission, distribution, and others.
- Controller: A natural or legal person, public or private, that has the authority to make decisions on the processing of personal data.
- Consent: A ‘free, informed and unambiguous manifestation whereby the data subject agrees to the processing of his or her personal data for a given purpose.’
Similarities Between LGPD and GDPR
As mentioned above, the LGPD is closely modeled on the GDPR, which is why it is often called Brazil’s GDPR. The two frameworks share several features:
| Feature | GDPR and LGPD |
|---|---|
| Territorial scope | Both apply to any business or individual that processes the personal data of people in the respective jurisdiction, irrespective of where the processing takes place. |
| Data subject access requests | Data subjects have the right to request access to their data and the right to have it deleted (the right to be forgotten). |
| Appointment of a Data Protection Officer (DPO) | Both frameworks call for a DPO. Under the GDPR one is mandatory when the organization is a public authority, carries out large-scale regular and systematic monitoring of individuals, or processes, as a core activity, large-scale special-category data or data relating to criminal offenses. The LGPD (Article 41) requires every controller to appoint one, subject to exemptions the ANPD may define. |
Even where these criteria are not met, both frameworks encourage organizations to appoint a DPO.
Differences Between LGPD and GDPR
| Aspect | GDPR | LGPD |
|---|---|---|
| Legal bases for data processing | Six: consent, contract, legal obligation, vital interests, public task, legitimate interests. | Ten: consent, contract, legal obligation, protection of life, protection of health, legitimate interest, public task, credit protection, exercise of rights in legal proceedings, research by study entities. |
| Penalties | Fines of up to 4% of annual worldwide turnover or 20 million euros, whichever is higher. | Fines of up to 2% of the organization’s revenue in Brazil in its last financial year, capped at 50 million Brazilian reais per infraction. |
| Data breach notification | Mandatory; breaches must be reported to the supervisory authority within 72 hours. | Mandatory; breaches must be reported to the ANPD and affected data subjects within a ‘reasonable’ timeframe, to be defined by the ANPD. |
For publishers active in Brazil or using data of Brazilian individuals, the following links provide more clarity: