After a number of postponements and many discussions about further delay, the Brazilian Lei Geral de Proteção de Dados Pessoais (General Data Protection Law, LGPD) is on the verge of entering into force. In a surprise move, the Brazilian Senate on Wednesday 26 August decided not to agree to a further postponement, but to let the law enter into application immediately. Enforcement of the law will start in August 2021. Possibly, the only remaining wait is for the signature of President Bolsonaro, which is due within 15 days of the vote*. Immediately after the vote, the decree establishing the Brazilian data protection authority was already published.
While waiting for the official start of the law, this seems to be the right moment to take another look at what the LGPD requires from organizations doing business in Brazil. When looking at the new Brazilian law, it is immediately clear that there is a fair amount of overlap between the LGPD and the GDPR. This is no surprise – the LGPD is an omnibus data protection law as well, modeled after the GDPR. It explicitly recognises that data protection is linked to the respect for privacy, to informed self-determination and human rights, but also to free enterprise and free competition.
The LGPD stipulates in Article 6.X that accountability is one of the key principles to which data processing operations by controllers and processors shall be subject. According to the provision, this requires the controller or the processor to be able to demonstrate “the adoption of measures which are efficient and capable of proving the compliance with the rules of personal data protection, including the efficacy of such measures”. A similar requirement can be found in Chapter IV, Section II, for public authorities. Both requirements are rather similar to the accountability requirement in the EU GDPR, and the LGPD likewise includes an obligation in Article 37 to maintain a register of processing activities. The rules related to mandatory impact assessments, as well as any exceptions to the mandatory appointment of a data protection officer, will be defined by the DPA.
Article 7 et seq. of the LGPD contain the legal bases for data processing in Brazil. These include compliance with a legal obligation, processing in the public interest, or the protection of health, but also consent and legitimate interest. For the latter two, the burden of proof is on the data controller – this means an organization will have to properly document what consent was received, or how the company’s interests are balanced against the rights of the individual. For sensitive data, which is defined as personal data concerning racial or ethnic origin, as well as for children’s and adolescents’ data, additional requirements apply.
A large part of the LGPD is dedicated to the rights of individuals. According to Article 17, each “natural person is assured ownership of her/his personal data, with the fundamental rights of freedom, intimacy and privacy being guaranteed”. Everyone therefore has the right to get confirmation that their data are being processed. In addition, the law foresees the rights of access, correction, deletion, and data portability, as well as the possibility to block the processing of contested data. Controllers and processors are furthermore obliged to provide transparent information on their data processing activities.
The deadlines for dealing with individual requests are short. A simplified response (which is not defined in the law, but could for example include the statement that no data is held on the individual) needs to be provided immediately. For a more detailed response “that indicates the origin of the data, the nonexistence of record, the criteria used and the purpose of the processing, subject to commercial and industrial secrecy” the law foresees 15 days.
Chapter V LGPD contains the rules related to international data transfers from Brazil to third countries. Transfers may take place to countries that the Brazilian DPA has declared adequate, or on the basis of sufficient guarantees that the data will be protected (which includes the use of standard contractual clauses or ad hoc agreements, but also “global corporate rules”, which would likely include BCRs and CBPRs). Transfers for a range of public interests, on the basis of consent, or following approval by the DPA are also allowed.
Controllers and processors that do not meet the requirements of the LGPD may be confronted with serious fines. Apart from possible warnings, the blocking of processing activities and the publication of the contravention, the law foresees fines of up to 2% of the company’s revenue in Brazil in the previous year (either at company, group or conglomerate level), with a maximum of 50 million reais (~ $9 million). In more serious situations, that maximum would apply to a daily fine, which could likely be imposed until the contravention is ended.
* Brazilian scholars do not yet agree on whether an additional signature from the president is required. The Senate initially stated the LGPD would apply as of 28 August, but later indicated that was not necessarily the case.