Lei Geral de Proteção de Dados Pessoais (LGPD or General Personal Data Protection Law) is Brazil’s data protection and privacy law that is closely modeled on the General Data Protection Regulation (GDPR) in the European Union. LGPD was passed by the National Congress of Brazil on July 10, 2018, in an effort to unify and enhance 40+ data privacy instruments within the country into a single piece of legislation. LGPD went into effect on September 18, 2020. Like the GDPR, the law impacts global organizations beyond Brazil’s borders.
The extent to which LGPD applies to your organization will depend on the specific nature of your business, so you should always seek skilled legal counsel to help you navigate compliance requirements. However, if your organization does business in Brazil or collects/processes the data of any individual within Brazil, you should familiarize yourself with LGPD’s requirements (summarized below) to understand what impact these regulations may have on you.
Why LGPD Was Passed
LGPD was passed to demonstrate and protect individuals’ right to privacy. Despite Brazil being Latin America’s technology leader and one of the top 10 tech markets in the world, its data protection laws have failed to keep pace with this technological growth. As a side-effect of that rapid growth, Brazil has experienced a number of recent high-profile data breaches. LGPD establishes a clear requirement for organizations to implement controls that protect individuals’ personal data, with the end goal of reducing the impact of breaches on individuals.
LGPD Establishes the National Data Protection Authority
In addition to introducing privacy regulations, the LGPD also established a separate national authority, the Autoridade Nacional de Proteção de Dados (ANPD or National Data Protection Authority in English), which is responsible for enforcing the law, including issuing penalties and fines. The creation of the ANPD was originally vetoed by President Jair Bolsonaro but later reinstated via executive order in August of 2020.
Who LGPD Applies To
LGPD applies to any organization (or individual) regardless of size, industry, public or private status, or country of residence.
Any legal entity or natural person processing data collected from persons in Brazil (“data controller”) is subject to LGPD if:
- The data collected/processed is about people in Brazil;
- The processing is carried out inside Brazil;
- The processing is for the purposes of offering and selling goods or services to individuals in Brazil; or
- The processing is of personal data collected within Brazil.
There are some limited exceptions to the applicability of LGPD. Exceptions include situations where the data is being collected and/or processed:
- By a natural person for private and non-commercial purposes.
- For journalistic, artistic, or academic purposes, regardless of who does the collecting.
- For the purposes of national security, defense, or public safety.
- For investigating and prosecuting criminal offenses.
- If the personal data originates in other countries and only passes through Brazil without any processing being carried out.
LGPD Includes a Broad Definition of Personal Data
LGPD defines personal data broadly as any information that could be used to identify an individual. This includes any information that could be combined with other information to identify an individual. That means information such as email, IP addresses, phone numbers, geolocation, and credit card numbers can all be considered personal information under LGPD.
Sensitive Personal Data
Brazil has a culturally and racially diverse population. Like Europe’s GDPR, LGPD recognizes that additional protections are sometimes needed to protect individuals against discrimination. These potentially higher-risk attributes are defined as “sensitive personal data” under LGPD and include:
- Health information
- Genetic information
- Sexual information
- Medical information
- Biometric characteristics
- Racial or ethnic origin information
- Political affiliations
- Religious affiliations
LGPD Compliance Obligations
LGPD is a significant enhancement and consolidation of Brazil’s previous data privacy laws, and the changes will affect organizations in every industry. Below are some of the key compliance considerations businesses will need to consider.
1. Define and Document Lawful Basis for Processing Personal Data
LGPD requires every organization that collects or processes personal data to have at least one of the following legally acceptable reasons for doing so, as well as to document those reasons for auditing purposes.
- Consent from an individual to process their data. Any individual over the age of 18 can consent to the processing of their personal data.
- To follow applicable regulatory requirements and public policies. Organizations can collect and process data if it is required in order to follow laws and regulations that apply to them.
- For the purpose of conducting a study or research. Research is a legal basis for personal data processing, as long as organizations take reasonable steps to anonymize that data.
- To fulfill a contractual agreement. Processing an individual's personal data is acceptable if you’ve signed a contract with that individual to deliver goods or services and need to process their data to provide it to them.
- Legal proceedings. Personal data may be processed for the sake of a court case, arbitration, or other legal proceedings.
- To protect the life or physical safety of an individual or a third party. For example, national security is a legally acceptable reason to process personal data.
- To protect an individual’s health in healthcare procedures. For example, it’s acceptable to process personal data to ensure you’re not putting a patient at risk during surgery.
- For the legitimate interests of your organization or a third party. Your organization’s interests are a legal basis for processing personal data, as long as those interests do not conflict with the rights, freedoms, or interests of an individual.
- For the sake of protecting an individual’s credit. Protecting an individual’s credit is an acceptable basis for processing data, as long as that processing is done in accordance with the provisions laid out in other relevant legislation in addition to LGPD.
2. Honor the Privacy Rights of Individuals
Like GDPR, LGPD provides individuals with several rights that they can request organizations to recognize and uphold at any time. Organizations must have internal procedures and processes in place to respond to requests from individuals who exercise these rights, which include:
- Confirmation of processing. Individuals have the right to confirm whether their personal data has been or is being processed.
- Access to personal data. Individuals may request access to any of their personal data that an organization processes.
- Data portability. Individuals may request that their personal data be transferred to another service or product provider, as long as that request is in accordance with other national regulations, doesn’t compromise any commercial or industrial secrets, and the data hasn’t already been anonymized.
- Rectification of inaccurate information. Individuals may request that inaccurate, outdated, or incomplete personal data be corrected or updated.
- Anonymization, blocking, or deletion of data. Individuals can request that unnecessary or excessive personal data, or personal data processed in a non-compliant manner, be anonymized, blocked, or deleted.
- Deletion of data. Individuals may request to have their personal data deleted at any time where processing is based on consent.
- Right to be informed. Individuals have the right to be informed about third parties granted access to their personal data. Individuals also have the right to be informed regarding their right to refuse consent.
- Withdrawal of consent. Individuals have the right to revoke their consent to process or collect data at any time.
- Review of automated decisions. Individuals have the right to request the review of decisions solely based on automated processing that affects their interests, including profiling.
- Filing complaints. Individuals may file a complaint against an organization with the ANPD if they feel that any of these rights have been violated.
3. Appoint a Data Protection Officer (DPO)
The LGPD requires every organization under its jurisdiction to appoint a data protection officer (DPO) to be their point person for data protection efforts. The DPO does not have to be an individual person; a committee can provide this service, as can an outside consultant. The DPO is responsible for ensuring that the organization takes appropriate action to protect personal data and for communicating with end-users and government authorities on matters related to data privacy. The identity and contact information of the DPO must be available to the public (preferably on your website).
4. Prepare, Inventory, and Conduct Data Protection Impact Assessments (DPIA)
To comply with LGPD, you must document the types of data you’re collecting, the methods used, and the steps taken to secure that data. You must also identify potential risks and document what you’ve done to mitigate them. Every organization that falls under LGPD’s jurisdiction should have these records on hand to show to a regulator upon request.
5. Follow Data Security Requirements and Data Breach Notification Protocols
Organizations must implement adequate organizational and technical controls in order to secure personal data from unauthorized access, deletion, alteration, sharing, or processing. In the event that a breach occurs that presents a risk or causes damage to individuals, organizations must notify the ANPD and individuals affected by the breach within a reasonable time period and include the following information:
- The type of personal data that was exposed and the individuals affected
- The risks associated with the exposure of that data
- The security measures in place to protect personal data (unless sharing this information would disclose industrial or commercial secrets)
- What your organization is doing to mitigate the effects of the breach on the individuals at risk
The ANPD may require an organization to take further steps, such as alerting the media about the breach or taking specific steps to mitigate the effects of the breach on affected individuals. These actions are assessed on a case-by-case basis.
6. Implement Privacy by Design
Like GDPR, LGPD requires organizations under its jurisdiction to design their data processing systems and procedures so that privacy is the default setting (the approach known as privacy by design) rather than adding privacy controls to those systems as an afterthought. Organizations should also be prepared to demonstrate the effectiveness of their data protection measures to the ANPD, as an audit could be conducted at any time.
7. Comply with Cross-Border Data Transfer Requirements
LGPD allows organizations to transfer protected personal data outside of Brazil if the laws of the country the data is transferred to provide adequate protection for that data. Adequacy of protection is determined by the ANPD. In the event that the protections offered by the receiving country are deemed inadequate by the ANPD, transfers may still be allowed if certain conditions are met.
Penalties for Non-Compliance
Under LGPD, penalties for non-compliance are assessed by the ANPD and can include fines of up to 2% of a company’s annual revenue to a maximum of 50 million Brazilian reais per violation (approximately €7.5 million or $9M USD at the time of writing). The ANPD also has the authority to block access to or delete personal data from related databases and to partially or fully prohibit data processing activities in the event that a violation occurs. Additionally, the LGPD provides individuals with the right to seek civil damages for violations of their privacy, meaning organizations could face legal action from consumers in addition to fines assessed by regulators.
Go Beyond Compliance
Regulations like LGPD and GDPR are landmark steps toward the protection of individuals’ right to privacy. But their similarities should also serve as a wake-up call to organizations everywhere that data privacy will require a lot more than plugging in a new set of controls for their existing systems in the future.
Instead, businesses should look to build privacy functionality into their systems from the outset, considering the well-being of the end-user rather than just the legal requirements. Not only will this help them earn the trust of consumers, but it will also likely simplify the process of complying with new regulations as they emerge.