BRAZILIAN PRIVACY LAW
In 2018 Brazil passed the Lei Geral de Proteção de Dados (General Data Protection Law, or LGPD) that made significant changes to their existing privacy and data protection laws. The LGPD impacts many businesses that operate in Brazil, even those companies that do not have a physical address in Brazil. After passing the Act, Brazil created the Brazilian National Data Protection Authority to enforce LGPD and also extended the compliance period to August 2020.
“Personal Data” is defined as information relating to an identified or identifiable natural person, in both digital and non-digital form. Unlike GDPR, the definition does not contain examples of personal data.
“Sensitive Personal Data” is defined as data relating to racial or ethnic origin, religious belief, political opinion, union membership, philosophical or political organization, health, sexual orientation, and genetic or biometric data.
Application of LGPD
The LGPD regulates controllers and processors of personal data. Similar to CCPA and GDPR, LGPD applies across industry sectors and also has extraterritorial application.
It applies to any individual or organization (private or public) that, (regardless of residency)
- Collects or processes personal data in Brazil; or
- Intends to offer or provide goods or services to individuals in Brazil.
Therefore, the consequences of non-compliance with LGPD will be as severe as non-compliance with GDPR because a business collecting or processing personal data is not required to be headquartered or have a physical address in Brazil for LDPD to apply. Violations of the LGPD can result in fines of up to 2 percent of the company’s gross revenues derived from Brazil.
Data Subject Rights under LGPD
- The right to confirmation of the existence of the processing;
- The right to access the data;
- The right to correct incomplete, inaccurate or out-of-date data;
- The right to anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD;
- The right to the portability of data to another service or product provider, by means of an express request
- The right to delete personal data processed with the consent of the data subject;
- The right to information about public and private entities with which the controller has shared data;
- The right to information about the possibility of denying consent and the consequences of such denial; and
- The right to revoke consent.
Difference Between GDPR and LGPD
- “Legitimate Interest” Standard
LGPD’s legitimate interest standard is satisfied where the processing of personal data can be shown to support and promote the controller’s activities after balancing the data subject’s privacy rights. However, under the GDPR, the legitimate interests of the controller cannot override the fundamental rights and freedoms of the data subject.
- Data Protection Officer
All organizations governed by the LGPD as controllers will also need to appoint a data protection officer. Data protection officers need not be natural persons, which means companies can serve as a DPO also, it is unclear whether they need to reside in Brazil. On the other hand, GDPR only requires a data protection officer in certain circumstances.
- Data Processing Agreements
It is not clear whether the LGPD will require data processing agreements between the collectors and processors as required by Article 28 of GDPR. But it is recommended by privacy law experts to implement a DPA so that parties fully understand their individual responsibilities regarding the collection, use, and protection of personal data.
- Reporting Data Breaches
Under GDPR an organization must report a data breach within 72 hours of its discovery. The LGPD does not give any firm deadline but Article 48 merely states that “the controller must communicate to the national authority and to the data subject the occurrence of a security incident that may create risk or relevant damage to the data subjects… in a reasonable time period, as defined by the national authority.” There is no guidance regarding the same as of now.
Prepared by Christopher L. Rasmussen, Esq., Managing Partner – Commercial, Trademark, and Privacy Practice Group, Inventus Law, PC., 3260 Hillview Avenue, Palo Alto, CA 94304, firstname.lastname@example.org, 1.408.482.3216 and Abhilipsa Panda, Commercial Law Clerk, Inventus Law, PC., 3260 Hillview Avenue, Palo Alto, CA 94304, email@example.com. Please do not hesitate to contact Mr. Rasmussen or Ms. Panda if you have any questions about this memo or privacy matters.
Disclaimer: The information on this page is being provided for information purposes only and is drafted entirely on the basis of public resources. Information contained on or made available herein is not intended to and does not constitute legal advice, recommendations, mediation or counseling under any circumstance. This information and your use thereof do not create an attorney-client relationship. You should not act or rely on any information provided herein without seeking the advice of a competent attorney licensed to practice in your jurisdiction for your particular business
 Please note that LGPD does not apply to anonymous data or data used for artistic, household, academic, journalistic, or national security purposes.
 Controllers are the legal or natural entities that decide how and why to collect and process personal data. Processors are the entities that process the data according to the controller’s instructions.
 The LGPD does not require the designation of a representative in Brazil in the same way the GDPR requires one for United States businesses offering goods and services in the EU.