Understanding the Brazilian Data Protection Act
On 15 February 2020, the Lei Geral de Proteção de Dados Pessoais (LGPD), or the General Law on the Protection of Personal Data, will enter into force in Brazil. This law has been hailed by many as the first GDPR-like law in Latin-America, helping Brazil to ensure a high level of data protection.
From the moment of the law’s publication in August 2018 to its effective date, organizations will have had 18 months to prepare for this new piece of legislation. In this blog, we will take a closer look at some of the highlights of the new Brazilian LGPD.
Article 7 LGPD on the lawfulness of data processing contains the ten legal bases that allow organizations to process personal data in Brazil, at least one of which should apply to any data processing operation. The legal bases are:
– compliance with a legal or regulatory obligation
– execution of public policies (only for the public administration)
– research (anonymized, if possible)
– execution of a contract (or the pre-contractual phase)
– exercising of rights in judicial, administrative, or arbitration procedures
– protection of life or physical safety
– protection of health
– protection of legitimate interests
– protection of credit, according to the pertinent legislation
Many of these legal bases are similar to what can be found in laws like the GDPR, although some of the formulations are slightly different, and some additional criteria have been set. Additionally, the LGPD contains specific criteria on how to deal with sensitive data, stipulating that those data cannot be processed unless with a specific legal basis, including the individual’s consent.
When looking at consent, the LGPD seems a little less strict than the GDPR, citing in article 8 that consent needs to be provided in writing or by another means that demonstrates “the manifestation of the will of the data subject.” The burden to prove that consent was validly obtained is on the data controller, and consent should be clearly distinguished from other items, such as contractual clauses. Consent can be revoked at any time and at no cost. Also, consent needs to refer to “particular purposes.” In other words, it needs to be specific.
Legitimate interest under the LGPD is further explained in article 10 of the law. It is rather similar to legitimate interest as we know it from the European Union. It includes the need for data controllers to identify the specific activities for which they process data, as well as the way the rights of the data subject are protected. Also, the data controller needs to make sure the data subject will not be surprised by the fact that his/her data will be processed, i.e. that there is a reasonable expectation of data processing.
Some level of transparency is expected from the data controller. The supervisory authority can request that a privacy impact assessment (PIA) be performed when a data controller wants to rely upon legitimate interest. However, the supervisory authority has not been established to-date.
The LGPD is yet another data protection law that is built on the accountability principle, which means that organizations are required to adopt measures that help to demonstrate compliance. One of those measures is the obligation to maintain a register of processing activities, similar to the one that is required under the GDPR. However, the LGPD does not spell out which elements need to be documented as part of the register. The same is true for the obligation to complete privacy impact assessments.
The obligation is part of the law, but it needs to be further specified by the supervisory authority, including in which situations PIAs are mandatory and how they need to be completed. Based on the law, it seems private sector organizations may only need to complete impact assessments when processing personal data on the basis of legitimate interest, and a broader obligation would be imposed on the Brazilian public sector.
Data Subject Rights
Chapter III LGPD is devoted to data subject rights. Brazil will extend several rights to individuals, including a right of confirmation that an individual’s data are being processed, as well as the more traditional rights of access, correction, blocking, and deletion. Under the LGPD, an individual can also request the anonymization of their data. Requests can be filed at any time, and organizations are bound to respond within 15 days (for the right of access, at least). Data subject rights can be exercised at no cost to the data subject.
Contraventions under the LGPD can be sanctioned with a fine of up to 2% of the annual turnover of an organization, with a maximum of 50 million real (US$ 12.85 million). Also, a warning can be issued. The enforcement notice can furthermore contain the order to block or delete the data to which the infraction refers. Other sanctions, which were part of the draft law, including the possible suspension of processing, were vetoed by Brazilian president Temer when the LGDP was presented to him for his signature.
Similarly, the provisions on the creation of an independent supervisory authority were vetoed. Therefore, it is not clear how the LGPD will be enforced. Previously, the Brazilian government had announced that the supervisory authority would be established by a different act, although a bill to this end has not yet been published.
How Nymity Helps
Like the GDPR, the LGPD is an omnibus law. This means that it covers many principles of data protection law, unlike, for example, the California Consumer Privacy Act which focuses on data subject rights. Nymity has identified 24 provisions of the LGPD that contain accountability requirements for which some form of evidence would be required. These 24 provisions map to 43 privacy management activities from the Nymity Privacy Management Accountability Framework™. For comparison, the GDPR contains 55 mandatory privacy management activities.
In the coming weeks, Nymity will release an LGPD Accountability Handbook, which will not only contain the full overview of the privacy management activities that we consider to be mandatory under the Brazilian law, but it will also show the overlap between the GDPR and the LGPD. In the meantime, please contact us if you would like to learn more about how we can help you operationalize LGPD compliance.
On 28 December 2018, the Brazilian President Temer signed a provisional measure amending the Brazilian data protection act. First of all, the date it will start to apply has been moved from 15 February to 15 August 2020, providing six additional months for organisations to prepare. Furthermore, the provisional measure contains the provisions on the creation and functioning of the Brazilian data protection authority, that were previously vetoed by the President.
When the law comes into force, Brazil will have a National Authority for Data Protection (ANPD), that is solely responsible for the enforcement of the LGPD, as well as a National Council for Data Protection, that will support the ANPD and propose strategic guidelines, raise awareness and prepare annual reports on the state of data protection.