Brazil Enacts its First Comprehensive Data Privacy Law

By: Gabriel A. Peixoto

2018 has been a banner year for data privacy.  In May, the European Union’s General Data Protection Regulation (“GDPR”) entered into force.  The next month, California passed a sweeping data privacy law, the California Consumer Privacy Act, that will likely be the toughest consumer privacy law in the United States once it goes into effect in 2020.  And this is just the beginning as pressure now intensifies for a comprehensive Federal data privacy regime.

Given this backdrop, it is not surprising that Latin America’s biggest market, Brazil, followed suit with its own law on August 14, 2018, when President Michel Temer signed into law the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados, 13.709/2018) (“LGPD”).  The LGPD, which was inspired by and mirrors many of the key provisions of the GDPR, is Brazil’s first comprehensive data privacy law.  Below, I answer ten key questions about the law.

1.  What businesses are covered by the LGPD?

The LGPD regulates data processing by businesses if:  (1) the data is collected or processed in Brazil, or (2) the purpose of the data processing is to offer or provide goods or services in Brazil.  Art. 3.  Importantly, the processing of personal data by an individual for personal use, or for journalistic, artistic, academic, public safety, or national defense purposes is exempted from the scope of the LGPD.  Art. 4. Additionally, the LGPD is explicitly extraterritorial; it even applies to foreign businesses headquartered outside of Brazil.  Art. 3.

2.  How does the LGPD define personal data?

The LGPD defines “personal data” as information related to an identified or identifiable natural person.  Art.  5.  It also defines a subset of such data as “sensitive personal data,” which is entitled to additional protections.  Under the LGPD, “sensitive personal data” is personal data related to a natural person about racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data referring to health or sex life, genetic or biometric data.  Id.

3.  When can personal data be processed under the LGPD?  

The LGPD provides ten legal bases for processing personal data (Art. 7.) (different bases apply to the processing of sensitive personal data (Art. 11)).  These bases include data subject consent (Art. 8), compliance with a legal or regulatory obligation, and necessity for execution of a contract at the request of the data subject.  Art. 7.  The LGPD also specifies ten general principles regulating the processing of data:  purpose, suitability, necessity, free access, quality of the data, transparency, security, prevention, nondiscrimination, and accountability.  Art. 6.

4.  What rights does the LGPD give to data subjects?

The LGPD confers data subjects with a broad set of enumerated rights (Arts. 17-22), including confirmation of data processing, access to data, correction, anonymization or deletion of unnecessary data, portability, information about third parties which data has been shared, and revocation of consent (Art. 18).  The LGPD further specifies that businesses are required to delete personal data after it has been processed.  Arts. 16, 18. 

5.  Does the LGPD specify minimum security requirements?

Businesses processing personal data are required to adopt security, technical, and administrative data protection measures to prevent the unauthorized access, loss, alteration, transmission, or unlawful processing of data.  Art. 46. The LGPD also requires that businesses appoint a data protection officer in charge of processing personal data.  Art. 41.

6.  What obligations do businesses have in the event of a data breach?

In the event of a data breach, businesses must notify the data subject and the government of the incident within a reasonable time period.  Art. 48. The LGPD articulates the minimum requirements for such notices:  description of data affected, data subjects involved, measures used to protect the data, reasons for delay in notification, risks as a result of the incident, and mitigation efforts.  Id.  The LGPD also establishes that businesses (both data controllers and processors) can be liable to data subjects for damages caused by violations of the law. Art. 42.

7.  Does the LGPD apply to cross-border data transfers?

Yes—the LGPD sets forth limits on the transfer of personal data outside of Brazil.  Art. 33. Generally, for businesses the international transfer of personal data is only permitted to countries that have legal protections as strict as the LGPD or when the data transferee guarantees its compliance with the LGPD.  Id.

8.  What happens if businesses fail to comply with the LGPD?

Businesses that fail to comply with the LGPD may be subject to administrative sanctions ranging from a warning to fines of up to two percent (2%) of their gross revenue in Brazil for the previous year, up to fifty million reais (R$ 50,000,000) (approximately $12.3 million at the time of publication) per violation.  Art. 52.

9.  Who regulates the LGPD?

The National Data Protection Authority (Autoridade Nacional de Proteção de Dados) (“ANPD”) was supposed to enforce the LGPD, including the levying of administrative sanctions, and issue rules in connection with the LGPD.  However, when President Temer signed the LGPD into law, he line-item vetoed several key provisions, including the provision that created the ANPD.  Despite the temporary absence of a regulatory authority, President Temer is expected to propose legislation creating a national authority, and that such a bill will pass the Brazilian Congress.

10.  When will the LGPD go into effect?

The LGPD will go into effect in February 2020. Art. 65.