Main Aspects of the Brazilian General Data Protection Law
How will the private sector be affected?
Ana Carolina Cagnoni Ribeiro
Sanctioned in the afternoon of August 14, 2018, the Brazilian General Data Protection Law (“LGPD”) brings new regulation to the use of personal data by the public and private sector. Inspired by the European model, LGPD incorporates concepts, definitions and responsibilities very similar, when not identical, to the ones within the General Data Protection Regulation (“GDPR”), that entered into effect in all European Union’ countries in May 25, 2018.
With LGPD Brazil moves away from the sector-based regulation model, allows more legal certainty for players and joins the more than 100 countries that have the same type of legislation.
However, the sanction was accompanied with vetoes. The most relevant was the veto to the creation of the National Data Protection Authority (“DPA”), under the justification of being unconstitutional. Nevertheless, in the sanction ceremony’s speech, it was affirmed that DPA would be created by Provisional Measure or a Bill of Law initiated by the Executive would be proposed within the next weeks. The creation of this agency is fundamental to the adequate implementation of the Law (since many of its provisions determine either a decision to be taken or a measure to be adopted by this authority) and would bring more certainty to companies and data subjects.
Another important issue: exception made for some cases, LGPD has not expressly revoked other laws that deal with the subject matter, especially the Brazilian Internet Framework and the Consumer Defense Code. Therefore, the interaction and interpretation of LGPD’s terms considering previous, but specific law, is still uncertain.
GDPL will take effect in February 2020, 18 months after its sanction.
Below we list some LGPD items which are more relevant to private sector activities. It will be of the utmost importance that companies reevaluate its internal procedures considering data processing activities (not only from customers, but also employees for example) and how these activities are impacted by the new law.
- Personal Data: any information relating to an identified or identifiable natural person. Includes data such as name, identity numbers, e-mail, address, locational data, etc. “Public” data cannot necessarily be used.
- Sensitive Data: data that reveals race, religious beliefs, political opinions, affiliation to labor unions, health conditions, sexual life, genetic or biometric information.
- Anonymized Data: data that are not able to identify data subject. LGPD does not apply to this data, except if anonymization cam be reversed, using reasonable technical means.
- Data Processing: includes all set of activities, from the collection until deletion of personal data. Collection, production, reception, classification, utilization, access, reproduction, transmission, processing and archiving are some examples.
- Controller: an entity who is responsible for taking decisions on the use of personal data.
- Processor: the company that processes personal data according to instructions received from the controller.
2. TERRITORIAL SCOPE: LGPD applies to all companies in Brazil. But not only. LGPD also applies to (A) companies which offer goods or services to people located in Brazil; (B) companies that processes personal data from people located in Brazil; (C) personal data collected within the Brazilian territory.
3. HYPOTHESIS OF DATA PROCESSING: processing personal data is not allowed, except if permitted under the 10 legal hypothesis authorizing it. For the private sector, the most relevant are (A) consent; (B) compliance of legal/regulatory obligation; (C) execution of an agreement; (D) health protection, when made by health professionals; (E) legitimate interest of the controller or third party; or (F) credit protection.
4. CONSENT: shall be given in writing or in a legally equivalent manner and should demonstrate the data subjec’s intention. It is the controller’s responsibility to previously inform about the purposes of the processing of the personal data. Data subject has the right to revoke the consent at any time. Generic authorizations are null and void. And special conditions are imposed to sensitive data or children/teenager data.
5. DATA SUBJECT RIGHTS: data subjects can claim their rights directly to the controller or before the competent authority or consumer defense agencies. Among them, LGPD determines that data subject has the right to (A) confirm data processing; (B) data access; (C) rectification, elimination or blocking of data; (D) anonymization of data; (E) data portability; and (F) review of automated decisions.
6. DATA PROTECTION OFFICER: LGPD determines that every company should nominate a DPO. Only the DPA could exempt companies from this obligation. Contacting information of the DPO should be public, allowing the direct communication with data subjects.
7. LIABILITY: The processing agents are not strictly liable for its activities. However, joint controllers are jointly liable. And the processor is jointly liable with controller if it acts against LGPD or when not in accordance with instructions given. No company will be held liable if there is no violation to the Law.
8. INTERNATIONAL TRANSFER: Personal data will not be able to be transferred to other countries (i.e. servers abroad or sharing between companies of the Group) unless the transfer is authorized by the LGPD. Among the legal possibilities are: (A) transfer to countries that have an appropriate level of protection compared to the LGPD and depending on the decision of the DPA; (B) when the controller provides guarantees of protection derived from contractual clauses, corporate rules, codes of conduct or certificates; (C) with subject’s consent.
9. PENALTIES: fine of up to 2% of the gross revenue in Brazil, limited to BLR 50 million. Daily fines are also possible, but within the same limit. Other penalties are provided in the GDPL, but some were vetoed by the Brazilian President.
10. GOOD PRACTICES AND GOVERNANCE: LGPD encourages data processing agents to implement governance and good practices programs. Such measures must be considered by authorityes when penalties are imposed.