In an ever more connected world, with a growing number of internet services and users, data protection has become increasingly important for both businesses and individuals. Accordingly, several regions and countries have already enacted comprehensive data protection laws. Well-known examples include the California Consumer Privacy Act (CCPA), established by the U.S. state of California, and the General Data Protection Regulation (GDPR), which applies in the European Union.
Following this global development, Brazil passed its General Data Protection Law in 2018. In Portuguese, it is called LGPD, or Lei Geral de Proteção de Dados. Inspired by the GDPR, the LGPD aims to regulate the processing of personal data of identified or identifiable individuals in Brazil. Processing includes, among others, the collection, storage, use, or transfer of personal data.
“As personal data has become an increasingly important asset in our economy, it is expected that the LGPD will have a significant impact on most Brazilian companies and industries,” said Lukas Rhomberg. He is a partner at the Brazilian law firm FCR Law and the ILM Group consultancy in São Paulo. An English version of the LGPD, created by the Brazilian law firm Pereira Neto Macedo Advogados, is accessible at this link.
The GDPR.EU website prepared a basic comparison between the GDPR and LGPD, entitled “What is LGPD? The Brazilian Version of the GDPR.” According to the analysis, the two laws share many similarities, but also some important differences. A key similarity is that “the LGPD applies to any company or organization that processes personal data of people in Brazil, regardless of where that company or organization is located.”
Organizations that have already dealt with the GDPR will recognize Article 18 of the LGPD, which sets out the nine fundamental rights of data subjects. These include, for example, the right to confirmation that their data is being processed, the right to correct incomplete, inaccurate, or outdated data, and the right to have data that is unnecessary, excessive, or processed in violation of the LGPD anonymized, blocked, or deleted.
On the other hand, there are some differences, for instance regarding data breach notifications. The GDPR requires organizations to report a data breach within 72 hours of discovery. The LGPD does not specify a concrete deadline (see Article 48).
However, in recent weeks, political maneuvering around the new data protection law has caused some confusion about when it will take effect. Those following the discussions have seen constant back-and-forth regarding the official date on which the LGPD will come into force. The dates under discussion were May 2021, the end of 2020, or even as early as August 16 of this year.
As reported by Canaltech on August 28 of this year, the Brazilian Chamber of Deputies had already approved Provisional Measure (MP) 959/2020. This would have set the entry date to December 31, 2020. But the Senate thought differently and turned the MP into Conversion Bill (PLC) 34/2020. This bill now awaits the final sanction of President Jair Bolsonaro to put the LGPD into effect immediately. Importantly, companies need to be aware that the law can still come into effect retroactively.
The entity responsible for ensuring compliance with the law is the National Data Protection Authority (ANPD). According to Law 14.010, any penalties are only to be applied from August 2021 onward.
Despite this, Brazilian companies have already started reviewing their data protection policies. In particular, the legal departments of large Brazilian companies have begun sending LGPD compliance questionnaires to their suppliers and partners. The main reason is that both the controller and the processor can be held liable for breaching LGPD rules.
The LGPD imposes a series of obligations on anyone who wishes to process personal data, in order to protect that data from unauthorized processing. According to Article 7 of the LGPD, data processing is permitted, for example, when the data subject has given specific, free, informed, and unequivocal consent. Another legal basis is processing required for the performance of a contract or for pre-contractual steps.
As a central part of LGPD compliance, all companies must appoint or hire a Data Protection Officer (“DPO”). The DPO can be an employee or an external service provider. The DPO is responsible, for instance, for receiving complaints and other communications from data subjects, providing clarifications, or taking necessary actions. The DPO also guides employees and suppliers on LGPD issues.
A recent national survey showed that 64% of organizations have not yet complied with the Data Protection Law (LGPD). Twenty-four percent of these companies don’t even know what the legislation is about. For these results, over 400 Brazilian companies answered a questionnaire between June and July of this year.
“Companies that do not comply with the LGPD, or whose business partners are not in compliance, may soon be subject to significant penalties and claims for damages,” said Lukas Rhomberg (FCR Law). He recommends that companies that have not yet implemented an LGPD compliance program should do so urgently.
However, compared to the maximum fines under the GDPR, the penalties under the LGPD are much less severe. According to current legislation, the maximum fine per violation would be “2% of the revenue of a private legal entity, group, or conglomerate in Brazil in the previous fiscal year, excluding taxes, up to a maximum total of R$ 50 million.”