What Brazilian companies must know about the LGPD
In an increasingly connected world with an ever-growing number of internet services and users, data protection has become more and more important. Both for companies and private individuals. Accordingly, several regions and countries have already launched comprehensive data protection laws. Well-known examples are the California Consumer Privacy Act (CCPA), established by the US-state California. And the General Data Protection Regulation (GDPR), valid for the European Union.
Following this worldwide development, Brazil passed its General Personal Data Protection Act in 2018. In Portuguese, it is called LGPD, or Lei Geral de Proteção de Dados. Inspired by the GDPR, the LGPD aims to regulate the processing of personal data of an identified or identifiable natural person in Brazil. Processing encompasses, amongst others, collecting, storing, using, or transferring personal data.
“Since personal data has become an ever more important asset in our economy, the LGPD can be expected to have a significant impact on most Brazilian businesses and industries”, said Lukas Rhomberg. He is partner of the Brazilian law firm FCR Law and the consulting firm ILM Group in São Paulo. An English version of the LGPD, created by the Brazilian law firm Pereira Neto Macedo Advogados is accessible at https://www.pnm.adv.br/wp-content/uploads/2018/08/Brazilian-General-Data-Protection-Law.pdf.
Various similarities between the LGPD and GPDR
The website GDPR.EU has prepared a basic comparison of the GDPR and LGPD, named “What is the LGPD? Brazil’s version of the GDPR”. According to the analysis, the two legislations present various similarities, but also some important differences. A fundamental similarity is that “the LGPD applies to any business or organization that processes the personal data of people in Brazil, regardless of where that business or organization itself might be located”.
Organizations that have already dealt with the GDPR, will recognize the Article 18 of the LGPD. It explains the data subjects’ nine fundamental rights. These include, for instance the right to confirmation of the existence of the processing. The right to correct incomplete, inaccurate or out-of-date data, or the right to anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD.
On the other hand, there are some differences, for example, regarding the reporting of data breaches. The GDPR requires organizations to report a data breach within 72 hours after discovering. The LGPD does not inform any concrete deadline (according to Article 48).
Brazilian Data Protection Act causing confusion
However, over the last weeks, the political actions regarding the new data protection act caused some confusion regarding its initial term. Who accompanied the discussions, could observe a constant back and forth relating to the date when the LGPD shall officially take effect. Possible published dates were May 2021, by the end of the year 2020. Or even as early as the 16th of August this year.
As the website Canaltech reported on the 28th of August this year, the Brazilian Chamber of Deputies had already approved the Provisional Measure (MP) 959/2020. Thereby, the entry date would be December 31st of this year, 2020. But the Senate thought differently and transformed the MP into a Conversion Bill (PLC) 34/2020. This bill is now awaiting the final sanction of President Jair Bolsonaro, to put the LGPD into force immediately. Importantly, businesses need to be attentive since the law can still enter into force retroactively.
The entity that will be responsible for ensuring compliance with the law, is the National Data Protection Authority (ANPD). According to the Act 14.010, any penalties should only be applied from August 2021 onwards.
Important steps to adopt to the LGPD
Nevertheless, Brazilian companies have already started to revise their data protection policies. Primarily, the legal departments of larger Brazilian businesses have also started sending LGPD compliance questionnaires to their suppliers and partners. The reason is mainly that both the controller and the processor may be held liable for violation of LGPD rules.
The LGPD presents a series of obligations for whom wants to process personal data, in order to protect it against unauthorized processing. According to the Article 7 of the LGPD, the processing of data is allowed, for instance, when it is specific, freely given, informed and unambiguous consent of the data subject is given. Another legal base is the data processing for the performance of a contract of steps prior to entering into a contract.
As a central part of LGPD compliance, all companies must nominate or contract a Data Protection Officer (“DPO”). The DPO may be an employee or external service provider. The officer’s responsibility is, for example, to receive complaints and other communications from data subjects, to provide clarifications or take any necessary actions. The person in charge also guides employees and suppliers on LGPD matters.
64% of the companies still do not comply with the law
A recent national survey showed that 64% of the organizations have not adapt to the Data Protection Act (LGPD) yet. 24% of these companies do not even know what the legislation is about. For these results more than 400 Brazilian companies responded to a questionnaire between June and July this year.
“Companies that do not comply with the LGPD, or whose business partners are not LGPD compliant, may soon be subjected to significant penalties and compensation claims”, said Lukas Rhomberg (FCR Law). He recommends that companies that have not yet implemented an LGPD compliance program, urgently should do so.
However, compared to the maximum GDPR fines, the fines under the LGPD are much less severe. According to the current legislation, the maximum fine for a violation would be “2% of a private legal entity’s, group’s, or conglomerate’s revenue in Brazil, for the prior fiscal year, excluding taxes, up to a total maximum of 50 million reals”.
If you require further information or would like to talk to one of our business consultants,
you can fill in the contact form on our website or contact us by message or phone.