As we have often said here in the US, “so goes California, so goes the country” when it comes to laws of all kinds, not just those addressing privacy. Well, globally, the same can be said of the impact of the European Union’s GDPR. Originally scheduled to go into effect this month (it was later amended to be enforced in August 2020), Brazil will be regulating privacy and security more extensively with the Brazilian General Data Protection Law (aka, the Lei Geral de Proteção de Dados and often referred to as the “LGPD” in the Portuguese acronym) (Law 13.709/2018). Here is a quick summary of the LGPD’s requirements.
The LGPD has many of the same aspects of what we have seen in the GDPR, including broad definitions of “personal data” and “processing,” and defining responsibilities of the regulated entities (i.e., the controllers and processors). The LGPD also enumerates similar rights of data subjects, which include the rights to:
- receive or access information on processing activities and entities receiving the data, which must be provided to the data subject within 15 days from the date of the request;
- access, rectify or erase data (i.e., the right to be forgotten);
- restrict or object to the data processing;
- have the data be portable to another service or provider;
- review the automated processing of personal data;
- receive notices of data breaches;
- receive information on the consequences of denying consent;
- withdraw consent; and
- submit claims or complaints to the Brazilian National Data Protection Authority (the “ANPD” in the Portuguese acronym).
The LGPD applies extraterritorially once it goes live, so it is imperative that businesses know whether they must comply. The Law applies when processing activities involving personal data:
- are carried out within the Brazilian territory;
- are related to the offer or supply of goods or services to individuals located in Brazil;
- implicate data referring to individuals located in Brazil; or
- involve data collected in Brazil.
For now, the LGPD does not apply to non-personal data. However, it is always a good idea for any business to understand the different types of data flowing into its business from inception to the end of the data’s life cycle, to ensure that it is not receiving data that may fall under the LGPD. We have all witnessed how businesses can badly mishandle data by failing to properly classify or map the data through its organization.
Finally, a transfer of personal data outside Brazil under Article 7 of the LGPD will be allowed—though subject to additional approval by the applicable data protection authority—when certain requirements are met, including:
- a controller offers and evidences that the principles and all data subject’s rights are complied with by specific contractual clauses, standard contractual clauses, global corporate rules, or stamps, certificates, and codes of conduct;
- the transfer is necessary to protect the life or physical safety of the data subject or a third party;
- the national authority authorizes the transfer, which is necessary for the execution of public policies provided in laws or regulations;
- the data subject has given specific consent; or
- it is necessary for compliance with legal or regulatory obligations, the performance of a contract, or the regular exercise of rights in judicial, administrative or arbitration procedures.
And yes, if you don’t comply and violate the Law, there are fines available up to 2% of the annual sales revenue for your company or a maximum of 50 million reals per infraction (about €10.6 million or $11.5 million). While this is much lower than the GDPR’s current penalties—the greater of 4% of a company’s annual global turnover or €20 million (about $22 million U.S.)—the LGPD certainly has enough teeth to warrant businesses to take the Law seriously.
As previously noted, enforcement does not commence until August 2020, so there is still time to develop or improve your compliance program. As we have always recommended, the time is now to develop an enterprise-wide strategy for all personal data, regardless of jurisdiction, to enable more effective and consistent operations and handling of personal data. It is always easier to do it on your timeline (and your budget) as opposed to the ticking clock of a data breach response, enforcement action or pending regulation, like the LGPD.
This is but a quick summary of the LGPD’s requirements and not intended to be legal advice or a complete synopsis. As always, we recommend consulting counsel and reviewing any regulation in detail to determine applicability and to implement a business-friendly approach to the ever-moving target of “compliance.” Taft stands ready to assist in your assessment and to help implement a balanced approach to data governance.