Brazil Adopts Comprehensive Privacy Law

Highlights of Brazil’s LGPD

Brazil became the latest country to draw inspiration from Europe’s General Data Protection Regulation (“GDPR”) and adopt its own national comprehensive legal framework for personal data regulation, called the Lei Geral de Proteção de Dados (“LGPD”). A comparison of some of the key topics covered by the GDPR and LGPD are summarized below:

  GDPR LGPD
Effective Date May 25, 2018 August 15, 2020 (but enforcement will not begin until August 1, 2021)
Fines Up to the higher of €10 M or 2% of  global annual revenue from preceding financial year Up to the lesser of 50 M reals or 2% of Brazilian sourced revenue from preceding financial year
Territorial Scope Personal data processing activities when:

1.     Controller or processor is established in the EU, regardless of whether the processing takes place in the EU or not;

2.     the data refers to individuals located in the EU when offering goods or services to such data subjects or monitoring their behavior;

3.     carried out by a controller not established in the EU, but in a place where Member State law applies by virtue of public international law.

Personal data processing activities when:

1.     carried out in Brazil;

2.     related to the offering or supplying of goods or services to individuals located in Brazil;

3.     the data refers to individuals located in Brazil; or

4.     data was collected in Brazil.

Rights of Data Subjects Data subjects have the right:

  1. To be informed about the collection and use of their personal data*;
  2. To access their personal data;
  3. To correct their personal data;
  4. To restrict or object to the processing of their personal data;
  5. To obtain and reuse their personal data for their own purposes across different services;
  6. To delete personal data processed with the consent of the data subject;
  7. To be informed consequences of not giving consent; and
  8. Withdraw consent.

*the right to be informed about entities the controller has shared data with is incorporated into this right whereas the LGPD separates these rights.

Data subjects have the right:

  1. To be informed about the collection and use of their personal data;
  2. To access their personal data;
  3. To correct their personal data;
  4. To restrict or object to the processing of their personal data;
  5. To obtain and reuse their personal data for their own purposes across different services;
  6. To delete personal data processed with the consent of the data subject;
  7. To be informed about entities with which the controller has shared data;
  8. To be informed consequences of not giving consent; and
  9. Withdraw consent.
Children’s Data Children defined as under 16 but individual members of the EU may lower the age as low as 13.

Where the lawful basis of processing is consent, the consent must come from the child’s parent.

Children defined as under 12 and teenagers defined as between 12-18.

Parental consent is required for processing children’s and teenager’s personal data.

Legal Basis for Processing May only process data under the following justifications:

1.     Data subject’s consent;

2.     Execute contractual obligations where the data subject is a party;

3.     Compliance with controller’s legal or regulatory obligations;

4.     Protect the vital interests of an individual;

5.     Perform a task carried out in the public interest or in the exercise of official authority vested in the controller;

6.     Fulfill the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

May only process data under the following justifications:

1.     Data subject’s consent;

2.     Compliance with controller’s legal or regulatory obligations;

3.     Execute public policies provided by law;

4.     Carry out studies by research organizations;

5.     Execute contractual obligations where the data subject is a party;

6.     Exercise rights in judicial, administrative or arbitration procedures;

7.     Protect the physical safety of an individual;

8.     Protect health in a procedure carried out by health professionals;

9.     Fulfill the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject; or

10.  Protect a credit score.

Cross Border Transfers Personal data may only be transferred or accessible to a recipient outside of the EU if:

1.     The recipient is covered by an EU adequacy decision;

2.     The entities are related entities where at least one entity is located in the EEA and the entities have agreed to binding corporate rules, which have been approved by an EEA supervisory authority;

3.     The sender is based in the EEA and has executed approved standard protection clauses with the recipient;

4.     The data subject has provided valid, explicit consent after being advised of the details and risks of such transfer;

5.     The transfer is necessary to perform a service or agreement requested by the data subject.

*Please note this is only a selection of the most common, relevant cross border transfer safeguard mechanisms under the GDPR.

Personal data may only be transferred or accessible to a recipient outside of Brazil if:

1.     The recipient is covered by a Brazilian adequacy decision;

2.     The recipient is subject to contractual clauses to demonstrate data protection practices comparable to the LGPD (ex. standard contractual clauses, global corporate rules, or stamps, certificates, and codes of conduct);

3.     The data subject has given specific consent, being previously informed about the international nature of the operation; or

4.     The transfer is necessary for compliance with legal or regulatory obligations, performance of a contract, or regular exercise of rights.

*Please note this is only a selection of the most common, relevant cross border transfer safeguard mechanisms under the LGPD.

While the penalties under the LGPD are less severe than those under the GDPR, the key obligations and limitations with respect to processing personal data appear very much in synch. If your organization believes it processes data from Brazil and/or that might otherwise fall under the LGPD, it should consider working internally and with counsel on a LGPD compliance program as soon as possible, but particularly before enforcement of penalties under this law begins on August 1, 2021.