What is the LGPD? Brazil’s version of the GDPR
Brazil passed the General Data Protection Law in 2018, and it will come into effect February 2020. This article examines the GDPR vs. the LGPD, how it differs, and what business owners globally need to do to prepare.
Brazil’s Lei Geral de Proteção de Dados (or LGPD) brings sorely needed clarification to the Brazilian legal framework. The LGPD attempts to unify the over 40 different statutes that currently govern personal data, both online and offline, by replacing certain regulations and supplementing others. This unification of previously disparate and oftentimes contradictory regulations is only one similarity it shares with the EU’s General Data Protection Regulation, a document from which it clearly takes inspiration.
Another similarity is that the LGPD applies to any business or organization that processes the personal data of people in Brazil, regardless of where that business or organization itself might be located. So, if your company has any customers or clients in Brazil, you should begin preparing for LGPD compliance. Fortunately, you still have time before the law takes effect. And if you are already GDPR compliant, then you have already done the bulk of the work necessary to comply with the LGPD.
Similarities between the GDPR and the LGPD
In addition to its extraterritorial application, the LGPD and the GDPR agree on several basics when it comes to data protection.
While the LGPD does not have a single definition for personal data, if you read the entirety of the text, you can see echoes of the GDPR’s definition of personal data. The LGPD states in various places that personal data can mean any data that, by itself or combined with other data, could identify a natural person or subject them to a specific treatment. While this definition will likely be clarified as Brazil nears implementation of the LGPD, as currently stated, the LGPD takes a broad view of what data qualifies as personal data, even more expansive than the GDPR.
Data subject rights
Article 18 is another section of the LGPD that will look familiar to businesses that have dealt with GDPR compliance. It explains the nine fundamental rights that data subjects have, which include:
- The right to confirmation of the existence of the processing;
- The right to access the data;
- The right to correct incomplete, inaccurate or out-of-date data;
- The right to anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD;
- The right to the portability of data to another service or product provider, by means of an express request
- The right to delete personal data processed with the consent of the data subject;
- The right to information about public and private entities with which the controller has shared data;
- The right to information about the possibility of denying consent and the consequences of such denial; and
- The right to revoke consent.
While the GDPR is known for granting its data subjects eight fundamental rights, they are essentially the same rights the LGPD mentions. It seems the LGPD split “The right to information about public and private entities with which the controller has shared data” out of the GDPR’s more general “Right to be informed” to make it more explicit.
Differences between the LGPD and the GDPR
Despite their similar goals and the apparent influence the GDPR had on Brazilian lawmakers, there are some key differences to note between the two pieces of legislation.
Data protection officers
Both acts require businesses and organizations to hire a Data Protection Officer (DPO). However, while the GDPR outlines when a DPO is required, Article 41 in the LGPD simply says, “The controller shall appoint an officer to be in charge of the processing of data,” which suggests that any organization that processes the data of people in Brazil will need to hire a DPO. This is another area that will likely receive further clarification, but as written, it is one of the few areas where the LGPD is more stringent than the GDPR.
Legal basis for processing data
Possibly the most significant difference between the LGPD and the GDPR concerns what qualifies as a legal basis for processing data. The GDPR has six lawful bases for processing, and a data controller must choose one of them as a justification for using a data subject’s information. However, in Article 7, the LGPD lists 10. They are:
- With the consent of the data subject;
- To comply with a legal or regulatory obligation of the controller;
- To execute public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments;
- To carry out studies by research entities that ensure, whenever possible, the anonymization of personal data;
- To execute a contract or preliminary procedures related to a contract of which the data subject is a party, at the request of the data subject;
- To exercise rights in judicial, administrative or arbitration procedures;
- To protect the life or physical safety of the data subject or a third party;
- To protect health, in a procedure carried out by health professionals or by health entities;
- To fulfill the legitimate interests of the controller or a third party, except when the data subject’s fundamental rights and liberties, which require personal data protection, prevail; or
- To protect credit (referring to a credit score).
Having the protection of credit as a legal basis for the processing of data is indeed a substantial departure from the GDPR.
Reporting data breaches
While both the GDPR and the LGPD require organizations to report data breaches to the local data protection authority, the level of specificity varies widely between the two laws. The GDPR is explicit: an organization must report a data breach within 72 hours of its discovery (although different organizations are already testing that deadline).
The LGPD does not give any firm deadline: Article 48 merely states that “the controller must communicate to the national authority and to the data subject the occurrence of a security incident that may create risk or relevant damage to the data subjects… in a reasonable time period, as defined by the national authority.” Since the national data protection agency has not, as yet, been established, there is no guidance for what constitutes a “reasonable time period.”
A regulation is only as strong as its teeth. That is why the maximum GDPR fines are substantial, requiring organizations that commit grave GDPR violations to pay to up to €20 million or 4% of annual global revenue, whichever is higher.
The fines under the LGPD are much less severe. Article 52 states that the maximum fine for a violation is “2% of a private legal entity’s, group’s, or conglomerate’s revenue in Brazil, for the prior fiscal year, excluding taxes, up to a total maximum of 50 million reals” (this works out to roughly €11 million). The LGPD fines are in line with GDPR’s fines for less egregious infractions, but €11 million is not going to concern the world’s largest data processors.
This is not an exhaustive overview of the LGPD, but it should reassure business owners that, in most respects, if you have achieved GDPR compliance, you are already well on your way to complying with the LGPD. Data protection laws are beginning to be considered all around the world, from India to the USA. GDPR.eu will be here to help you keep up with the latest developments and attain compliance.