1. What is the LGPD Act passed by Brazil?
Brazil recently enacted its omnibus law governing the use of personal data, the Lei Geral de Proteção de Dados (LGPD), or General Law for the Protection of Privacy. The LGPD is intended to regulate the processing of personal data to protect “the fundamental rights of freedom and privacy and the free development of the personality of the natural person.” The LGPD took effect August 27, 2020; enforcement of the LGPD’s penalties and sanctions provisions will not officially take effect until August 1, 2021.
2. Whom does it apply to?
- Processing of personal data within the territory of Brazil
- Processing of personal data to offer or provide goods or services to individuals in Brazil
- Processing of personal data of individuals who are in Brazil, regardless of where in the world the processing entity is located
- Processing of personal data collected in Brazil
3. What is the scope of personal data?
Under the LGPD, personal data is defined broadly in that it encompasses any information regarding any identified or identifiable natural person. The key attribute of this definition is that it includes identifiable data. Thus, not only does the definition encompass data that can identify an individual independently, but it also includes any data that can be aggregated to another to identify the individual.
4. How does it differ from GDPR?
- 4.1 – Personal data vs. anonymized and pseudonymized data
In the same way as the GDPR, the LGPD has established that anonymous data falls outside the scope of the law. Both laws employ the same criterion: whether the information can no longer be attributed to a natural person and, therefore, can no longer make a person identifiable.
- 4.2 – Anonymous data
The LGPD’s normative rationality focuses on how data processing may impact the lives of data subjects, instead of only considering whether the anonymized data is reasonably reversible. This has been called a consequentialist approach to the concept of personal data, which protects the “free personality development” of data subjects — one of the foundations of the Brazilian law — regardless of whether the data processing involves anonymous data.
- 4.3 – Lawful legal basis – Legitimate interest
The “legitimate interest” legal basis did not exist in the prior Brazilian data protection framework. It could allow the use of data for purposes other than those originally authorized by the data subjects or those that led to its disclosure. In comparison to the GDPR, the Brazilian legitimate interest will possibly be more flexible, since it can be used for the “promotion” of the controller’s activities. The balancing test provided by the law needs to be documented.
5. What are the legal bases for processing data?
In Article 7, the LGPD lists ten legal bases. They are:
1. With the consent of the data subject;
2. To comply with a legal or regulatory obligation of the controller;
3. To execute public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments;
4. To carry out studies by research entities that ensure, whenever possible, the anonymization of personal data;
5. To execute a contract or preliminary procedures related to a contract of which the data subject is a party, at the request of the data subject;
6. To exercise rights in judicial, administrative or arbitration procedures;
7. To protect the life or physical safety of the data subject or a third party;
8. To protect health, in a procedure carried out by health professionals or by health entities;
9. To fulfil the legitimate interests of the controller or a third party, except when the data subject’s fundamental rights and liberties, which require personal data protection, prevail; or
10. To protect credit (referring to a credit score).
6. What are the rights of consumers?
- The right to confirmation of the existence of the processing
- The right to access the data
- The right to correct incomplete, inaccurate or out-of-date data
- The right to anonymize, block or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD
- The right to the portability of data to another service or product provider, through an express request
- The right to delete personal data processed with the consent of the data subject
- The right to information about public and private entities with which the controller has shared data
- The right to information about the possibility of denying consent and the consequences of such denial
- The right to revoke consent
7. What are the fines for non-compliance with the LGPD?
The fines under the LGPD are much less severe than those under the GDPR. Article 52 states that the maximum fine for a violation is “2% of a private legal entity’s, group’s, or conglomerate’s revenue in Brazil, for the prior fiscal year, excluding taxes, up to a total maximum of 50 million reais” (this works out to roughly €11 million).