This blog post provides a comparison guide to the EU General Data Protection Regulation (GDPR) and the Brazilian General Data Protection Law (LGPD).
The Brazilian Lei Geral de Proteção de Dados (LGPD) attempts to unify the more than 40 different statutes that until recently governed the protection of personal data in Brazil, both online and offline, by replacing some regulations and supplementing others. The law was published on August 15, 2018 and came into effect in August 2020.
This unification of regulations is only one similarity it shares with the EU’s General Data Protection Regulation (GDPR), which went into effect on the 25th of May 2018.
GDPR provisions could be enforced by any data protection authority within the EU from the moment the law took effect, whereas the LGPD’s enforcement provisions will take effect on the 1st of August 2021. Those provisions will be enforced by Brazil’s newly established data protection authority.
The LGPD, like the GDPR, applies to any business or organization that processes the personal data of people in Brazil, irrespective of the means used for the processing and regardless of where that business or organization itself might be located.
Both the GDPR and the LGPD grant data subjects specific fundamental rights, which include, among others, the right to access their data, the right to correct their data, the right to delete unnecessary or excessive data, the right to data portability, and the right to revoke consent.
Another similarity the LGPD shares with the GDPR is its broad definition of personal data. The LGPD considers personal data to be any information related to an identified or identifiable individual, and it includes a category of sensitive personal data. However, it provides more exemptions than the GDPR. Under the LGPD, the following categories are excluded: publicly available information; personal data processed by a natural person for private, non-economic purposes; data processed for journalistic, artistic or academic purposes; and data used exclusively for public security, national defence, state security, or criminal investigation or prosecution.
The LGPD defines the collection and processing of personal data as “data treatment”, which covers all operations carried out with personal data. This is an apparent influence of the GDPR on Brazilian lawmakers.
However, possibly the most significant difference between the GDPR and the LGPD concerns what qualifies as a legal basis for processing data. Under the GDPR, processing is lawful if the data subject has consented, or if processing is necessary to perform a contract, comply with legal obligations, protect a natural person’s vital interests, act in the public interest, or, under certain conditions, achieve a legitimate interest of the controller or a third party.
The LGPD includes all of the legal bases for processing listed under the GDPR, but it additionally provides that controllers may process personal data specifically to exercise rights in judicial, administrative or arbitration procedures and to protect credit. The LGPD goes further, requiring that consent given in writing be highlighted among the other contractual provisions. The burden of proving that consent was given in accordance with the LGPD rests on the controller. Additionally, the LGPD does not specifically address electronic marketing, which is clearly defined in the GDPR. Under the LGPD, obtaining opt-in consent from consumers before sending marketing emails is recommended, but not enforced.
Both acts define sensitive personal data in a similar way, and both share several legal bases for processing sensitive information. However, the LGPD does not allow businesses to process sensitive personal data in the course of the legitimate activities of non-profit entities in connection with their purposes, as the GDPR permits.
The LGPD also differs from the GDPR with respect to the processing of a minor’s personal data. Specifically, the Brazilian law defines a child as anyone below the age of 12, and an adolescent as anyone between the ages of 12 and 18. For a child, verified parental consent is required, and any processing of a child’s or adolescent’s personal data must be in their best interest.
Both acts provide for the role of a Data Protection Officer (DPO) in businesses and organizations. However, the GDPR considers a DPO mandatory only under specific circumstances, whereas under the LGPD companies are generally required to appoint a “Chief of Data Treatment” to act as the “channel of communication” between the financial controller, the data subjects, and the regulators. The role is also responsible for overseeing compliance efforts and training sessions. The law also provides for the National Authority to define further rules regarding the DPO.
Both regulations impose significant technical and administrative security obligations on businesses to protect personal data from unauthorized access and from accidental or illegal destruction, loss, alteration, communication, or dissemination. Both require the maintenance of processing records and the conduct of data protection impact assessments (referred to as reports under the LGPD).
However, the LGPD requires businesses to notify the National Authority and the affected data subjects within a “reasonable amount of time” if an incident or breach may cause them harm, whereas under the GDPR, data breach notifications must be provided to the supervisory authority within 72 hours.
The LGPD imposes significantly less severe fines than the GDPR (which allows fines of up to €20M or 4% of total global turnover for the preceding fiscal year, whichever is higher). Specifically, under the LGPD, controllers and processors may be fined up to two percent (2%) of their revenues, up to a total of R$50M (€7.5M). Unlike the GDPR, the fine is calculated on revenues in Brazil rather than on a global basis. A company may also have its name and the nature of the violation published, and access to the personal data used in violation of the LGPD may be blocked or deleted.
When the GDPR came into effect, it had a global impact because the law covers the personal data of all EU citizens and residents; any company processing such data is therefore subject to the law, regardless of its location. The same applies to the LGPD. If your business or organization processes the personal data of people in Brazil, your company is subject to the LGPD. The good news is that if you have already achieved compliance with the GDPR, you are well on your way to complying with the LGPD.
Until next time.