Here's what you need to know and do.
- 1. The Basics of the LGPD
- 2. Similarities With the GDPR
- 2.1. Definition of Personal Data
- 2.2. User Rights
- 2.3. Concepts and Operation
- 3. Requirements of the LGPD That Go Beyond the GDPR
- 4. Requirements of the LGPD That are Weaker Than the GDPR
- 4.1. Data Breach Reporting
- 4.2. Penalties
- 4.3. Direct Marketing
- 6. Summary
The Basics of the LGPD
LGPD stands for Lei Geral de Proteção de Dados Pessoais (General Law on Protection of Personal Data.) It's a Brazilian national law passed in 2018 that took effect in August 2020. Although it's now law, it's not yet being enforced at the time of writing.
As things stand, a new agency named Autoridade Nacional de Proteção de Dados (ANPD) will begin enforcement in May 2021. This could include sanctions such as forcing an organization to change its data processing policies or even stop processing data. From August 2021 the ANPD can start issuing fines for serious breaches.
The most important similarity between the LGPD and the GDPR is that it has extra-territorial effect. This means that you can still come under the law even if you or your organization is neither legally nor physically based in Brazil.
The law applies to you when you (the data controller) process personal data about somebody (the data subject) and:
- The data subject resides in Brazil (Their nationality doesn't matter),
- You are processing the data as part of offering goods or services to people in Brazil, or
- You collected the data in Brazil
The law has some exemptions but these mainly cover non-economic activity, journalism, art and government activity. Processing personal data for business purposes will almost never be exempt.
Similarities With the GDPR
Many points in the LGPD will be familiar if you already follow the GDPR.
Definition of Personal Data
The LGPD defines "personal data" as "information regarding an identified or identifiable natural person." This is almost the exact wording used in the GDPR.
Remember that a "natural person" means a human being rather than a legal entity such as a corporation.
Both the LGPD and the GDPR are based around the rationale that individuals have core privacy rights that the law must protect. The listed rights in the LGPD are:
- To know you are processing their data
- To access the data you process
- To correct outdated or inaccurate data
- To tell you to anonymize or delete data that isn't necessary or isn't lawfully processed
- To easily take a copy of their data to another product or service provider
- To tell you to delete data that you collected based on their previous consent
- To know who you've shared data with
- To know when they can refuse to consent to data processing and the consequences of doing so
- To revoke consent they've previously given
These are largely the same rights people have under the GDPR, just expressed slightly differently. (The GDPR covers knowing the data is being processed, and knowing who it's shared with, through a single "right to be informed.")
Concepts and Operation
Both the LGPD and the GDPR work on the same main principle: processing is only lawful when it's done on one of a specified list of legal bases.
The GDPR lists six legal bases for processing:
- To carry out a contract
- To carry out a legal obligation
- To carry out a public duty
- The processor's legitimate interests
- To protect the data subject's vital interests
The LGPD includes all of these, plus four extra legal bases:
- To carry out a study (research bodies only)
- To exercise legal rights in a judicial procedure
- To protect health
- To protect credit (such as in credit scoring)
With both laws, the two most commonly used bases for a business processing personal data about a customer will be consent and legitimate interests.
The LGPD says consent must be in a form that "demonstrates the manifestation of the will of the data subject." As with the GDPR, consent must cover data processing for a specific purpose rather than be a blanket permission. Both laws stress that the burden is on the data processor to prove the consent is valid.
This example from Mott Macdonald clearly explains the specific processing purpose the consent covers:
As with the GDPR, the LGPD's examples of "legitimate interests" include carrying out the data controller's core business activities.
With both laws, processing is only allowed where these legitimate interests outweigh the data subject's core privacy rights. The ANPD has the right to ask you to produce an impact report that shows how you concluded this is the case.
The Woodland Trust stresses how this balance works as such:
Requirements of the LGPD That Go Beyond the GDPR
The GDPR only requires a data controller to designate a data protection officer in specific circumstances:
- If the controller is a public authority
- The processing is the data controller's core activity and is "regular and systematic" and "on a large scale"
- The processing is the data controller's core activity and involves special categories of sensitive data
In contrast, the LGPD requires all data controllers to appoint a data protection officer. (The ANPD has the power to make exemptions, for example for small businesses or those which don't process a lot of data, but has not yet done so.)
The data protection officer's role must include:
- Handling complaints and queries from data subjects
- Dealing with the ANPD
- Training staff in data protection issues
The LGPD says you must publicly disclose your data protection officer's name and contact details, preferably on your website.
NHS England not only gives contact details but explains the role:
While adding the explanation of the role isn't necessary, it is helpful to users and will allow them to utilize the contact information better.
Requirements of the LGPD That are Weaker Than the GDPR
Data Breach Reporting
Both the GDPR and the LGPD require data controllers to report data breaches to both the relevant data protection agency and the data subject.
The GDPR says such notifications must be as soon as possible and, wherever possible, within 72 hours after discovering the breach. If the notification is later than 72 hours, the GDPR must explain why to the data protection agency.
As things stand, the LGPD simply says the notification must be made "in a reasonable time period." The ANPD has the power to define this period but has yet to do so.
The LGPD says the notification must include:
- The type of data affected
- The data subjects involved
- The measures used to protect the data
- The risks that come from the breach
- The measures to rectify the breach
This example from Claire's clearly details the data involved in the breach:
Both the LGPD and the GDPR give data protection authorities the power to issue a series of punishments for breaches. These include warnings, orders to change procedures, and temporary or permanent bans on processing personal data.
The ultimate punishment is a fine. The GDPR has two levels of fines. For general breaches, the maximum is either €10 million or two percent of annual global revenue, whichever is higher. For more serious breaches that affect an individual's privacy rights, the maximum is either €20 million or four percent of annual global revenue, whichever is higher. Individuals may also pursue claims for damages separate to these fines.
The LGPD has a single level of fines. The maximum is two percent of annual revenue in Brazil, though this is capped at 50 million Brazilian reals (€7.49 million at the time of writing).
The GDPR says objecting to personal data processing for direct marketing is an absolute right. If a data subject objects, you must stop processing the relevant data immediately.
The LGPD doesn't have a specific exemption for direct marketing. This means that if you are relying on the legal basis of legitimate interests, you can weigh up these interests against the data subject's rights in the same way as with other types of data. However, such processing will also be subject to the Consumer Protection Code, a Brazilian law that regulates advertising.
- Your name and contact details
- The details of your representative in the EU (if you have one)
- The details of your data protection officer (if you have one)
- The purpose or purposes for which you process data
- Which legal basis you are relying on (including an explanation of your legitimate interests if applicable)
- Whether you share data and, if so, who you share it with
- How long you'll keep personal data (or how you decide)
- The individual's rights under the GDPR including to withdraw consent and to complain to a supervisory authority
- Whether the individual is legally required to provide personal data and what happens if they don't
- Whether you use the data for automated decision-making such as profiling
- The "responsibilities of the agents that will carry out the processing" (This should include the responsibility to protect the data, along with an outline of your security measures.)
- The additional data subject rights included in the LGPD, namely the right after withdrawing consent to insist the relevant data is immediately deleted, and the choice of whether any data gathered unlawfully or unnecessarily should be anonymized, blocked or deleted
Let's recap what you need to know about the LGPD and how it compares with the GDPR.
- The LGPD is a Brazilian data protection law that follows many of the same principles as Europe's GDPR.
- The LGPD can affect businesses outside of Brazil if they collect data in Brazil, process data about a person who lives in Brazil or process data as part of offering goods or services in Brazil.
- The LGPD became law in August 2020. A regulatory authority, the ANPD, will begin enforcement in May 2021 and can issue fines from August 2021.
- Both the LGPD and the GDPR are based around protecting a similar set of personal privacy rights. Both do this by saying processing of personal data can only be done for a specific legal basis.
- The LGPD has several legal bases not covered by the GDPR, including research, judicial procedures, health and credit. However, with both laws, businesses will normally rely either on explicit consent or that their legitimate interests outweigh the individual's privacy rights.
- The LGPD requires all data controllers to appoint a data protection officer.
- The LGPD doesn't have a fixed deadline for reporting breaches.
- The maximum fine for breaching the LGPD is two percent of annual revenue from Brazil, capped at 50 million Brazilian reals.
- The LGPD doesn't give data subjects an absolute right to object to their data being used for direct marketing. Instead it's treated like other data uses when assessing if the legitimate interests basis is valid.
- Details of your security measures for protecting data
- The data subject's right to tell you to delete data after withdrawing the relevant consent
- The data subject's right to choose what happens to data you gather unlawfully or unnecessarily. This could be anonymization, blocking or deletion.