Amidst the pandemic that has struck Brazil and its businesses in an unprecedented way, the Brazilian Senate has reminded anyone collecting data that protection will not take a backseat and has accelerated the path for the LGPD to become law. Although privacy professionals and supporters applaud this accelerated effective date, rushed and unexpected privacy compliance programs are usually not made to the benefit of data subjects.
The California Consumer Privacy Act (CCPA) exemplifies a challenging regulation for businesses to comply with, considering its numerous amendments past its effective date. On the bright side, companies that already comply with the General Data Protection Regulation (GDPR) will get a sense of deja vu when reviewing the Brazilian General Data Protection Law (LGPD). Both regulations are comparable in terms of scope, data subject rights, and obligations put on the business.
What is The LGPD?
When does it come into effect?
In light of the COVID-19 pandemic, the Brazilian Senate had initially pushed back in April the effective date of the LGPD to 2021, giving businesses some breathing room to implement measures to comply.
However, on August 26th, the article postponing the LGPD effective date was removed from the Conversion Bill. The effective date now depends on when the President will sanction the Decree approving the regulatory structure of the Autoridade Nacional de Proteção de Dados (ANPD), which should occur in the last weeks of September. However, on September 9th, a legislative decree project suspended parts of the decree that created the ANPD, generating further confusion on the expected effective date of the LGPD.
The enforcement of the LGPD remains scheduled for August 2021. The sanctions’ delay does not impede legal proceedings to be initiated against companies having to comply in Brazil or outside its borders.
Concept of personal data
Similarly to the GDPR, personal data is defined by the LGPD as “information regarding an identified or identifiable natural person” This excludes anonymized data where the data subject cannot be identified using reasonable technical means.
Does it require a ROPA, DSR fulfillment, etc?
Data controllers and processors share the same meaning as provided by the GDPR. While controllers take the decisions for the processing of the personal data and processors are in charge of the processing activities based on those decisions, both must keep records of the processing operations and both can be held liable for damages suffered by data subjects. However, the LGPD does not detail the type of information controllers and processors need to record.
What businesses are covered by the law?
The LGPD applies to data “processing operations carried out in Brazil irrespective of the means, the country in which its headquarter is located, or the country where the data are located.” This entails that any American companies processing data collected in Brazil or belonging to a data subject present in Brazil at the time of the collection will be obliged to comply with the LGPD — even without a physical presence in the country.
The LGDP will also apply when the business’ purpose is to offer or provide goods and services to data subjects located in Brazil. Further, any e-commerce company providing shipping options to Brazil is included in the territorial scope of the law. However, any data processed originating outside of Brazil and not shared with Brazilian processing agents nor third-party countries will be exempted, provided that the local legislation offers an adequate level of protection.
What should companies expect from consumers and regulators with regard to the LGPD?
Consumer/Data Subject rights?
The LGPD offers its data subjects a range of rights similar to those listed in the GDPR with some modifications.
- Right to Information – Under article18, the LGPD lists several rights to information a data subject can obtain from the controller: the confirmation of the existence of the processing, public and private entities with which the controller has shared data, and the options to deny consent and its consequences. Article 19 of the LGPD highlights how to deliver that information to the data subjects. The LGPD insists on providing the information in a simplified format that includes details around the origin of the data, the criteria used, and purposes of processing.
- Right to Access – Similar to GDPR and CCPA, the LGPD gives data subjects the right to which data controllers are processing on them alongside with the origin of the data and the purpose of the processing. It is the only set of rights that gives controllers up to 15 days to comply.
- Right to Rectification – Like the GDPR, the LGPD gives the right to data subjects to correct incomplete, inaccurate, or outdated data.
- Right to Object – Data subjects can object to the processing of their data by revoking their consent. Once invoked, controllers must immediately reply to this type of request. Then, controllers and processors need to terminate any processing operations.
- Right to Portability – This right allows data subjects to expressly request for their data to be sent to another service provider or product provider and typically requires the controller to provide the data in a format and file that is easily accessible and uploadable.
- Right to Deletion – Data subjects have the right to request the deletion of data processed with their consent but also unnecessary or excessive data or data processed in non-compliance with the LGPD. Similarly to the GDPR, the LGPD exempts deletion of data to fulfill certain purposes, such as a legal or regulatory obligation. Controllers must inform processors of the erasure request so that they can fulfill those. A noticeable difference with the GDPR and CCPA is that controllers must respond immediately to the deletion request. Businesses already complying with the GDPR or CCPA face difficulties to fulfill requests within the legal timelines (30 and 45 days respectively) and sometimes need to request extensions. Without a technology solution, it is hard to understand how businesses can reply immediately to data deletion requests.
LGPD alleviates American companies complying with CCPA of certain processes:
- The LGPD does not specify anything related to the verification of the data subject’s identity. Therefore, businesses should not need to put in place a stringent verification system as required by the CCPA (2 to 3 verification steps). However, it is always good practice to ensure that a reasonable level of verification is carried out to avoid any data breaches.
- A request can be submitted to a controller by a legal representative. Here again, the LGPD chose the GDPR-like approach of mentioning the possibility of representation without specifying a process around it, as the CCPA did with an entire section dedicated to Authorized Agents.
- Where the CCPA instructs specific request intake methods depending on the type of businesses, the LGPD only mentions “express” requests without specifics around the intake requirements for businesses.
How should companies prepare for the LGPD?
- Review the data processing activities to determine whether the LGPD applies. Inform the processors if that is the case, so they understand their obligations. Appoint a DPO.
- Update the Privacy Policy to inform data subjects of their rights under the GDPR and disclose processing activities as well as how to submit a request under LGPD.
- Review the inventory of systems holding personal data and processes to comply with data subject requests. Due to the legal timelines, it is most likely impossible to rely on any human processes at this point to comply with the immediate or 15-day response deadline.
Enforcement and Penalties of the LGPD
The Brazilian Data Protection Authority (ANPD) has the power to issue fines up to 2% of the revenues up to BRL 50,000,000 (the equivalent of €7,975,000).
Trying to keep up with privacy regulation and industry news? Subscribe to the Weekly Grail to get insights on the latest in data privacy.
Learn more about data privacy and compliance with these related resources: