LGPD – Brazil’s Privacy Law
What is LGPD?
Brazil's Lei Geral de Proteção de Dados (or LGPD) provides the Brazilian legal system with desperately needed clarity. By repealing some laws and supplementing others, the LGPD aims to unify the more than 40 separate pieces of legislation that currently regulate personal data, both online and offline. This convergence of previously separate and sometimes conflicting regulations is just one similarity it shares with the General Data Protection Regulation (GDPR) of the EU, the document from which the LGPD clearly draws its inspiration.
In light of the COVID-19 pandemic, the Brazilian Senate had initially pushed back, in April, the effective date of the LGPD to 2021, giving businesses some breathing room to implement compliance measures.
However, on August 26th 2020, the article postponing the LGPD effective date was removed from the Conversion Bill. The effective date now depends on when the President will sanction the Decree approving the regulatory structure of the Autoridade Nacional de Proteção de Dados (ANPD), which should occur in the last weeks of September. However, on September 9th, a legislative decree project suspended parts of the decree that created the ANPD, generating further confusion on the expected effective date of the LGPD.
The enforcement of the LGPD remains scheduled for August 2021. The delay in sanctions does not prevent legal proceedings from being initiated against companies that must comply, whether in Brazil or outside its borders.
Concept of personal data
As in the GDPR, personal data is defined by the LGPD as “information regarding an identified or identifiable natural person.” This excludes anonymized data where the data subject cannot be identified using reasonable technical means.
Does it require a ROPA, DSR fulfillment, etc.?
Data controllers and processors have the same meaning as in the GDPR. Controllers make the decisions about the processing of personal data, and processors carry out the processing activities based on those decisions. Both must keep records of the processing operations, and both can be held liable for damages suffered by data subjects. However, the LGPD does not detail the type of information controllers and processors need to record.
What businesses are covered by LGPD?
The LGPD applies to data “processing operations carried out in Brazil irrespective of the means, the country in which its headquarter is located, or the country where the data are located.” This means that any American company processing data collected in Brazil, or belonging to a data subject present in Brazil at the time of the collection, will be obliged to comply with the LGPD, even without a physical presence in the country.
The LGPD will also apply when the business's purpose is to offer or provide goods and services to data subjects located in Brazil. Further, any e-commerce company providing shipping options to Brazil is included in the territorial scope of the law. However, any processed data originating outside of Brazil and shared with neither Brazilian processing agents nor third-party countries will be exempted, provided that the local legislation offers an adequate level of protection.