Brazil President Approves Data Protection Legislation

On 14 August 2018, Brazil signed into law new regulations governing data privacy, the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais - LGPD). It has numerous similarities to Europe’s General Data Privacy Regulations (GDPR) but there are also significant differences. DPL becomes effective from February 2020, 18 months after its enactment, giving companies time to implement necessary procedures.
 
Currently, there are no provisions in the LGPD that rescind current Data Protection laws such as the Internet Framework (Marco Civil da Internet – Law no 12.965) or The Consumer Defense Code (Código de Defesa do Consumidor or law no 8.078). It is assumed that some attempt will be made to rationalize the provisions of the different laws.
 
  1. A National Data Protection Authority which is essential to implement the regulations has yet to be created; this will require a further bill of law from the executive branch.  It is likely the bill will be proposed by the President within a few weeks.
  2. As in the EU, penalties for noncompliance are stiff. The amounts are up to 2% of turnover (gross revenue) with a cap of BRL 50 million (currently US$12.7 million).
  3. LGPD applies to:
    • All sectors of the economy, public and private.
    • Any company which offers goods or services within Brazil.
    • Any activity involving the collection or processing of the personal data of individuals within Brazil.
    • Any personal data collected within Brazil.
    • Any processing carried out in Brazil.

      As can be seen from the above, the LGPD has applicability outside Brazil.
  4. Processing personal data is only allowed if it meets certain criteria such as:
    • There is consent (in writing) from the individual. (There are special conditions relating to sensitive data or the data relating to minors.)
    • It is necessary to comply with legal or other regulatory requirements.
    • It is required under an agreement (i.e. a contractual necessity).
    • The processing is necessary for the legitimate interests of the Controller or third party.
    • It is necessary in the opinion of health professionals for health protection.
    • For credit protection.
  5. Each company needs to nominate a Data Protection Officer whose contact information must be publicly available.
  6. Transfer of data outside Brazil will only be allowed:
    • If it is authorized by the LGPD, e.g. to countries which have an appropriate level of protection, which will be determined by the DPA once established.
    • Where the company has the necessary contractual clauses with the transferee or other corporate rules which satisfactorily demonstrate that the data will be correctly handled by the transferee.
    • Where the individual consents to the transfer.
  7. Any data which, whether by itself or combined with other data, would allow an individual to be identified constitutes personal data.
  8. Sensitive data is data on the basis of which discrimination could occur, such as racial or ethnic origin, religion, political affiliation, health, sexual preferences, genetic data. This type of data requires additional security including the consent of the individual to hold this specific data.
  9. LGPD does not apply to anonymized data provided the process by which it was anonymized cannot be reversed.
  10. Individuals on whom data is held have rights to have access to the data, to require it to be corrected, canceled or excluded and to receive information and explanations as to how the data will be used. A specific new right is for the data to be “portable” i.e. to be supplied with a copy of the data in a format which allows the transfer of the data to other services including competitor services.
  11. Once a Data Protection Authority is established, data breaches will need to be notified to the DPA within a reasonable time limit.
  12. Where processing of data is based upon the legitimate interest of the controller or the processing is considered risky, then a Privacy Impact Report or Data Protection Impact Assessment (DPIA) may be required before processing can begin.

Copyright Shan & Co LTD 2018 © A Sister Company to Nucleus