Following a year of uncertainty regarding the date of implementation, Brazil’s General Data Protection Law has officially come into effect. Although Brazil is no stranger to sectoral privacy laws and already had more than 40 laws and norms at the federal level, the LGPD is the country’s first law to provide a comprehensive framework regulating the use and processing of all personal data.
Greatly influenced by the EU General Data Protection Regulation, the LGPD will be familiar to those who have worked with the GDPR (the IAPP published a GDPR matchup with the LGPD here). Comprising 65 articles, the law sets forth the Brazilian conception of personal data and provides the legal bases authorizing its use. In line with past coverage from the IAPP, here is an update and recap of what is in this comprehensive law.
To whom does the LGPD apply?
Scope
Unlike its predecessors, such as the GDPR and California Consumer Privacy Act, the LGPD’s applicability is not limited to businesses and organizations above a particular size. Rather, the law applies to businesses of all sizes and provides exceptions only in a few enumerated instances, such as where data are collected exclusively for journalistic, artistic and academic purposes, or for public safety and national defense.
Jurisdiction
Furthermore, like the GDPR, the LGPD provides for extraterritorial jurisdiction. Under Article 3, a personal data processor is subject to the law when the data are either collected or processed within Brazil, or when the data are processed for the purpose of offering goods or services to individuals in Brazil. Accordingly, so long as one of these conditions is met, the nation in which the company is headquartered is irrelevant, and the LGPD is fully applicable.
What type of data is protected?
Personal data
At the core of any data protection law is the definition assigned to each key term. Among the most important of these is the definition of “personal data.” Under the LGPD, personal data is defined broadly in that it encompasses any information regarding an identified or identifiable natural person. The key attribute of this definition is that it includes identifiable data. Thus, not only does the definition encompass data that can identify an individual on its own, but it also includes any data that can be combined with other data to identify the individual. Given the rapid development of big data, under this definition effectively any data can be categorized as personal data.
Sensitive personal data
The LGPD also includes additional provisions specifically applicable to sensitive personal data that are considered particularly susceptible to discriminatory practices. Under the LGPD, where related to a natural person, this type of data includes personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, health or sex life, and genetic or biometric data. Given the delicate nature of this data, such data may only be processed in limited circumstances enumerated in Article 11.
Compliance
Finally, and perhaps of most interest to privacy professionals, the LGPD compliance requirements are grounded in the desire to support the Brazilian general principles of data protection, as well as to protect the individual rights outlined in the law.
Rights
Article 18 of the LGPD lays out the rights exercisable by individuals and requires that they be provided in an accessible manner. These rights are:
- Confirmation of the existence of the processing.
- Access to the data.
- Correction of incomplete, inaccurate or out-of-date data.
- Anonymization, blocking or deletion of unnecessary or excessive data or data processed in noncompliance with the provisions of this law.
- Portability of the data to another service or product provider, by means of an express request and subject to commercial and industrial secrecy, pursuant to the regulation of the controlling agency.
- Deletion of personal data processed with the consent of the data subject, except in the situations provided in Article 16 of this law.
- Information about public and private entities with which the controller has shared data.
- Information about the possibility of denying consent and the consequences of such denial.
- Revocation of consent.
Of note is the fact that while many of these rights have been seen in the data protection legal sphere before, the LGPD expands upon the familiar “right to be informed” (previously seen in the GDPR). It does so by splitting the “right to be informed” into two: the right to be informed as to the entities with which data is shared and the separate right to be informed as to what will happen if the individual refuses to consent. While this distinction appears minor, it provides individuals with greater transparency and understanding of the impact of their choices.
General principles
The desire to provide increased transparency is in line with the general principles of the LGPD. Outlined in Article 6, the law lays out 10 principles that should be considered when processing personal data. Ultimately, the extent of such consideration will assist the Brazilian data protection authority, Autoridade Nacional de Proteção de Dados, in determining whether a company complies with the law. These general principles are purpose, suitability, necessity, free access, quality of the data, transparency, security, prevention, non-discrimination and accountability.
Grounds for processing and consent…