Brazilian Government Passes GDPR Inspired Data Privacy Law
On August 14, 2018, Brazil passed the General Data Protection Law (the “LGPD”). The LGPD is set to go into effect in February of 2020. The bill is one of the latest products of the global trend toward stricter data privacy laws following the implementation of the European Union’s General Data Protection Regulation (the “GDPR”). The LGPD borrows from the GDPR in part but also includes multiple unique features. The key takeaways from the bill are:
- extraterritorial application
- legal grounds for processing data
- rights granted to data subjects
- appointment of a Data Protection Officer
- severe penalties for violators
We previously have analyzed the issue of extraterritorial application, or attempting to legislate conduct beyond the jurisdiction in which a particular law or regulation is in effect, with regard to the GDPR. In that connection, by its express terms, the LGPD requires compliance beyond Brazil’s borders. The LGPD states that any foreign company: (i) with a branch in Brazil; or (ii) that offers services to the Brazilian market and collects and treats personal data of data subjects located in Brazil, is subject to the new law. Importantly, the nationality or citizenship of the data subject is irrelevant so long as such person is located in Brazil.
This provision differs from the corresponding provision in the GDPR. The GDPR requires compliance based on whether the consumer whose data is being collected is a citizen of the European Union. That GDPR requirement is far more ambiguous, whereas the LGPD provision specifically focuses on data subjects located within Brazil, regardless of citizenship.
Legal Grounds for Processing Data
The LGPD requires companies to have a legal basis to collect, process, and store personal data of Brazilian data subjects. The LGPD defines ten legal bases for dealing in such consumer data, which are as follows: (1) consent; (2) compliance with law; (3) by the government for public policy or regulation; (4) research utilizing anonymized personal data; (5) when necessary for the performance of a contract with the data subject; (6) to exercise legal rights in lawsuits, arbitration, or administrative proceedings; (7) the protection of life or physical safety; (8) by medical providers for the protection of health; (9) when necessary to meet the legitimate interest of the data controller or third parties; and (10) the protection of credit ratings or profiles.
In addition, to fulfill the consent requirement, companies must reconstruct their privacy policies, terms of usage, and consent requests to consumers to comply with the LGPD. This measure is intended to ensure that the consumer may clearly understand the character and extent of his or her consent. The LGPD will label certain personal data as “Sensitive Data.” Companies may process such Sensitive Data only following specific consumer consent or when processing is essential to serve some legitimate purpose.
Rights Granted to Brazilian Data Subjects
Another provision in the LGPD that is similar to the GDPR concerns the rights granted to data subjects. A few of the rights that we previously have discussed in our analysis of the GDPR have corresponding rights in the LGPD. Those rights are: (i) the right to access; (ii) the right to revoke consent; (iii) the right to data portability; and (iv) the right to be forgotten. The LGPD also includes new, unique rights that are not present in the various data privacy bills that we have explored to this point. Those new rights are:
- confirmation of the existence of processing
- disclosure of third parties
- information about consent choices
First, the confirmation of the existence of processing is a provision that allows a consumer to contact a company and receive confirmation that his or her data is being processed. Second, the right to disclosure of third parties will allow a consumer to request a list of all third parties to which his or her data is being disclosed for processing. Finally, data subjects have a right to know the data uses to which they are consenting and the consequences of withholding such consent.
Ramifications for Businesses
The LGPD presents several of the same obstacles to data collection and processing companies as the GDPR does. A company is required to appoint a Data Protection Officer (the “DPO”), who will be a high ranking executive within the company. The DPO will be tasked with monitoring compliance, mapping and documenting processing and legal bases for processing, reporting data breaches, and various other tasks that are necessary to be compliant with the LGPD.
Beyond all that, the penalties under the LGPD are severe. Brazil is creating a separate governmental entity to monitor compliance with this bill, the Data Protection Authority (the “DPA”). Similar to the DPA’s counterpart under the GDPR in the European Union, the DPA in Brazil will audit and monitor compliance and render fines. Fines may be up to 2% of a company’s gross revenues generated from Brazilian consumers in the previous year and are capped at about $12 million (U.S. dollars).
Our experienced attorneys at Dickie, McCamey & Chilcote, P.C. have advised clients on international and domestic data privacy compliance for years and will continue to provide updates on this latest development (and others to be forthcoming, of course) as the global trend toward stricter data privacy inevitably continues. If you have any questions or concerns, please contact us, and we will be happy to work with you and to help equip your company for compliance in this constantly evolving area.
Jason L. Ott, Esq.
Marjorie F. Bagnato, Esq.
Derrick L. Maultsby, Jr.