– Katie Hyman, Partner
Brazil’s Lei General de Proteção de Dados (“LGPD”) officially came into effect on Friday, September 18 2020. This Brazilian General Data Protection Law (LGPD), Federal Law no. 13,709/2018, was published on August 15, 2018, is heavily influenced by the EU GDPR and is Brazil’s first comprehensive framework regulating the use and processing of personal data. Prior to the LGPD, data privacy regulations in Brazil consisted of various provisions spread across Brazilian legislation.
The LGPD applies to businesses of all sizes, with only a few listed exceptions, such as where data are collected for artistic or academic purposes, or for national security and public safety. It will apply when data is collected or stored in Brazil or where data is processed for the purposes of offering goods or services to individuals in Brazil.
The LGPD defines “personal data” broadly: it means any information regarding any identified or identifiable natural person, including data that could be aggregated to identify a person. The general principles underlying the LGPD are set out in Article 6, and these will be used by the Brazilian data protection authority to determine a company’s compliance with the law. The principles are purpose, suitability, necessity, free access, quality of the data, transparency, security, prevention, non-discrimination and accountability.
In line with these principles, the rights of the data subject are set out in Article 18, and these are very similar to those in the GDPR, including access to data, correction of inaccurate data, portability, deletion of data processed with consent, information about entities with which the controller has shared data, information about the possibility of denying consent and revocation of consent.
Companies are required to report data protection breaches to the local data protection authority, but no deadline for reporting is included in the LGPD. Guidance on this is to come from the data protection agency, which is yet to be established. Companies that violate the LGPD can be fined up to 2% of the revenue of their organization, up to a total of R$50 million (approximately US$9 million) per violation. However, penalties for infractions will only start to be applied from August 1, 2021.
An official English translation is not yet available, but the IAPP has provided a translation and you can read it here: Brazilian General Data Protection Law.