What to Expect from Brazil's New Data Protection Law | Tripwire

What to Expect from Brazil's New Data Protection Law

Posted on June 28, 2020
What to Expect from Brazil's New Data Protection Law
The European GDPR (General Data Protection Regulation) is one of the most influential consumer privacy laws that has affected 500,000 companies throughout the world. This law has played a crucial role in formulating another substantial privacy law known as the California Consumer Privacy Act that came into effect on January 1, 2020. Similar to the European GDPR (General Data Protection Regulation), the LGPD (Lei Geral de Proteção de Dados Pessoais) law is a brainchild of the Brazilian government. In this post, we will evaluate how LGPD law secures the privacy of Brazilian users. Apart from this, we will explore the significant similarities between the GDPR and LGPD. Similarly, we will try to analyze the impacts of LGPD law in detail.

What Is the General Data Protection Law (LGPD)?

The National Congress of Brazil passed The Brazilian GDPR, also called the LGPD (Lei Geral de Proteção de Dados Pessoais), on August 14, 2018. The law will be applicable on August 15, 2020. The LGPD is a legal framework that provides an outline regarding the use and processing of personal data of Brazilian users regardless of where the data processor is located. This law is applied to organizations that offer their services to people in Brazil.

Where Is the LGPD Applied?

The LGPD law applies to individuals situated in Brazil. Moreover, companies that are processing personal data of Brazilian users have to abide by the LGPD law. It means that organizations or websites, operating from anywhere in the world, who collect the personal data of individuals who reside in Brazil will have to follow the LGPD law accordingly.

When Is the LGPD Not Applied?

There are different situations when the LGPD law does not apply. These situations are:
  • An individual who is processing the data for personal purposes
  • In the case that the data is academic, journalistic, and artistic nature-wise
  • If the information has to be used for criminal investigations, national security, national defense, public safety, and punishment tasks

How Is Personal Data Defined under the LGPD?

As per the LGPD law, data relating to an identified individual or an identifiable natural person is considered personal data. However, anonymous or anonymized data does not belong to personal data.

What Are Data Subject Rights According to the LGPD?

According to article 18 of the LGPD law, individuals have the following nine rights over their data processing:
  1. They can access their data.
  2. They can confirm the processing of their personal data.
  3. They can rectify incomplete, outdated or false data.
  4. They can delete excessive or necessary information, which is not being processed under the LGPD.
  5. They can hand over their data to other processors if requested.
  6. Delete their data.
  7. Exposure of third parties or subprocessors with whom the controller has shared the data.
  8. Know about the consequences of denying consent.
  9. Cancellation or consent revocation.

What Kinds of Obligations Does the LGPD Enforce on Companies?

The LGPD (Lei Geral de Proteção de Dados Pessoais) law imposes the following obligations on organizations that include:
  • Companies must inform, rectify, delete, anonymize, or provide a copy of the data in case the data subject requests.
  • Companies should remove the data once the relevant relationship ends.
  • Organizations must appoint a data protection officer for managing communications with the data subjects.
  • Implement administrative and technical data security measures to secure personal information from data theft, unauthorized access, accidents, and other issues.
  • Deliver data breach notification to the concerned parties including data subjects and local authorities in case of data violation.

Major Similarities between GDPR and LGPD?

As already mentioned, the LGPD law is similar to GDPR. Both these customer privacy laws safeguard the individual rights of living persons. Furthermore, the personal data of legal persons is not covered in the GDPR and the LGPD. According to the GDPR, the data subject is defined as the natural identifiable or an identified person. As far as the LGPD law goes, the data subject is related to a natural person. The GDPR indicates that the data controller or data processors are considered as businesses, public institutions, and not-for-profit organizations. The same goes for the LGPD law as data processors, or what data controllers refer to as businesses, public corporations, and not-for-profit organizations. If we talk about anonymous data as per the GDPR, this type of data is not related to naturally identifiable or an identified person. Therefore, anonymous data is not processed under GDPR. The LGPD law describes anonymized data as the data that relates to a data subject. However, the data subject cannot be identified, so it is not processed.

Key Differences between the GDPR and the LGPD

GDPR and LGPD differ with each other despite having various similarities. GDPR is applied to natural persons regardless of their nationality and place of residence. On the other hand, LGPD does not mention whether it applies to natural persons, regardless of nationality. The personal data is processed through automated or non-automated means if the information is a part of a filing system in GDPR. Compared to GDPR, LGPD applies to any processing operation. GDPR does not explain the process of anonymized data for profiling objectives. But, LGPD considers data as personal that can be used to create behavioral profiles of identified natural persons. Companies have to appoint a Data Protection Officer (DPA) who will communicate with the subject rights alongside the local authorities as and when required under the LGPD. However, according to GDPR, a Data Protection Officer (DPO) is only needed in certain circumstances.

What Next in Case of a Data Breach?

If a data breach incident occurs, the controller will have to inform both the data subject and the National Data Protection Authority (ANDP) through a data breach notification within a stipulated time period. A data breach notification should include the information comprising:
  • Description elaborating the nature of the affected data
  • Information about the data subjects involved
  • The privacy protection actions that were or will be followed
  • The risks resulted from the incident
  • Description of the security measures applied

What Are the Penalties?

A financial penalty, which is 2% of the company’s Brazilian revenue of up to R$50 million (EUR 11.2 million), will be applied per violation on an organization that does not comply with the LGPD law.

Wrapping Up

There is a strong likelihood that the LGPD will suffer the same fate as GDPR because most of the regulatory bodies in the country have an association with the Brazilian government. That said, consumers should not lose all their hope since there is a light at the end of the tunnel. Due to the LGPD law, companies cannot take things for granted when processing their customers’ information without obtaining their consent. Therefore, the LGPD law should be considered as a step in the right direction because it will protect the Brazilian users’ digital privacy rights successfully.
Author Bio: Usman Hayat is a business school grad specializing in marketing. He found his love for writing during his studies. Usman now pursues a career as a digital privacy & security advocate for VPNRanks. He loves reading about sci-fi & technology, while cricket is his game of choice. When the world cries ‘online freedom,’ Usman stands resolute, raising his voice for the rights of netizens everywhere. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Join over 20,000 IT security pros who get our top stories delivered to their inbox every week!