Data privacy legislation continues to dominate headlines in 2020, this time with the Lei Geral de Proteção de Dados. Brazil’s new law suddenly went into effect on August 27th and has companies around the world scrambling to understand how it works. Fortunately, it’s quite similar to Europe’s GDPR. We’ll take a closer look at Brazil’s privacy law and examine both the similarities and differences between these two laws.
With its name being a literal translation of the GDPR in Portuguese, it’s not difficult to understand the concept. This law regulates data processing in Brazil and defines enforcement mechanisms. You can read the full text of the law in English here.
What surprised the international community was how the law came into effect. Much like the GDPR, when the law was passed there was a transitional period to help companies settle into compliance. It was supposed to take effect earlier this year, but concerns about the economic impact during the COVID-19 pandemic gave lawmakers pause.
A compromise was struck in the Brazilian senate: the law would come into effect immediately, but fines would not be enforced until August 1st, 2021. Private lawsuits may be filed, but the National Data Protection Authority (ANPD) has yet to be installed.
Examining LGPD vs. GDPR reveals similarities in their backstories as well. Europe had already established certain principles regarding internet use prior to passing the GDPR. Likewise, Brazil had passed a law in 2014 commonly referred to as the Brazilian Internet Law.
This law declared that constitutional rights such as freedom of speech were extended to online spaces. It also enshrined net neutrality into law. However, it fell short of defining data rights and had no clear enforcement mechanisms. Brazil’s new data privacy law builds a robust framework on the foundation that the Brazilian Internet Law laid years ago.
It is clear from the content of the LGPD that Brazilian lawmakers were heavily influenced by the content of the GDPR. The two laws are very similar, but there are a few key differences.
The LGPD and GDPR grant consumers similar rights, including the right to know exactly what personal data a company holds about the data subject and the right to request deletion of that data. While the LGPD lists nine rights and the GDPR lists eight, that is only because the LGPD split GDPR’s “right to be informed” into two, to make it more explicit: “information about public and private entities with which the controller has shared data” and “information about the possibility of denying consent and the consequences of such denial.”
In addition, both laws define what constitutes legal data processing. Brazil’s law adds a few items to the definition, including health protection and credit protection; this is because Brazil had no laws in these areas prior to drafting the LGPD, whereas European markets already had laws protecting health-related data and financial information.
Consent must be obtained in most cases, and this can be done in the same way the GDPR allows. A visible notice on your website or app is sufficient to confirm that the user has consented to your collection of their data. Like the GDPR, a user can revoke their consent at any time, and companies are expected to delete their data shortly thereafter.
Here’s where the LGPD vs. GDPR debate heats up. Brazil didn’t just copy Europe’s paper and turn it in. There are a few critical differences that stand out and that your company should be aware of when developing its data compliance plans.
The GDPR raised eyebrows because it was essentially a global law. Any business that either offers goods or services to EU residents or collects data on them must comply. It does not matter where that data was collected or processed: if it has to do with an EU citizen or legal resident, it’s subject to the GDPR. Similarly, the LGPD applies to all organizations that offer goods or services to data subjects in Brazil, even if the company is not located in the country.
One key difference with respect to jurisdiction is that the GDPR explicitly includes organizations that monitor the behavior of EU residents, while under Brazil’s law, there is no explicit provision. Therefore, in Brazil, the data must be collected or processed in Brazil to be under its jurisdiction. If the data flow originates outside of Brazil and is merely transmitted but not processed in the country, the LGPD will not apply.
The LGPD’s current definition of personal data is more expansive in scope than that of the GDPR, because it refers to any data that, by itself or combined with other data, could identify a Brazilian resident or subject them to a specific treatment. The GDPR, however, has a narrower definition of personal data.
One novel addition to the list of justifications for data processing is research. The law specifically allows research to include Brazilians’ data, meaning that universities and research companies can obtain Brazilian data without repercussions. You still have to play by the rules if this applies to you, but having explicit permission to conduct your research is a welcome addition to the law.
There are some major differences in terms of penalties. The GDPR sets fines based on a company’s global turnover, but Brazilian law determines the amount based on Brazilian revenue only. If your company does not generate revenue in Brazil and has no legal entity there, Brazil would not be able to properly assess fines and prosecute your company.
In these scenarios, the Brazilian business that sold or exported the data would possibly be subject to fines. Like the GDPR, cross-border transfers are limited, and the recipient is required to provide a similar level of data protection.
Brazilians cannot exercise their right to deletion if the data is being processed in a third country. You would not have to respond to such requests if your company does not have a Brazilian branch.
In addition, government agencies are outside the scope of the LGPD, but the GDPR gives discretion to Data Protection Authorities to make that determination.
However, as mentioned earlier, Brazil’s Data Protection Authority (DPA) has not yet been appointed, and enforcement is not scheduled to begin until August 21, 2021, while in the EU the GDPR is of course already being enforced by several DPAs (one in each EU member state).
On the topic of citizens’ rights, the deadlines for replying to citizen requests for data reports are tighter under the LGPD than other laws. The GDPR sets the deadline at 30 days, while Brazil’s law places this at 15 days.
Breach reporting rules are fuzzier. While other data protection laws establish firm deadlines, Brazil’s rules simply state that breaches must be reported “in a timely manner.”
Once Brazil’s National Data Protection Authority is created, the law is likely to be refined and certain rules will be tweaked. If you’re worried about staying compliant, contact Aparavi today. Our intelligent data management system is automatically updated with new and changing data privacy regulations. The Aparavi Platform is designed with compliance in mind and makes it easy to track files regardless of where you store them, ensuring compliance and keeping you out of trouble.