On 14 August 2018, Brazilian President Michel Temer signed into law the new General Data Protection Law (LGPD), the first detailed legislation on the subject in the country. The LGPD establishes a period of 18 months for data processing agents to adjust to its rules.
The new law follows the trend of reinforcing personal data protection, and its key provisions closely mirror the European Union’s General Data Privacy Regulation (GDPR), which took effect on 25 May 2018, and forced companies and other entities to implement changes in how they deal with personal data.
The LGPD applies to any agent (legal entity, individual or public agency) who performs data processing, a term defined in the law as “any operation carried out with personal data.” This definition may include even the mere access to the data of employees, suppliers and consumers, as well as the storage, transfer and erasure of such personal data. As such, the LGPD will impact different areas of companies, such as the legal and compliance, marketing and HR departments.
According to the LGPD, personal data means any information relating to an identified or identifiable individual. It is also worth noting that certain data are qualified as “sensitive” and therefore have specific and stricter rules for their processing. Sensitive data includes personal data regarding religious beliefs, racial or ethnic origin, political opinions, health conditions or sexual activities.
Following the extraterritoriality principles already applied in the European Union’s GDPR, the LGPD relates not only to companies incorporated in Brazil, but also to entities that process or collect data in the Brazilian territory and to those that aim to supply goods and services to anyone located in Brazil.
The law also creates important new roles, such as the controller and the processor. While the controller is the individual or legal entity responsible for making decisions regarding the processing of data and is required by law to communicate any security incident that may create risks or material damages to the data subjects, the processor is the one who effectively processes the data on behalf of the controller. Most importantly, the law imposes strict liability upon the controller and the processor in relation to the data processing activity.
Except for those activities in which data processing is expressly permitted in the LGPD, the agents must obtain the informed and unequivocal consent of the data subject both to the data processing and to the sharing of the data with other entities. Controllers must also adopt the concept of “privacy by default,” ensuring that technologies work naturally and automatically to process only the minimum amount of personal data required to fulfil their specific purpose.
Likewise, the agents must inform the data subject, in a clear and specific manner, of any changes in the purpose or duration of data processing. Finally, the agent ordinarily will have an obligation to delete the personal data upon completion of the data processing—usually when the purpose of the data processing is reached or when the period agreed to for the processing ends.
The LGPD also lists a number of rights of the data subject that must be respected by the processing agents, and the processing agents have an obligation to keep the data subjects informed of their rights in a clear and accessible manner. The rights of the data subjects include the following:
- Easy access to data that has been collected;
- Anonymization, blockage or erasure of his or her data;
- Withdrawal of consent;
- Correction of incomplete or outdated data; and
- Portability of personal data to another good or service provider.
With respect to penalties, failure to comply with the LGPD by data processing agents may result in penalties, including: (a) warnings; (b) disclosure of the violation; (c) blocking or deletion of the personal data to which the violation relates; or (d) daily fines, or fines of up to 2 percent of the sales of the corporate group in Brazil, limited to R$50 million per violation.
In order to comply with the new legislation, companies that process or collect data in Brazil will need to adopt various measures and adjust their internal policies concerning the processing of data of their customers, vendors and employees. In that sense, management will need to involve different business areas to make sure the necessary adjustments to their business are put in place before the LGPD becomes effective in 2020.