By Fabio Pereira, Denise Louzano, Juliana Assis
Compared to Europe, where the first data protection laws were created decades ago, Brazil has only recently joined comprehensive discussions on data protection regulation, more precisely in 2009. Until then, the Brazilian data protection regulatory framework was sector-based and primarily governed by the country's Civil Rights Framework for the Internet (Internet Act) and Consumer Protection Code, among others.
The text for the GDPR approved on 14 April 2016 has deeply impacted the Brazilian initiatives on the creation of specific data protection legislation and consequently inspired the text for the Brazilian General Data Protection Law (LGPD or Law 13.709/18), which was signed into law on 14 August 2018 and will come into force in August of 2020.
The legislation replicates key points of the European regulation, following the worldwide trend towards strengthening personal data protection, guaranteeing a series of rights to data subjects, as well as imposing important obligations and relevant penalties on processing agents. However, it also contains some particularities adapted to Brazil. For example, any consent obtained must be specific and data subjects can withdraw their consent at any time. Moreover, the Brazilian law creates ten legal bases allowing the processing of personal data, four more than the European legislation. These include performance of a contract, legitimate interests, legal basis for processing and the protection of credit. This last one is very specifically adapted to the needs of the credit sector in Brazil. This specific provision might suggest that the application of the LGPD can be more flexible in Brazil than what has been established in Europe.
On the other hand, similarly to the GDPR, the Brazilian law regulates controllers and processors of personal data and establishes the principle of extraterritoriality: the Law also applies to processors based outside Brazil that process data collected in Brazilian territory or that offer goods or services to individuals located in Brazil, regardless of where the organisation is based.
Furthermore, the consequences of non-compliance with the LGPD can be just as severe as those of non-compliance with the GDPR. While EU enforcers can issue fines of up to 4% of global revenue, Brazil's regime allows fines of up to 2% of Brazilian revenues, capped at BRL 50 million (approximately USD 13 million or EUR 11,395,140) per infraction.
Regarding enforcement, Law No. 13,853/2019 established the creation of the National Data Protection Authority (ANPD, also referred to as the 'NDPA'), which, among other powers, has the authority to:
- regulate data protection and privacy matters;
- impose administrative sanctions in the event of breach of the LGPD provisions;
- propose guidelines for the creation of the National Policy for the Protection of Personal Data.
Since the LGPD is recent, controllers and processors still lack appropriate technology systems, data governance mechanisms, and ways to allow data subjects to exercise their rights. For this reason, organisations are now implementing measures to guarantee compliance with the GDPR and the LGPD when it comes into force, but there is still much more to do.
At the time of writing, there is no record of any Brazilian company facing GDPR enforcement, perhaps due to a lack of supervision while the country is still adapting to this new regulatory scenario. Expectations are that once the ANPD is properly established and operating, organisations will face closer supervision, and sanctions will be imposed on non-compliant organisations to guarantee the efficacy of data protection regulations.