The short answer is: Yes.
Earlier this year I started a series called “Stop the hype!” where I criticized the numerous articles that equated revisions to Colorado’s data security statute and the California ballot initiative with copy-cat GDPRs as doing little but trying to incite fear.
In comparison, there were relatively few articles written about Brazil’s General Data Protection Law (“LGPD”), which was enacted on August 14, 2018. While there are sixteen months before that law will go into force and, like the CCPA, changes are anticipated, it has far more similarities to the GDPR than any recent United States enactment (or even United States proposal). Without even parsing the substantive provisions of the LGPD, the terminology it utilizes (e.g., “controllers,” “processors,” “data subjects”) makes it abundantly clear that the legislation was designed to emulate the GDPR. When you do look at the substance, there are without a doubt differences between Brazil and Europe, and in some respects the LGPD is less restrictive (or proscriptive) than the GDPR, but conceptually Brazil embraced the same familiar concepts set forth by the GDPR, such as the requirement to have a permissible purpose for processing data, data minimization, notice of privacy practices, data subject rights, restrictions on cross-border transfers, and some degree of accountability for the activities of processors.
For those who are looking for a quick primer on the Brazilian law, Fabio Pereira and Denise Louzano, colleagues at Veirano Advogados in Sao Paulo, have published a good, concise summary of the new law and its requirements.