Brazil’s General Personal Data Protection Law or “LGPD” entered into force on September 18, 2020.
In this podcast, Thiago Luís Santos Sombra of the prominent Brazilian law firm Mattos Filho, explains the basic approach to personal data privacy of South America’s largest country. Highlights:
- Brazil chose the European Union’s basic approach (GDPR), but there are differences between GDPR and LGPD.
- Personal data is defined broadly to include identifiers such as email address, geo-location and similar information particular to a person.
- Data mapping and risk assessment are the immediate steps a business should take that collects or processes personal data of Brazilians.
- Companies must assess whether consent or legitimate interest (or another statutory basis) is the ground for holding particular personal data and build a compliant approach on that basis. The LGPD is broader than GDPR in the number of legal bases it provides for holding and processing personal data. Businesses will treat express consent as a last resort rather than the first option in complying with the law.
- A privacy-compliant notice should be posted.
- A prevention and emergency plan should be in place for handling breaches.
- A data subject's request under the LGPD should receive a response or action within 15 days (instead of 30 under GDPR), and the LGPD does not provide for an extension beyond 15 days. A request for deletion (exclusion) or opt-out is to be handled immediately, or at least without undue delay. Because the Authority that will regulate and enforce the law has not yet been appointed, there is no one to consult on how the deadline will be applied, which makes the 15-day response a particular challenge for businesses.
- If a business is compliant with GDPR (or thinks it is), this does not guarantee Brazilian compliance, as there are differences from GDPR. There is probably more flexibility in Brazil for businesses than exists under GDPR, but until an Authority is in place, there is no regulator to discuss ambiguities or obtain advance guidance.
- Cross-border transfers take the European approach, with no data localization as required by China, Russia, or India. The data protection authority to be appointed will need to issue standard contractual clauses or otherwise specify what is required. Brazil and the USA are already negotiating about data transfers, with no clear guidance from the Code about what is required of another country’s level of protection by law.
- Data Protection Officers (DPOs) must be appointed by controllers but not by processors, with no threshold or de minimis test for this (unlike GDPR). No specific liability is specified for DPOs beyond the liability for willful misconduct common to any such relationship. DPOs can be internal or outsourced. While there is no requirement that the DPO reside in Brazil, Portuguese language skill is practically essential for a DPO.
- Regulations will follow in time. Individuals will need to be appointed to the Authority and approved by the legislature, with the aim of having an enforcement agency ready to act by August 2021.
On September 22 the first government lawsuit was filed to enforce the LGPD against Infortexto, a Brazilian website that sells personal information. It is accused of transferring information on half a million residents of São Paulo without their consent and contrary to law. An injunction is sought. See https://www.mpdft.mp.br/portal/index.php/comunicacao-menu/sala-de-imprensa/noticias/noticias-2020/12384-mpdft-ajuiza-1-acao-civil-publica-com-base-na-lgpd for the press release of the Public Prosecutor's Office of the Federal District and Territories (MPDFT). Class actions and other lawsuits began to appear the day the law became effective.
Because of Brazil's prominent position as the giant of South America, one could expect a European-style approach to personal data privacy, like the one Brazil has adopted, to spread throughout South America. Similar but not identical comprehensive data protection laws already exist in Chile, Colombia and many other South American countries.