Updated February 21, 2020.
In this blog post, we give a broad overview of the LGPD (Lei Geral de Proteção de Dados Pessoais) – its substance and its consequences for data protection in both Brazil and the rest of the world.
We look at its foundation and definitions, the rights it empowers data subjects with, what constitutes compliance with the LGPD and how it compares to the European GDPR.
Brazil has over 140 million internet users. It is the largest internet market in Latin America and the fourth largest in the world by number of users. Brazil already has more than forty legal norms at the federal level that in various ways deal with data protection and privacy, resulting in a tangled legal framework.
However, these are sectoral in nature, meaning that they relate separately and specifically to banking, real estate, consumer protection and the like.
Brazil's new data protection law – the LGPD (Lei Geral de Proteção de Dados Pessoais) – is intended to replace this fractured legal landscape with an overarching regulatory framework.
It will empower individuals with a streamlined set of rights, rather than the partial protection of the sectoral laws in place today, and is shaped with great inspiration from the EU’s General Data Protection Regulation.
Some even call it “Brazil’s GDPR”. And it’s true – if you’re already GDPR compliant, you are mostly within the provisions of the LGPD… though not completely!
There are some significant differences between the LGPD and GDPR, which we will sort out below.
Brazil’s data protection law is Lei Geral de Proteção de Dados Pessoais, which means “general law of personal data protection”.
It is officially abbreviated to LGPDP, though it is most commonly known and referred to as the LGPD or Lei Geral de Proteção de Dados.
It was passed on August 14, 2018 and conclusively sanctioned by President Bolsonaro in July 2019.
The effective date of the LGPD enforcement is August 15, 2020.
The Lei Geral de Proteção de Dados is closely modelled after the European GDPR and creates a legal framework for how personal data is allowed to be handled in Brazil. It contains sixty-five articles.
LGPD (Lei Geral de Proteção de Dados) empowers data subjects with nine rights, defines what constitutes personal data, and creates ten legal bases for lawful processing.
It also puts the responsibility on companies and organizations to appoint a Data Protection Officer (DPO) and establishes the Autoridade Nacional de Proteção de Dados (or ANPD, Brazil’s new national data protection authority) with powers of supervision, guidance and enforcement of its administrative sanctions.
Any data processing within Brazil is covered by the LGPD, including processing carried out by foreign data processors.
LGPD defines a data subject as “a natural person to whom the personal data that are the object of processing refer”. In other words, an individual whose data is being collected and/or processed is a data subject.
LGPD has “transversal” and “multi-sectoral application”, meaning that it applies to both public and private sectors, as well as online and offline.
It also has “extraterritorial application”, which means that websites, companies or organizations that process personal data from individuals in Brazil are bound to comply with the LGPD, regardless of where in the world they are owned or operated from.
In Article 3, it is defined that the LGPD applies to:
Brazil's LGPD not only protects Brazilians, but all individuals whose data is collected or processed while in the national territory.
This means that the LGPD applies to any individual whose data has been collected or is being processed while inside the territory of Brazil, and not only Brazilian citizens!
It is no secret that the LGPD (Lei Geral de Proteção de Dados) has been closely modelled on the GDPR with the intention to make it easier for Brazil to achieve a so-called adequacy agreement with the EU, ensuring a free flow of data between the two.
Yet, some significant changes were made to the law in July 2019, when it was sanctioned by President Bolsonaro.
These include the removal of a provision that mandated companies and organizations to review machine-automated decisions, the removal of technical skill requirements for data protection officers, as well as changes made to the enforcement power of Brazil’s coming data protection authority (the ANPD).
In the original draft, the ANPD had the option of restricting a data processor’s access to databases and of forbidding them to process personal data altogether. This was scrapped by the time Bolsonaro sanctioned the final version of the LGPD.
Privacy watchdogs, as well as the country’s first data protection commissioner, have called it a watering down of the LGPD that could affect Brazil’s EU adequacy decision and take away the law’s enforcement teeth.
An English translation of the official LGPD law text can be found here; note, however, that it is a previous draft and not the final law that was passed in July 2019. Some changes have been made to the law, but the overall scope, foundation and wording remain very much the same.
The official LGPD law text in Portuguese can be found here.
Here at Cookiebot, we follow the implementation and enforcement phase of the LGPD (Lei Geral de Proteção de Dados) very closely, since it deals with our area of expertise: protecting privacy.
Our consent and compliance solution is unique on the market: the Cookiebot scanner finds all cookies and similar tracking technology, and automatically holds everything back until the users give their specific, unambiguous consent to which types of cookies they will allow on their browser.
Cookiebot consent banner for GDPR compliance in EU.
Cookiebot enables 100% GDPR compliance.
When the LGPD takes effect in August 2020, Cookiebot will enable compliance with it as well.
The LGPD (Lei Geral de Proteção de Dados) creates nine rights for data subjects.
They are found in Article 18 and empower individuals with the rights to:
These are closely modelled after the rights that the GDPR empowers European citizens with, and they have direct implications for website owners and operators all over the world who process and/or collect data within the territory of Brazil.
It means that if you have a website and that website has visitors from Brazil, or if you offer services to individuals in Brazil, or collect and process data within Brazil, you need to comply with the LGPD.
A consent solution like Cookiebot can help you become compliant.
The LGPD (Lei Geral de Proteção de Dados) defines its key terms and concepts in its Article 5. These include personal data, sensitive personal data, data subject and processor, among others.
Personal data is defined broadly in the LGPD.
The law simply states that personal data is “information regarding an identified or identifiable natural person” (Article 5, I).
This can be anything from names, ID-numbers, location data, online identifiers to physical, physiological, genetic, mental, economic, cultural or social facts, although the LGPD does not list any of these examples itself.
Sensitive personal data is defined as a subcategory of personal data and applies when the data processed concerns “racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data” (Article 5, II).
The LGPD specifies in Article 11 the limited situations in which the processing of sensitive personal data is allowed to occur.
Personal information is similarly defined in the LGPD and GDPR, with minor differences.
They include “specific and distinct consent”, “by the public administration for the execution of public policies” and “studies carried out by a research entity”, the latter upon the guarantee that the data will be anonymized whenever possible.
Anonymized data is a further subcategory, referring to “data related to a data subject who cannot be identified” with the technical means available at the time of processing. If anonymized data is in any way reversible, i.e. if it can be used to identify an individual or for behavioral profiling, it is not anonymized data.
IAPP’s English translation of the LGPD varies slightly from the original text in Portuguese, e.g. “Operador” is translated to “Controller”.
For the full 19 definitions in Article 5, see the English translation here.
Of the ten legal bases for lawful processing that the LGPD lays out, consent is the first.
This is very important for our niche of the privacy field, because it has direct implications for how your website is allowed to set cookies, process user data and share this data with third parties.
Article 8 of the LGPD makes it clear that consent cannot be obtained through “generic authorization”, rather it must refer to particular purposes.
This means that websites, companies and organizations must first obtain the specific, unambiguous consent of the data subject before any processing of personal data is allowed to take place.
Consent must be revocable at any time and must also be provided by the data subject “in writing or by other means”, e.g. a consent banner on a website.
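The consent mechanics the post describes (scripts held back until the visitor consents to specific cookie categories, consent that must name particular purposes rather than a "generic authorization", and consent that can be revoked at any time) can be demonstrated in a small consent gate. The code below is an added example for this post, not Cookiebot's code or any part of the LGPD itself; the category names, the `ConsentManager` class and the loader/cleanup callbacks are assumptions, and the demo's "ad pixel" events are constructed.

```javascript
// Consent-gated loading of cookie-setting scripts, one gate per cookie category.
// Added example, not Cookiebot's code. Category names and the API are assumed.

const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

class ConsentManager {
  constructor(clock = () => new Date().toISOString()) {
    this.clock = clock;
    // Strictly necessary cookies need no consent; every other category starts denied.
    this.state = Object.fromEntries(CATEGORIES.map((c) => [c, c === "necessary"]));
    this.loaders = {}; // category -> [{ loader, cleanup }]
    this.log = [];     // audit trail of consent decisions: what was granted/revoked and when
  }

  assertKnown(category) {
    if (!CATEGORIES.includes(category)) {
      throw new Error(`unknown cookie category: ${category}`);
    }
  }

  // Register a script that sets cookies of `category`. It runs at once only if
  // that category is already consented; otherwise it is held back until consent.
  // `cleanup` is what removes the cookies again if consent is later revoked.
  register(category, loader, cleanup = () => {}) {
    this.assertKnown(category);
    if (!this.loaders[category]) this.loaders[category] = [];
    this.loaders[category].push({ loader, cleanup });
    if (this.state[category]) {
      loader();
      return true;
    }
    return false;
  }

  // Consent must name specific categories: an empty or missing list is rejected,
  // mirroring the rule that consent cannot be a "generic authorization".
  grant(categories) {
    if (!Array.isArray(categories) || categories.length === 0) {
      throw new Error("consent must name at least one specific category");
    }
    for (const c of categories) {
      this.assertKnown(c);
      if (this.state[c]) continue; // already allowed; do not load twice
      this.state[c] = true;
      for (const { loader } of this.loaders[c] || []) loader();
    }
    this.log.push({ at: this.clock(), action: "grant", categories: [...categories] });
  }

  // Consent is revocable at any time; revoking runs the registered cleanups so
  // cookies already set for that category are removed.
  revoke(categories) {
    for (const c of categories) {
      this.assertKnown(c);
      if (c === "necessary" || !this.state[c]) continue;
      this.state[c] = false;
      for (const { cleanup } of this.loaders[c] || []) cleanup();
    }
    this.log.push({ at: this.clock(), action: "revoke", categories: [...categories] });
  }

  allowed(category) {
    this.assertKnown(category);
    return this.state[category];
  }
}

// Constructed demo: a session cookie (necessary) and a marketing pixel that is
// held back, then loaded on consent, then cleaned up on revocation.
function demo() {
  const events = [];
  const cm = new ConsentManager(() => "2020-08-15T00:00:00Z"); // fixed clock for the demo
  cm.register("necessary", () => events.push("session cookie set"));
  const ranAtOnce = cm.register(
    "marketing",
    () => events.push("ad pixel loaded"),
    () => events.push("ad cookies deleted"),
  );
  cm.grant(["marketing"]);
  cm.revoke(["marketing"]);
  return { ranAtOnce, events, log: cm.log, marketingAllowed: cm.allowed("marketing") };
}
```

In a real page the `loader` callbacks would inject the third-party script tags and the `cleanup` callbacks would expire the cookies those scripts set; the audit log is what you would persist as evidence of the specific consent obtained and when it was withdrawn.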
When processing personal data, a website, company or organization must present a specific legal basis.
The ten legal bases in the LGPD (Article 7) for lawful processing of personal data are –
The entire processing of personal or sensitive data must be documented from its initial collection to its termination. Also mandatory is a description of what kind of data is collected, the purpose of the collection and processing, its retention time, and who the data can be shared with.
Controllers or processors can be either jointly or separately liable for data breaches or non-compliance.
The final version of Brazil's data protection law LGPD (Lei Geral de Proteção de Dados) that was sanctioned by the Brazilian president in July 2019 establishes both a national data protection authority (the ANPD) and mandates companies and organizations to appoint a data protection officer.
The ANPD’s creation followed a winding path: it was in the original draft of the LGPD, then vetoed by the former president over fears that it was unconstitutional, then included again by the Federal Senate in May and sanctioned by the Office of the President.
Enforcement of the LGPD will be overseen by the newly created ANPD.
The ANPD’s main objectives will be to set new norms, establish technical standards, supervise and audit, educate about the law and its correct applications, deal with notifications of data breaches and enforce its sanctions.
The national data protection authority will be directly tied to the office of the presidency. It will have two bodies – the Board of Directors consisting of five members with expertise from the privacy and data protection field, and the National Council, a 23-member advisory board with representation from government, civil society, research institutions and the private sector.
According to the final version of LGPD (Lei Geral de Proteção de Dados), companies will be responsible for appointing a Data Protection Officer. It will be the job of this entity to ensure compliance with the LGPD for the data controller, who appoints them.
In the original draft, certain technical skills were required for an individual to become a DPO. These were deleted from the final, sanctioned version. This has led to criticism by privacy experts.
The LGPD (Lei Geral de Proteção de Dados) is clear when it comes to the consequences of non-compliance with the law.
The penalty system ranges from –
Maximum fines reach 50 million Brazilian reais or 2% of a company’s annual turnover for an LGPD violation.
It will be the ANPD that enforces such sanctions once the LGPD comes into force.
The LGPD (Lei Geral de Proteção de Dados) was informed and shaped by the EU's GDPR (General Data Protection Regulation) that came before it. It also has extraterritorial reach, since any website anywhere that processes personal data from individuals in Brazil is obligated to comply with it.
First off, when it comes to the number of rights given to data subjects in each law, the LGPD and GDPR vary slightly, but only on the surface: the GDPR provides data subjects with eight fundamental rights, while the LGPD grants nine rights.
This is in part because the LGPD has split the more general “right to be informed” in the GDPR into the “right to be informed of the parties the controller has shared the data with” and the “right to be informed about the possibility of denying consent”.
Secondly, the LGPD differs only on the surface from the GDPR when it comes to its framework for what constitutes legal bases for processing of data. Again, the LGPD and GDPR basically align, with minor variations.
Where the GDPR has six lawful bases for processing, the LGPD has ten (as described above).
Again, the GDPR and LGPD basically align, but the LGPD splits the more general wording of the GDPR into more specific provisions.
The GDPR’s legal basis of “to save somebody’s life” has been split into first “protect the life or physical safety” and secondly “to protect health, in a procedure carried out by health professionals or by health entities” in the LGPD.
Other splits include the GDPR’s “necessary to perform a task in the public interest” into the LGPD’s “to execute public policies” and “to carry out studies by research entities”. Additionally, the LGPD includes a legal basis that the GDPR does not have at all, the basis of credit protection.
Personal data has a broader definition in the LGPD than GDPR.
According to the LGPD, personal data is anything that relates to an identifiable natural person. In the GDPR, this is further specified with examples such as names, addresses, gender.
EU's GDPR has more "teeth" than Brazil's LGPD when it comes to enforcement.
Sensitive data is – like in the GDPR – a separate category from personal data that includes data on race, ethnicity, religious beliefs, political convictions, health, sexuality, genetics and biometrics. The restrictions for processing sensitive data in the LGPD are stricter than in the GDPR.
Unlike the GDPR, the LGPD does not give any definitions or provisions about pseudonymized data, except in the context of research done by public health organizations. Where the GDPR is very specific in its requirements for the processing of personal data for marketing purposes, the LGPD does not specify at all.
In the GDPR, a so-called DPIA (Data Protection Impact Assessment) is instituted to evaluate the potential risks of data processing. It also requires processors to notify their respective data protection authorities if high risks associated with data processing are assessed.
The LGPD also institutes DPIAs but does not specify how these are to be used, nor does it lay out any requirements for notification of any supervisory authorities.
The LGPD makes it mandatory for companies to have a data protection officer (DPO), whereas this is only required in certain circumstances in the GDPR.
Time limitations for the notification of data breaches are sharply defined in the GDPR as 72 hours, whereas the LGPD loosely mandates that data breaches are to be reported to the authorities in “reasonable time”.
Compared with the GDPR, the LGPD is much less severe in the fines and penalties it can impose for violations and non-compliance.
Maximum fines for non-compliance in the GDPR are set at €20 million or 4% of a company’s annual global turnover. The LGPD sets its maximum fines at 50 million Brazilian reais (around €11 million) or 2% of a company’s annual turnover in Brazil per violation.
The LGPD treats the international transfer of personal data in much the same way as the GDPR, by assessing whether the foreign country has an adequate level of data protection laws in place. Transfers can also be based on the prior, specific and express consent of the data subject.
However, the LGPD (unlike GDPR) does not rule on data being transmitted through Brazil without further processing.
With Brazil's new data protection law Lei Geral de Proteção de Dados Pessoais (LGPDP), the country is getting a whole new legal framework for data protection that spans beyond sectoral reach, includes all data processing and collection within the nation’s territory, and might very well reach an adequacy decision with the EU, since the LGPD is closely modelled after its European sibling, the GDPR.
Cookiebot will, come enforcement date, enable compliance with the LGPD.
But you don’t have to wait – try our technology for free today.