Brazil’s Data Protection Law: A Brief Overview
Although Brazil has had for many years some sparse and sector driven data privacy standards (mostly addressed to banking, health and consumer-based businesses), it still lacked a comprehensive and generally applicable framework governing the handling of personal data. On August 14th, 2018, however, Law 13.709/18 (the Brazilian Data Protection Law, or “LGPD”) was enacted to regulate “the processing of personal data, including via digital means, by individuals or legal entities whether public or private”.
Originally, the LGPD provided for a 12-month grace period to come into effect; however, after two years of a tumultuous legislative turn of events which included the consequences of a globally scaled pandemic and legislators arguing that such initial timeframe would not allow companies enough time to adapt its systems and properly learn information treatment – one of the most controversial and difficult tasks brought by the new regulation – the LGPD finally came into force on September 18th, 2020. Nevertheless, in order to allow even more time for businesses in general and the overall public to adapt to such new reality brought by the LGPD, it has also been decided by the Brazilian Congress that the penalties set out in articles 52 to 54 of the Law will only be applied to violations occurred after August 1st, 20211.
Very much based on the European legislation (the General Data Protection Regulation, or “GDPR”), the LGPD regulates the processing of data related to identified or identifiable individuals only, but applies to processing activities carried out within or outside of Brazil, as long as (i) personal data has been collected within the Brazilian territory, (ii) the personal data is related to individuals located in Brazil, and/or (iii) such processing activity is aimed at offering goods and/or services in Brazil2.
On July 8th, 2019, Law 13.853/19 was enacted, creating the National Data Protection Authority (“ANPD”), the new government body responsible for interpreting the LGPD and regulating, monitoring and applying data privacy related sanctions. Autonomous from a technical and decision-making standpoint, the ANPD is also responsible for communicating data related criminal offenses to the competent authorities, and for requesting information from controllers or processors of personal data as it deems fit.
On January 28th, 2021, the internationally famous Data Privacy Day, the ANPD published its regulatory strategy for 2021-2023 and work plan for 2021-2022, which respectively (i) establishes the ANPD’s three main objectives in its initial years as a data protection regulator, and (ii) establishes the immediate priorities and areas of focus for the ANPD.
Important subjects such as rules concerning the ANPD’s enforcement and calculation of fines/penalties, notification of data breaches to the ANPD and data subjects, data protection impact assessments (DPIAs), the ANPD’s bylaws and the protection of personal data and privacy for small and medium-sized enterprises, startups, and individuals who process personal data for economic purposes are planned to be discussed already within this year of 2021.
In short, the ANPD’s strategic agenda for 2021-2023 presented three main goals:
- Promote the strengthening of the culture of personal data protection;
- Establish an effective regulatory environment for the protection of personal data; and
- Improve the ANPD’s ability to operate according to the LGPD rules.
In conclusion, it seems clear that the LGPD will greatly affect companies doing business in Brazil, and in view of today’s digital economy and the ever-expanding use of personal data, organizations in all sectors will likely have to adjust and adapt their data processing practices to Brazil’s LGPD at some point.
1In addition to the potential liability for indemnification, the LGPD establishes administrative penalties in the event of non-compliance that range from simple warnings to fines of up to 2% of the organization’s revenue in Brazil, limited to BRL$ 50 million per violation.
2There are certain data processing exceptions that are not subject to the LGPD, such as those carried out by individuals exclusively for private and non-economic purposes, those conducted only for academic or journalistic purposes, and/or those conducted by the authorities for criminal investigation or public security purposes.
Article provided by: Fábio Lacaz (ALV, Brazil)
Dr. Tobias Höllwarth (Managing Director INPLP)