Brazil's innovative approaches to data protection: the main differences between GDPR and LGPD.
In today's interconnected world, data protection has become a critical concern for individuals and businesses alike. Two prominent data protection regulations, the General Data Protection Regulation (GDPR) and the “Lei Geral de Proteção de Dados” (LGPD), have gained significant attention worldwide. While the GDPR is a comprehensive regulation implemented in the European Union (EU), the LGPD is Brazil's response to data privacy challenges within its jurisdiction.
The GDPR applies to all EU member states and organizations that process personal data of EU residents, regardless of their geographical location. Similarly, the LGPD applies to organizations that process personal data within Brazil or provide goods or services to individuals in Brazil, irrespective of their physical location. This wide-ranging applicability ensures that businesses operating in Brazil must comply with strict data protection requirements.
Exceptions to consent
Both the GDPR and LGPD emphasize the importance of obtaining individuals' consent for processing their personal data. However, the LGPD introduces an innovative aspect by providing a legal basis for exceptions to consent, specifically for credit protection purposes.
The Brazilian population is large and growing, and the economy is still developing. This means that there is a large demand for credit, but also a risk of over-indebtedness. To mitigate this risk, banks and other financial institutions need to be able to assess the creditworthiness of potential borrowers. This can be done by collecting and analyzing personal data, such as income, employment history, and credit history.
By processing personal data, banks and other financial institutions can make more informed decisions about who to lend to. This helps to protect consumers from over-indebtedness and also helps to reduce the cost of credit for everyone.
This provision allows organizations to process personal data without explicit consent when necessary for credit-related activities, providing businesses with a legal framework that enhances efficiency in financial operations and reduces administrative burden.
In Brazil, the Banco Central do Brasil (BACEN) is responsible for regulating the financial sector. On May 23rd of 2023, the BACEN issued Resolution 6, which provides additional guidance on how financial institutions should comply with the LGPD. The resolution also establishes requirements for the sharing of data and information on evidence of fraud to be observed by financial institutions, payment institutions, and other institutions authorized to operate by the Central Bank of Brazil.
The information that must be shared includes:
- Registration data for customers involved in the fraud;
- Data on suspicious transactions;
- Data on financial instruments used;
- Other data that may assist in the identification and prevention of fraud.
The resolution aims to strengthen the security of the Brazilian financial system, combating fraud and other financial crimes. To do this, it establishes that institutions authorized to operate by the Central Bank of Brazil must share information on evidence of fraud with each other, as well as with the Central Bank itself.
Although the GDPR acknowledges the need for special protection for children's personal data, the LGPD goes a step further by recognizing the data of elderly individuals as high risk. This classification highlights Brazil's commitment to protecting vulnerable groups and establishes stricter safeguards for the personal data of elderly people. Businesses must take additional precautions when processing data belonging to this group, ensuring heightened security measures and privacy considerations. This has an impact on the risk analysis and valuation of a company that handles large amounts of elderly data.
The Resolution 2/2002 of ANPD of Elderly People (Resolution 2/2002 of the Brazilian National Data Protection Authority on Elderly People) further strengthens the protection of elderly people's personal data under the LGPD. The resolution defines elderly people as individuals aged 60 years or older and recognizes that they are a vulnerable group that is particularly susceptible to abuse and fraud. As a result, the resolution imposes additional requirements on organizations that process the personal data of elderly people.
The GDPR and LGPD are comprehensive data protection regulations that play a pivotal role in shaping the digital landscape. Brazil's LGPD introduces innovative elements such as exceptions to consent for credit protection and the recognition of data belonging to elderly individuals as high risk. These provisions demonstrate Brazil's commitment to addressing unique challenges and vulnerabilities in data protection. While the LGPD imposes obligations on businesses, it also presents opportunities for organizations to build trust, enhance their cybersecurity practices, and differentiate themselves in the marketplace.
The differences between the GDPR and LGPD reflect the different realities and priorities of each country. In the case of Brazil, the concern with the efficiency of the financial sector and the protection of consumers from fraud and other financial crimes led to the recognition of the need for exceptions to consent for credit-related matters. In the case of the recognition of elderly data as high-risk, Brazil's concern with the protection of the elderly, who are particularly vulnerable to abuse and fraud, led to the establishment of a special protection regime for this data.
Article provided by INPLP members: Lorena Botelho and Patricia Peck (Peck Advogados, Brazil)
Dr. Tobias Höllwarth (Managing Director INPLP)