By Stan Sundel
A landmark data privacy law is soon set to take effect in Brazil. The law, titled Lei Geral de Proteção de Dados (or “LGPD”), was passed by Brazil’s legislature in 2018 and becomes enforceable starting this month. LGPD institutes a sweeping series of data protection rules — and there’s a good chance that your organization will be required to comply with these regulations.
Legal Precedents: From GDPR to LGPD
The LGPD is closely modeled on the European Union’s groundbreaking data privacy law, the General Data Protection Regulation (GDPR). As we’ve discussed in previous blog posts, GDPR was the most far-reaching revision to cybersecurity regulations in decades. GDPR, which went into effect in 2018, set stringent new standards for organizations that collect information from EU citizens.
Like GDPR, the LGPD is an extraterritorial regulation — that is, it applies beyond the borders of Brazil. Even organizations located outside Brazil must comply with the law if they collect personal data from Brazilian citizens.
The LGPD, like GDPR, grants a number of fundamental rights to data subjects. These include the right of individuals to access their personal data; the right to correct incomplete or inaccurate data; the right to anonymize or block unnecessary or excessive data; the right to information about third parties with which the controller has shared data; the right to delete personal data processed with the consent of the data subject; and the right to revoke consent.
Despite the significant similarities, the LGPD differs from GDPR in a few fundamental ways. First, and perhaps most significantly, is the set of circumstances that qualify as a lawful basis to process data. Unlike GDPR, the LGPD allows the protection of credit (i.e. an individual’s credit score) as a legal basis for processing data. Moreover, the two laws differ regarding the “legitimate interest” legal basis for processing. The LGPD’s standard is met when data processing can be shown to support and promote the controller’s activities, after taking into account the data subject’s privacy rights.
Under GDPR, however, the legitimate interests of the controller cannot supersede the rights of the data subject. Ultimately, this conceivably makes the LGPD more flexible than GDPR when it comes to justifying the processing of personal data.
Second, the LGPD and GDPR differ with regard to the appointment of a data protection officer (DPO) — the individual within an organization responsible for ensuring compliance with data privacy regulations. Under the LGPD, all organizations will need to appoint a DPO. GDPR, however, only requires organizations to appoint a DPO if they carry out certain types of processing activities. Additionally, the LGPD does not mandate that organizations appoint a DPO located in Brazil in the same way GDPR requires one for United States businesses operating in the European Union.
Third, the two regulations have different breach notification requirements. Both the LGPD and GDPR mandate that organizations report data breaches to the local data protection authority. GDPR, however, specifies a firm reporting deadline: organizations must report a data breach within 72 hours of its discovery. The LGPD, on the other hand, does not provide a specific reporting deadline.
The Consequences for Non-Compliance
When it comes to the consequences for noncompliance with the LGPD, there’s good news and bad news. The good news is that organizations can use many of the same measures they already have in place to comply with other data privacy regulations (e.g. GDPR, CCPA, etc.) to comply with the LGPD. For example, if your organization already appointed a DPO to comply with GDPR, that DPO can cover many of the same functions mandated under the LGPD.
The bad news is that the cost of noncompliance with the LGPD is significant — albeit not quite as punitive as under GDPR. The maximum fine for a violation of the LGPD is “2% of a private legal entity’s, group’s, or conglomerate’s revenue in Brazil, for the prior fiscal year, excluding taxes, up to a total maximum of 50 million reals” (roughly $9 million USD). That amount is not going to bust the bottom line of a Fortune 500 company, but it could cause substantial damage to a small or medium-sized business.
It is too early to tell how aggressively Brazilian regulators will enforce the LGPD. However, if the implementation of GDPR is any guide, LGPD enforcement is likely to be both frequent and severe. In just over two years since the law went into effect, GDPR regulators have already issued dozens of fines and notices, with some even climbing into nine-figure territory — a $230 million fine against British Airways and a $123 million fine against Marriott (both businesses are in the process of appealing the penalties). And GDPR regulators show no signs of slowing down anytime soon.
Want to learn more?
If your organization needs help with LGPD compliance planning, or with navigating other data privacy laws and regulations, contact us. Let’s discuss how we can help reduce your business’s legal and regulatory risks today.