Brazil’s Lei Geral de Proteção de Dados (LGPD) – what do UK and EU companies need to know?
04 February 2021
September 2020 saw the official arrival of the LGPD, Brazil’s first comprehensive data law, which consolidates existing legislation in order to regulate the use and processing of personal data.
In many ways, the LGPD mirrors its European cousin, the General Data Protection Regulation (GDPR), although in some significant ways it does not. On 28 January 2021, Alexander Milner-Smith and Benjamin Favaro from Lewis Silkin spoke with Vanessa Ribeiro, a Partner specialising in data and privacy from Lewis Silkin’s Brazilian data and privacy partner, Gusmão and Labrunie, to break down the key tenets of the LGPD and how they may affect UK and EU companies with connections to Brazil:
- Extraterritorial application: Like the GDPR, the LGPD enjoys extraterritorial application, applying to any natural person, or public or private entity who is processing personal data by any means (unless a limited exemption applies), if:
  - The data is collected or processed in Brazil; or
  - The processing is for the purposes of offering goods or services to data subjects in Brazil (this can apply to a UK or EU company without any establishments in Brazil).
- Scope: The LGPD adopts a broad definition of ‘personal data’, including information regarding an identified or identifiable natural person. Notably, although anonymised data falls outside the LGPD’s scope, anonymised data used to formulate behavioural profiles of a person can constitute personal data.
- Lawful bases: The LGPD expands on the GDPR by introducing four new lawful bases for processing data, namely: studies by a research body, the exercise of rights in legal, administrative or arbitration proceedings, health protection, and notably, credit protection.
- Consent: Similar to the GDPR, under the LGPD, we see a high threshold for what constitutes ‘valid’ consent. Both pieces of legislation position consent as just one of the ways in which data subjects can control their personal data. In practice, this likely means that consent will not be an appropriate lawful basis in many situations, such as in an employment context.
- Data Protection Officers (“DPOs”): DPOs must be appointed by all data controllers, regardless of the companies’ size or type, and irrespective of the volume of personal data that they collect. Data controllers will also need to publish the contact details for their appointed DPOs. The DPO does not need to be an employee of the company, nor be located within Brazil, so it appears that an existing UK or EU DPO could fulfil the role of the Brazilian DPO. However, given the potential for language issues and that over the next year enforcement of the LGPD may come from multiple authorities, appointing a local DPO may be more appropriate for most companies.
It is worth noting that whilst the GDPR requires non-EU organisations (who fall within the scope of the GDPR) to appoint an EU representative, there is currently no equivalent requirement under the LGPD to appoint a representative in Brazil.
- Records of data processing activities: These records must be maintained by all organisations, although the LGPD doesn’t specify which information needs to be recorded. UK and EU companies may choose to harmonise their Brazilian records of processing with their existing GDPR records of processing.
- Data breach notification: Whilst the GDPR imposes a strict 72-hour timeframe within which organisations must notify data protection authorities of data breaches, the equivalent provision in the LGPD requires that such notifications are made within a “reasonable” time, giving organisations more discretion. However, the core functions of a data incident response in Brazil are likely to be substantially the same as in the EU and UK, and companies might again choose to harmonise their procedures and standards through a global incident response protocol.
- Data subject rights: Though broadly similar to what we are familiar with under the GDPR, the LGPD introduces two significant new rules in relation to data subject rights:
  - In most cases, data controllers must respond immediately to data subject requests, and within 15 days in the case of data subject access requests; and
  - Data subject rights can be exercised before the data controller, consumer defence authorities, and/or the judiciary – this is significant, given that Brazil’s data protection authority will only apply penalties from August 2021 onwards, and so in the meantime data subjects may turn to the courts for effective remedy.
- Penalties: Violations are subject to penalties ranging from warnings to fines of up to 2% of the company’s or economic group’s gross revenue in Brazil in the previous year, limited to R$ 50 million per violation (approximately £6.9 million or €7.8 million). A key divergence from the GDPR is that penalties under the LGPD are calculated on Brazilian revenue only, not global revenue. These penalties will still be seen as significant for all but the largest, global organisations.
The LGPD also introduces other administrative penalties for infractions, including public disclosure of the violation after investigation, restriction or deletion of the affected personal data, and suspension or prohibition of data processing.
Key takeaways for UK and EU companies
Given the great deal of convergence between the LGPD and the GDPR, UK and EU companies may be able to leverage their GDPR efforts in many areas, efforts into which they will undoubtedly have poured much investment and time, and which they have been road-testing for a few years now.
However, companies should be mindful of the key nuances in the LGPD, and points of divergence from the familiar GDPR.
Data mapping will be an essential tool for businesses to understand what personal data they process and why, and to ensure they have a lawful basis (or bases) to rely on. Records of processing will be essential, and go hand in hand with the focus of both the GDPR and the LGPD on the accountability principle.
In light of the tightened time limit within which organisations need to respond to data subjects’ rights, companies should build data rights into their systems and seek to automate where possible, for instance to efficiently deal with data subject access requests and erasure requests. Your workforce should also be skilled up to ensure data subject rights requests are dealt with accurately and efficiently. As with the introduction of the GDPR in 2018, it is likely there will be a low level of awareness of data rights in Brazil. General awareness training will be vital to correct misconceptions about the law. More targeted training will also be appropriate to focus on core compliance areas such as responding to breaches, dealing with data subject rights requests, and the specific data issues that might be encountered by HR teams day-to-day.
Ultimately, the LGPD is a key new player on the data protection scene, and for UK and EU businesses with a presence or customers in Brazil, one to watch out for.