May 28, 2023

Volume XIII, Number 148


Brazil’s Comprehensive Privacy Law Now in Effect

Following considerable legislative uncertainty, Brazil has now formally enacted the country’s first general data protection law, Lei Geral de Proteção de Dados, or “LGPD.” While administrative sanctions do not go into effect until August 1, 2021, individuals and public prosecutors can now bring claims for losses and damages. Indeed, at least one public civil action has already been filed. LGPD is the first comprehensive general data protection law in Latin America. It was modeled after the EU’s GDPR. While there are many similarities, LGPD does introduce new concepts. Below are some of the key elements to keep in mind.

  • When does LGPD apply? Like GDPR, LGPD has extraterritorial effect. A company does not need to be based in Brazil or otherwise have any physical presence for the law to apply. Generally, LGPD applies when an organization does any of the following: (i) processes personal data in Brazil; (ii) processes personal data that was collected in Brazil; or (iii) processes personal data to offer goods or services in Brazil.
  • Does LGPD provide rights to individuals? Yes. While many of the rights are similar to those in GDPR, LGPD also introduces additional rights. In addition to GDPR-like rights of access, deletion, and portability, LGPD also gives people a right to access information about those with whom an organization has shared the individual’s data. It also calls for individual access to information on whether an organization holds particular data.
  • What are the requirements for transferring data? Organizations may transfer personal data to other countries that provide an “adequate level of data protection.” Brazil has not yet identified which countries it considers as providing an adequate level of protection. All other transfers require a valid legal transfer mechanism. While there are several available transfer methods, the two main ways organizations can transfer data are: (1) with the specific and express consent of the individual, which must be prior and separated from the other purposes and requisitions of consent; and (2) through contractual instruments such as binding corporate rules and standard clauses, committing the organization to comply with the LGPD principles, individual rights, and the Brazilian data protection regime. No specific model clauses or language are available yet.
  • Are there other record keeping requirements? LGPD imposes record-of-processing requirements. There are also certain requirements for “impact reports.”
  • Do we have to appoint a Data Protection Officer? It depends. Companies that qualify as “controllers” are required to appoint a data protection officer. Unlike GDPR, there are no specific requirements for the qualifications of this individual.

Putting it Into Practice. Many questions remain open as to the interpretation and enforcement of this law. Brazil’s National Data Protection Authority (ANPD), the administrative agency tasked with enforcing administrative sanctions and issuing regulations under the LGPD, has not yet been established. In the meantime, organizations can begin reviewing their global privacy programs to assess any gaps in compliance. They may want to focus on, among other things, the differences between current rights processes and the rights anticipated under LGPD.

Copyright © 2023, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume X, Number 273

About this Author

Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also works on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...