October 26, 2020

Volume X, Number 300

Advertisement

October 26, 2020

Subscribe to Latest Legal News and Analysis

October 23, 2020

Subscribe to Latest Legal News and Analysis

Brazil's LGPD Takes Effect - With Early Enforcement

Brazil represents over half of all IT spend in Latin America, has the largest regional market for software outsourcing, employs a sizable IT workforce, manufactures consumer goods (including commercial airplanes and cars) and has an active consumer market of social media operated by global data aggregators. At a time when data privacy is becoming increasingly important to consumers, it seems only fitting that Brazil would adopt comprehensive privacy legislation to protect data privacy rights.

The General Data Protection Law, the first law of its kind in Brazil, is now in effect, and we are already seeing enforcement. Streamlining the legal framework on data protection, the law sets forth a number of requirements addressing legal bases for processing, individual rights, governance and accountability and data transfers. Here’s what you need to know.

IN DEPTH


WHAT IS LGPD?

The General Data Protection Law (LGPD) is Brazil’s first comprehensive data protection law and is designed to enhance the privacy and protection of personal data of individuals in Brazil. The LGPD heavily resembles the EU General Data Protection Regulation (GDPR).

When did the LGPD take effect?

After a long period of uncertainty regarding LGPD’s implementation, the Federal Senate of Brazil issued an amendment which accelerated the LGPD’s effective date, setting an immediate effective date upon enactment of the amendment on August 27, 2020. On September 17, 2020, the Brazilian president approved the bill, resulting in the LGPD taking effect on September 18, 2020.

While the LGPD’s implementing regulations have yet to be released, and administrative enforcement has been delayed until August 2021, the Constitution of the Federative Republic of Brazil grants a private right of action to all citizens and a public right of action to Brazil’s “Ministério Público” or “MP” (Brazil Public Prosecutors’ Office). Private lawsuits and public prosecutor actions based on the LGPD’s main provisions may be possible now that the law has taken effect. Please review our summary of enforcement below for an overview of the potential penalties for violating the LGPD and the recent public civil action filed just three days after the LGPD took effect. 

To whom does the LGPD apply?

Similar to the General Data Protection Regulation (GDPR) in the European Union and European Economic Area, the LGPD has extraterritorial reach. The law generally applies to any organization that processes personal data of individuals in Brazil regardless of where the organization is located, and irrespective of where the data is stored or otherwise processed, if: (i) the processing is carried out or collected in Brazil; (ii) the purpose of the processing is to offer or provide goods or services to individuals in Brazil; or (iii) the purpose of the processing is to process personal data of individuals in Brazil.

What did the LGPD change?

Before the LGPD, Brazil’s data protection legal framework was a patchwork of laws, consisting of a federal constitutional right to privacy and several different sectoral laws and regulations. The LGPD streamlines the legal framework by replacing certain regulations and supplementing others, and sets forth a number of requirements addressing legal bases for processing, individual rights, governance and accountability and data transfers. The most significant requirements of the LGPD include the following:

Legal Bases for Processing

Under the LGPD, organizations must have a legal base to process personal data. They may do so:

  • With the data subject’s consent;

  • To comply with a legal or regulatory obligation;

  • By the public administration, for the processing and shared use of data when necessary for the execution of public policies;

  • To carry out studies by research entities;

  • Where necessary for the execution of a contract with the data subject;

  • For the regular exercise of rights in judicial, administrative or arbitration procedures;

  • For the protection of life or physical safety of the data subject or a third party;

  • To protect health, in a procedure carried out by a health professional or health entity;

  • When necessary to fulfill the legitimate interests of the organization or a third party, except when the data subject’s fundamental rights and liberties outweigh the organization’s interest; or

  • To protect an individual’s credit.

Individual Rights

Data subjects in Brazil have a number of rights over their personal data, including the rights to:

  • Confirm the existence of processing, including whether the organization holds particular data

  • Access the data subject’s personal data

  • Access information about entities with whom the organization has shared the data subject’s personal data

  • Correct incomplete, inaccurate or out-of-date personal data

  • Anonymize, block or delete unnecessary or excessive personal data or personal data processed out of compliance with the LGPD

  • Port or transfer their personal data to another service or product provider

  • Delete personal data processed on the basis of consent

  • Request information about the possibility of denying consent and the consequences of such denial and the right to revoke consent.

Governance & Accountability

Generally speaking, organizations subject to the LGPD must take the following steps to meet their compliance obligations:

  • Appoint a data protection officer (controllers only)

  • Maintain records of processing activities

  • Implement and maintain privacy notices

  • Report security incidents to the National Data Protection Authority (ANPD) and to data subjects within a “reasonable” time period, if the security incident may create risk or relevant damage to the data subjects

  • Perform data protection impact assessments

  • Develop products and services using the principle of privacy-by-design

  • Adopt security, technical and administrative measures to safeguard personal data from authorized access and accidental or unlawful destruction, loss, alteration, communication or any type of improper or unlawful processing.

Data Transfers

Organizations subject to LGPD may export data internationally if:

  • The data protection authority issues an adequacy finding for the recipient jurisdiction; or

  • The controller is able to guarantee compliance with the principles and rights of the data subject, in the form of:

    • Specific contractual clauses for a given transfer;

    • Standard contractual clauses;

    • Binding corporate rules;

    • Regularly issued stamps, certificates or codes of conduct; or

  • The organization has obtained the data subject’s specific and express consent, distinct for the transfer.

Enforcement

Violations of the LGPD may result in fines of up to 2% of the organization’s Brazilian revenue for the prior year, up to a total of 50 million reais (or approximately $9.3 million USD) per violation.

Merely three days after the LGPD took effect, the Ministério Público do Distrito Federal e dos Territórios’ (MPDFT) Special Data Protection and Artificial Intelligence Unit filed the first public civil action alleging that violations of the LGPD violate the right to privacy, privacy and image, which are guaranteed by the Constitution of the Federative Republic of Brazil. The MPDFT filed the lawsuit against a data services company that allegedly sold the personal data of 500,000 Brazilian individuals. The complaint also stated that potential buyers of data can purchase categories of personal data, such as data from hairdressers, brokers, dentists, doctors, nurses, psychologists and other professionals from specific states in Brazil. The MPDFT is seeking an urgent preliminary injunction to prohibit the company from disclosing (for sale or otherwise) personal data and to have the company’s website domain be frozen until the courts reach a final decision. This action may encourage other MPs to begin enforcing violations to protect individuals’ data privacy rights.

Next Steps

The LGPD still has a number of significant uncertainties, including when the ANPD’s director and members will be appointed and the timing and content of implementation regulations, which have yet to be issued. However, with the MPDFT filing the first public lawsuit less than one week after the LGPD took effect, it is critical that companies promptly assess their Brazilian operations and take the necessary steps to ensure LGPD compliance. We are monitoring the situation closely and will announce LGPD-related changes on a rolling basis, so check back here for updates.

© 2020 McDermott Will & EmeryNational Law Review, Volume X, Number 272
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement

About this Author

Laura E. Jehl Partner Global Privacy & Cybersecurity  Autonomous Vehicles  Compliance  Consumer Data & Digital Marketing  Cross-Border Data Protection  Data Breach Management  Data Licensing & Strategies  Employer Data Privacy  Health Information Privacy  Information Security & Risk Mitigation  Privacy Litigation & Governmental Investigations  FinTech and Blockchain  Technology & Commercial Transactions  Telecommunications Transactions  Energy  Food, Beverage & Agribusiness  Healthcare  Technology  Alcohol
Partner

Laura Jehl serves as global head of the Firm’s Privacy and Cybersecurity Practice. Focusing on the intersection of data, law and emerging technologies, Laura advises clients on a broad range of privacy and cybersecurity issues. She has extensive experience identifying and mitigating privacy and data protection issues arising out of the collection, use and storage of data as well as the design of new business models, products and technologies. With unique experience as a former senior in-house counsel and C-suite executive, she understands the business, legal and...

202-756-8930
Michael Silva International Tax Attorney McDermott Will & Emery Miami, FL
Partner

Michael Silva focuses his practice on international tax law, with an emphasis on US investment structures, cross-border transactions, tax treaty planning and US activities of foreign banks. He has significant experience forming investment funds and advising family offices.

 

Michael also advises Brazilian and Asian investors on investments in US real estate projects, and assists multinational corporations on establishing a business presence in the US.

Maintaining an active private client practice, Michael regularly advises families on trusts and private trusts companies and other techniques to transfer wealth and business assets. Michael advises foreign clients on the US income, estate and gift tax consequences of alternative inbound investment structures while utilizing income, estate and gift tax treaties to minimize tax and regulatory burdens. He coordinates the formation of foreign trusts, corporations and advises clients the US reporting requirements imposed on foreign trusts with US beneficiaries. Michael also assists international banks and trustees on dealing with US clients.

Michael represents financial institutions, insurers, broker-dealers, custodians, funds, fund advisers and managers, trust companies and other financial intermediaries in connection with the requisite protocols and procedures to validate compliance with FATCA requirements.

Michael is board-certified by the Florida Bar in Tax Law and in International Law, and is a Certified Public Accountant. Michael previously served as adjunct professor of Law in the University of Miami Law School Graduate Tax Program.

305-329-4494
Matthew Cin, McDermott Law Firm, Chicago, Cybersecurity Law Attorney
Associate

Matthew R. Cin focuses his practice in technology transactional and regulatory matters, with particular focus on software licensing and data privacy and security in the United States and internationally. He represents technology companies, cloud service providers, health care providers, health information technology vendors, retailers, financial institutions and consumer analysis providers with US and international privacy, security and security breach response issues, including navigating the Health Insurance Portability and Accountability Act of...

312-984-2099
Advertisement
Advertisement