July 23, 2019

Brazil’s New Data Protection Law: An Overview and Four Key Takeaways for U.S. Companies

2018 was a watershed year for data privacy regulation. While Europe’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA) garnered the most attention from the public and businesses worldwide, Brazil also passed a new privacy law that makes sweeping changes to its existing data protection regime and promises to impact many businesses operating there, even those without a physical presence in Brazil.

In August 2018, Brazil passed its first comprehensive data protection regulation, the Lei Geral de Proteção de Dados (General Data Protection Law, or LGPD). Like the GDPR, the LGPD imposes new rules regarding the collection, use, processing, and storage of personal data in electronic and physical form and will affect all industries and sectors of the Brazilian economy. Before the LGPD, the data protection regulatory framework in Brazil was sector-based and primarily regulated by the country’s Civil Rights Framework for the Internet (Internet Act) and Consumer Protection Code, among others. Shortly after passing the LGPD, Brazil provisionally created the Brazilian National Data Protection Authority to enforce the LGPD, and extended the compliance period to August 2020.

This article is intended to help businesses understand the LGPD and its effects by: (1) providing a general overview of the rights and obligations the LGPD creates and the scope of its application and extraterritoriality; (2) highlighting notable differences from the GDPR; and (3) presenting key takeaways for businesses in the United States that may be affected by this new regulation.

What Does the LGPD Regulate?

The LGPD regulates the collection and use of “personal data,” defined broadly as information relating to an identified or identifiable natural person, in both digital and non-digital form. Unlike many other privacy laws, this definition does not include examples of “personal data.” The LGPD further regulates “sensitive personal data,” which is defined as data relating to racial or ethnic origin, religious belief, political opinion, union membership, philosophical or political organization, health, sexual orientation, and genetic or biometric data.

There are notable exceptions to the law’s application to personal data, much like the GDPR. The LGPD generally does not apply to processing of anonymous data or personal data used for household, artistic, journalistic, academic, or national security purposes. The law also does not regulate business-to-business (B2B) information.

Whom Does the LGPD Affect?

Like the GDPR, the LGPD regulates controllers and processors of personal data. Controllers are the natural or legal entities who decide how and why to collect and process personal data. Processors are the entities who process the data according to the controller’s instructions.

Much like the GDPR and the CCPA, the LGPD applies across industry sectors and has extraterritorial application. There are two main aspects to its application. The LGPD applies to any individual or organization, private or public, regardless of residency:

  1. collecting or processing personal data in Brazil; or
  2. intending to offer or provide goods or services to individuals in Brazil.

Thus, a business collecting or processing personal data need not be headquartered, or even have a physical presence, in Brazil for the LGPD to apply. The consequences of non-compliance with the LGPD can be just as severe as non-compliance with the GDPR. Violations of the LGPD can result in fines of up to 2 percent of the company’s gross revenues derived from Brazil, or 50 million reais (approximately $13 million), per infraction.

How Does the LGPD Differ From the GDPR?

Although inspired by the GDPR, the LGPD and the GDPR differ in several notable ways. First, the LGPD includes more legal bases for processing personal data than the GDPR does, such as an additional basis related to the protection of credit. Second, with respect to the “legitimate interest” legal basis for processing, which is provided in both laws, the LGPD’s standard is satisfied where the processing of personal data can be shown to support and promote the controller’s activities after balancing those activities against the data subject’s privacy rights. Under the GDPR, the legitimate interests of the controller cannot override the fundamental rights and freedoms of the data subject. These differences arguably make the LGPD more flexible than the GDPR in terms of justifying the processing of personal data.

All organizations governed by the LGPD as controllers will also need to appoint a data protection officer, absent future clarifications from the Brazilian National Data Protection Authority. This differs from the GDPR, which only requires a data protection officer in certain circumstances. Data protection officers do not need to be natural persons, meaning companies can serve in that capacity, and it is unclear whether they need to reside in Brazil. The appointment of a data protection officer may be a new and unexpected expense for some companies, particularly those in the United States without a presence in Brazil or the EU. The LGPD, however, does not require the designation of a representative in Brazil in the same way the GDPR requires one for United States businesses offering goods and services in the EU.

It is also uncertain whether the LGPD will require data processing agreements between controllers and processors, as GDPR Article 28 requires. There is no functional equivalent of GDPR Article 28 in Brazil’s new law. Nevertheless, it is recommended to implement a data processing agreement so that the parties fully understand their respective responsibilities with respect to the collection, use, and protection of personal data, and their respective obligations if there is ever an incident involving personal data. This is particularly true under the LGPD, where liability is joint and several absent an agreement limiting a processor’s liability.

Additionally, when it comes to reporting data breaches to the data protection authority, the LGPD requires reporting within a “reasonable time.” This is considered less rigid than the GDPR’s 72-hour deadline.

Key Takeaways

There are four key takeaways for U.S.-based businesses evaluating whether, and to what extent, the LGPD affects their business.

  1. The LGPD, like the GDPR and the CCPA, applies extraterritorially, meaning it impacts businesses that do not necessarily have a physical presence in Brazil. The key questions in determining whether the LGPD applies to a U.S.-based business are: (1) whether any data collection or processing activities occur in Brazil; and (2) whether the business intends to offer or provide goods or services to individuals in Brazil. If a business satisfies either factor, then all of the LGPD’s provisions apply.
  2. The LGPD, again like the GDPR and the CCPA, does not apply to non-personal data, such as B2B data. A good first step for any business asking whether these data protection laws apply is to conduct a data-mapping analysis to understand the different types of data flowing into the business from inception through the end of the data’s life cycle. A proper data map requires input from the business’s data-driven departments, such as marketing and human resources.
  3. It is important to remember that the LGPD, like the GDPR and the CCPA, is technology-blind and does not hinge on whether personal data is in hard copy or digital form. These statutes are intended to apply for years to come, regardless of the changes in technology. This is already proving to be a challenge for industry-altering forms of technology, such as artificial intelligence and blockchain technologies. Businesses should keep this in mind when determining whether and to what extent these laws apply to their data collection and processing activities, and when determining whether to engage in new products and services.
  4. A business that has implemented measures to comply with the GDPR and the CCPA can use many of the same measures to comply with the LGPD. For example, the mechanisms through which a business responds to subject access requests (SARs) are largely the same. Moreover, while the LGPD does not specify that data processing agreements are required, entering into such agreements will aid in demonstrating compliance and protecting your business’s interests.

Questions?

Businesses have until August 2020 (in the event the provisional measure is ratified) to come into compliance with the LGPD. Many of the actions companies are taking to demonstrate compliance with the GDPR can also be used to demonstrate compliance with the LGPD.

©2011-2019 Carlton Fields, P.A.

About this Author

Steven Blickensderfer, Litigation Attorney, Carlton Fields Law Firm
Associate

Steven Blickensderfer handles a wide variety of civil litigation matters in federal and state court for clients across a number of industries. He is experienced in all phases of litigation, including case analysis and strategy, written and electronic discovery, depositions, expert witness preparation, motion practice, alternative dispute resolution, trials, and appeals. He has participated in a number of trials, including a two-week federal jury trial involving First Amendment issues that attracted national media attention, and has argued in several appellate courts,...

305.539.7340
Joseph Swanson Cybersecurity Privacy Attorney
Shareholder

Joe Swanson is a former federal prosecutor who advises clients on a variety of issues related to cybersecurity and privacy. He has investigated and responded to data breaches and similar cyber incidents, and he has defended clients in litigation stemming from those incidents. In addition, Joe advises on best practices for interacting with law enforcement, regulators, and other constituencies in the event of a cyber incident. Joe also assists clients with drafting incident response guides and related cyber policies and procedures, as well as complying with privacy laws and regulations, such as the EU General Data Protection Regulation.

In addition to Joe's privacy and cybersecurity practice, he represents companies and individuals in government and criminal investigations and conducts internal investigations. His experience in this area has encompassed a range of issues, including cybercrime, theft of government property, pharmaceutical marketing, health care, gambling, securities, public company accounting, and compliance with professional standards of conduct. The internal investigations have been prompted by government enforcement proceedings, as well as company-initiated investigations based on suspected wrongdoing by employees, competitors, and other third parties. Joe has experience referring the findings of those investigations to federal prosecutors.

Joe also defends companies, executives, and directors in shareholder litigation and high-stakes commercial litigation in federal and state court. These matters have included securities claims, trade secret disputes, and claims for breach of fiduciary duty.

Before joining the firm, Joe served as an Assistant U.S. Attorney in the Criminal Division of the U.S. Attorney’s Office for the Middle District of Florida. This experience provides the foundation for his practice. As an AUSA, Joe investigated and prosecuted a broad range of offenses, including computer/privacy crimes, obstruction of justice, tax fraud, mortgage fraud, and money laundering. He tried seven cases to verdict and handled hundreds of hearings and other proceedings on behalf of the government. He also served as the Computer Hacking and Intellectual Property (CHIP) Coordinator in Tampa, where he advised other prosecutors on investigative techniques involving internet and email providers, computers, websites, and other electronic evidence.

In 2017-18, Joe was appointed by the U.S. District Court for the Middle District of Florida to chair three merit selection panels that recommended appointments for federal magistrate positions. He co-leads the firm’s cybersecurity and privacy practice.

813.229.4335
Arnaldo C. Rego Jr. corporate lawyer Carlton Fields
Associate

Arnaldo Rego Jr. has extensive experience in cross-border debt and equity capital markets transactions; mergers and acquisitions; private equity financing and investment; corporate, joint venture, and partnership structuring; and financial technology, including blockchain and cryptocurrency. He handles a variety of domestic and international transactions, including advising U.S. clients in acquisitions abroad and foreign clients in acquisitions and transactions in the United States. Arnaldo also advises start-up, early stage, and well-established technology companies in...

305.539.7268