Brazil’s General Data Protection Law LGPD

Brazil’s General Data Protection Law, or LGPD for short, is a comprehensive data privacy law that was passed to regulate the use of, and protect, the personal data and information of Brazilian citizens. Similar to other data privacy laws that have been passed around the world in recent years, such as the EU’s General Data Protection Regulation or GDPR and the California Privacy Rights Act or CCPA, the LGPD provides a specific definition for personal information under the law, as well as the legal bases on which such information can be collected, processed, and disclosed. However, the LGPD differs from other privacy laws in that it does not apply only to businesses of a certain size or financial threshold, as almost all Brazilian businesses must comply with the LGPD, with few exceptions.

What types of personal data are protected under the LGPD?

Under the LGPD, personal data is given a broad definition to mean any information related to an identifiable natural person. This definition is notable in that it does not solely include traditional forms of personal data such as first and last names or social security numbers, but online identifiers as well. As such, any form of data that is collected from a Brazilian citizen can be categorized as personal data under the definition of the LGPD. What’s more, the LGPD also contains specific provisions aimed at protecting forms of personal data that are subject to and susceptible to discriminatory practices.

To this end, the following forms of personal data are specifically protected in the context of the potential for discrimination:

What rules must Brazilian businesses follow when collecting and processing the personal data of Brazilian citizens?

Much like other data privacy laws around the world, the LGPD limits the collection, use, and disclosure of a consumer’s personal information to the specific purposes for which said information was obtained. Moreover, the law also states that businesses must obtain valid consent before collecting any form of personal data or information. This consent must be clear, and include the purpose for processing, the duration of said processing, the identity of the data controller who will handle this processing, any third parties or other entities who may access this information, outline the rights of the subject whose data has been processed, and give consumers the ability to deny consent.

Conversely, the LGPD does allow for data processing in limited scenarios in the absence of valid consent. For instance, data controllers are permitted to process the personal information of a Brazilian citizen without valid consent if said processing is necessary to the fulfillment of the legitimate needs of said controller. However, the rights of the data controller are not permitted to override the rights of Brazilian citizens under the LGPD. In instances where these rights may come into conflict, the rights of citizens will trump the rights of data controllers under the law.

To this point, the personal data of Brazilian citizens can be processed without their consent under the following circumstances:

Furthermore, the LGPD also mandates that businesses that process the personal data of Brazilian consumers must establish a data protection officer or DPO. However, this DPO does not necessarily have to be a natural person, as committees, companies, and other forms of internal groups within businesses can also serve as DPOs under the provisions of the LGPD. Moreover, businesses can also outsource the DPO position to a third party, such as a law firm or other specialized company.

What are the rights of Brazilian citizens under the LGPD?

Under the LGPD, Brazilian citizens can exercise the following rights with regard to the collection, processing, and disclosure of their personal information and data:

In conjunction with the creation of the LGPD, the Federal Government of Brazil also created the Autoridade Nacional de Proteção de Dados or ANPD to serve as the country’s authority on data protection. The ANPD will be responsible for enforcing the LGPD as a government policy, and while the authority of the ANPD will not come into effect until January 2022, penalties for violations of the LGPD can range from simple warnings to monetary penalties of up to 50 million Reais ($9 million U.S. dollars).

The LGPD is one of the many comprehensive data privacy laws to be passed around the world in the last decade. As the bounds of online communication and commerce continue to reach new heights, such legislation is only poised to increase in the upcoming years. In this way, what it means for a country to maintain the privacy of its citizens is sure to change with the advent of online identifiers, as the definition of personal information has grown and changed with the times. With legislation such as the LGPD, Brazilian citizens are one step closer to having their personal data and privacy protected at all times when engaging with business entities and organizations.
