Brazil’s General Data Protection Law LGPD

Brazil’s General Data Protection Law or LGPD for short is a comprehensive data privacy law that was passed in order to protect the regulation and use of the personal data and information of Brazilian citizens. Similar to other data privacy laws that have been passed around the world in recent years, such as the EU’s General Data Protection Regulation or GDPR and the California Privacy Rights Act or CCPA, the LGPD provides a specific definition for personal information under the law, as well the legal basis for which such information can be collected, processed and, and disclosed. However, the LGPD differs from other privacy laws in that it does not apply to businesses of a certain size or financial threshold, as almost all Brazilian businesses must comply with the LGPG with few exceptions.

What types of personal data are protected under the LGPD?

Under the LGPD, personal data is given a broad definition to mean any information related to an identifiable natural person. This definition is notable in that it does not solely include traditional forms of personal data such as first and last names or social security numbers, but online identifiers as well. As such, any form of data that is collected from a Brazilian citizen can be categorized as personal data under the definition of the LGPD. What’s more, the LGPD also contains specific provisions aimed at protecting forms of personal data that are subject to and susceptible to discriminatory practices.

To this end, the following forms of personal data are specifically protected in the context of the potential for discrimination:

• Personal data related to racial or ethnic origin.
• Religious, philosophic, or trade union information.
• Political opinions or associations.
• Health or sex life data.
• Biometric or genetic data.

What rules must Brazilian businesses follow when collecting and processing the personal data of Brazilian citizens?

Much like other data privacy laws around the world, the LGPD limits the collection, use, and disclosure of a consumer’s personal information to the specific purposes for which said information was obtained. Moreover, the law also states that businesses must obtain valid consent before collecting any form of personal data or information. This consent must be clear, and include the purpose for processing, the duration of said processing, the identity of the data controller who will handle this processing, any third parties or other entities who may access this information, outline the rights of the subject whose data has been processed, and give consumers the ability to deny consent.

Conversely, the LGPD does allow for data processing in limited scenarios in the absence of valid consent. For instance, data controllers are permitted to process the personal information of a Brazilian citizen without valid consent if said processing is necessary to the fulfillment of the legitimate needs of said controller. However, the rights of the data controller are not permitted to override the rights of Brazilian citizens under the LGPD. In instances where these rights may come into conflict, the rights of citizens will trump the rights of data controllers under the law.

To this point, the personal data of Brazilian citizens can be processed without their consent under the following circumstances:

• To comply with a legal obligation
• To execute or fulfill a contract at the request of the data subject.
• For healthcare reasons or purposes.
• To protect the physical safety or life of a data subject.
• Instances in which personal data is collected in the context of a research entity, and such data is anonymized when possible.
• To exercise administrative or judicial rights.
• To protect the credit score of a Brazilian citizen.
• When the collection of data is necessary by the public administration for the execution of public policies, or based on certain contracts or agreements.

Furthermore, the LGPD also mandates that businesses that process the personal data of Brazilian consumers must establish a data protection officer or DPO. However, this DPO does not necessarily have to be a natural person, as committees, companies, and other forms of internal groups within businesses can also serve as DPOs under the provisions of the LGPD. Moreover, businesses can also outsource the DPO position to a third party, such as a law firm or other specialized company.

What are the rights of Brazilian citizens under the LGPD?

Under the LGPD, Brazilian citizens can exercise the following rights in regards to the collection, processing, and disclosure of their personal information and data:

• The right to confirm the existence of data processing.
• The right to access their personal data.
• The right to correct any incomplete, inaccurate, or out-of-date information.
• The right of anonymization, as well as the right to block or delete any unnecessary or excessive data, or data processed in non-compliance with the provisions of the LGPD.
• The right of portability of personal data to another service or product provider, by the means of an express request and the inclusion of commercial and industrial secrecy, pursuant to the regulation of the controlling agency.
• The right to delete their personal data that is processed with their consent, except in the situations outlined in article 16 of the LGPD.
• The right to know information about private and public entities with which a data controller has shared their personal data.
• The right to access information detailing their ability to deny consent, as well as the potential implications or consequences of such denial.
• The right to revoke their consent.

In accordance with the creation of the LGDP, the Federal Government of Brazil also created the Autoridade Nacional de Proteção de Dados or ANPD to serve as the country’s authority on data protection. The ANPD will be responsible for enforcing the LGPD as a government policy, and while the authority of the ANPD will not come into effect until January 2022, fines and violating related to the violation of the LGPD can range from simple warnings to monetary penalties of up to 50 million Reais ($9 million U.S. dollars).

The LGPD is one of the many comprehensive data privacy laws to be passed around the world in the last decade. As the bounds of online communication and commerce continue to reach new heights, such legislation is only poised to increase in the upcoming years. In this way, what it means for a country to maintain the privacy of its citizens is sure to change with the advent of online identifiers, as the definition of personal information has grown and changed with the times. With legislation such as the LGPD, Brazilian citizens are one step closer to having their personal data and privacy protected at all times when engaging with business entities and organizations.