What is the LGPD?
The LGPD is Brazil’s main data privacy law. Its full name is Lei Geral de Proteção de Dados Pessoais (General Law on the Protection of Personal Data).
Brazil’s legislature passed the law in August 2018, though it went through several delays and stages of implementation. Since August 2021 it has been fully enforced, with fines for failing to comply.
The primary goals of the LGPD are to establish and uphold data rights for individuals, most notably by restricting data processing using a “legal basis” system that only allows processing under specific conditions.
As well as the points covered below, the LGPD has several similarities with Europe’s GDPR, including the following:
- Businesses that handle personal data must appoint a dedicated data protection officer, responsible for compliance. Unlike with the GDPR, this requirement covers all businesses, not just those that handle data on a large scale or as a core activity.
- Businesses that suffer a “security incident” that creates a risk to data subjects must inform both the data subject and Brazil’s data protection authority, the ANPD. The ANPD could then order the business to make a public statement or take steps to mitigate the risks the breach caused.
- Transferring data outside of Brazil is only allowed where it’s a legal requirement, the data subject has given explicit consent, or the transfer is done under a legally binding agreement that guarantees the recipient will protect the data to LGPD standards.
What rights does the LGPD establish for data subjects?
The LGPD is based around nine rights for data subjects (the person the data is about).
Three of these rights are about information. Data subjects have the right to know:
- Whether or not you are processing their data.
- Who (if anyone) you have shared data with, including people processing it on your behalf.
- What happens if they refuse to consent to data processing.
Three of the rights are about the data subject's rights to data access and consent. Data subjects have the right to:
- Access the data you hold on them.
- Transfer the data to another processor.
- Withdraw consent for processing.
The remaining three rights focus on the data subject's right to remediation and deletion. Data subjects may request that you:
- Correct any data that is incorrect, incomplete, or outdated.
- Delete any data that you processed based on consent that the data subject has since withdrawn.
- Delete any data that is unnecessary, excessive, or not being lawfully processed.
What type of data is protected?
The LGPD covers personal data, which it defines as “information regarding an identified or identifiable natural person.” In Brazil, that means a human rather than a corporate body.
In principle, any processing of personal data is covered, though the law allows three key exemptions:
- Processing for purely personal purposes rather than for business purposes.
- Processing for government reasons such as national security, defense, or criminal investigation.
- Processing for academic, artistic, or journalistic reasons.
It doesn’t matter how you process the data (manually or automatically). Processing is defined extremely widely and effectively covers any collection, use, alteration, or transfer of data.
What are the consent management requirements of the LGPD?
The LGPD requires that every processing activity you carry out is covered by a legal basis, a system similar to that in Europe’s GDPR.
Several of these legal bases are mainly relevant to processors other than businesses, for example in judicial activity or for health work.
As with the GDPR, businesses can rely on the basis of carrying out a legal or contractual obligation, or on processing in pursuit of legitimate interests (which must clearly outweigh the data subject’s rights).
That leaves consent as the most common and reliable legal basis for a business to use. This must normally meet three main criteria:
- The consent is in writing. (This could include completing a form online or ticking a box to clearly indicate consent.)
- The consent covers data processing for a specified purpose. (You cannot simply get generic, blanket consent to cover all processing.)
- The consent can be withdrawn at any time. (You must stop processing immediately if this happens. The processing you did before the consent withdrawal remains lawful, though you must delete the relevant data if the person tells you to.)
The LGPD also makes clear that consent is a "free, informed and unambiguous" indication of the person's wishes, and that the burden is on the data processor to prove they have valid consent.
What is the scope and jurisdiction of the LGPD?
The LGPD applies broadly to any processing with a connection to Brazil. The physical or legal location of the processor (such as country of registration) does not matter. Instead, the LGPD applies in any of the following cases:
- The processing occurs in Brazil.
- The data was originally collected in Brazil.
- The data is about somebody who resides in Brazil (whatever their nationality).
- The processing happens in order to either offer or provide goods or services in Brazil.
The LGPD applies to any processing for business purposes. It doesn’t matter whether you (the processor) are an individual, business, or other legal body.
Does your organization need to comply?
If you handle any personal data that meets the wide geographic scope, you need to comply with the LGPD, including:
- appointing a data protection officer;
- keeping track of your data use; and
- making sure you can prove consent where you rely on it as a lawful basis.
The maximum fine for breaching the LGPD is whichever is lower:
- Two percent of your pre-tax revenue in Brazil in the previous financial year.
- 50 million reals (approximately US$9 million at the time of writing.)
Note that the ANPD has the legal right to order businesses to prepare an impact report that details the risks created by the ways they handle data and the measures they take to mitigate those risks. The report must also specifically address the risks and handling of sensitive data such as information about race, religion, health, or trade union membership.