What to Expect from Brazil’s General Data Protection Law?
by Margareth Kang (L.L.M. 2019)
According to David Banisar’s 2018 Report[i], around 120 countries currently have data protection/privacy laws that protect personal data processed by both public and private parties, and nearly 40 countries have pending bills or initiatives on the subject. Although awareness in Latin America has been on the rise, Brazil, which has the largest economy, only adopted a general data protection law in 2018. Noting that, among the 12 countries in South America,[ii] five still have no general data protection regulation.[iii]
History and Background
The legislature began drafting the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais – LGPD) in 2010. On two occasions between 2010 and 2015, the Ministry of Justice made a draft version of the Data Protection law available for public comment and contribution. Comments received during this period were added to the most recent version.
Between 2010 and 2018, several additional Personal Data Protection Draft Bills emerged, such as: PL4060/2012, PL 5276/16, PLS 330/2013, PLC 53/2018[iv], and others. Over these eight years the draft bills movement was inconstant. This phenomenon has many factors, such as the Brazilian political and economic crises from 2015 to 2017 ones of the most importance, which made congress very busy with other topics, putting data protection on a secondary ground.
However, on May 25 2018, the two main bills were joined, bill PL 5276/2016 was appended to bill PL 4060/2012,. Later, on May 29, the appended version was approved in the House of Representatives, and was sent to the Senate, where the draft bill received a new number, PLC 53/2018. The Senate approved the bill on July 10, 2018, and it was sanctioned with some vetoes by President Michel Temer on August 14. The vetoes mostly dealt with the National Data Protection Authority – NDPA[v]. It was claimed that the authority should be created by the Executive branch. But, in December 27, 2018, President Temer issued an Executive Act (Medida Provisoria MP n. 869/18) created the NDPA and added a few additional changes to the law.
It is important to note that Brazil approved a General Data Protection regulation in three months, though it would ultimately take eight years to reach its final draft. Many factors contributed to the sudden progress around the issue, including the influence of the GDPR, Brazil’s interest in becoming an OECD member,[vi] and suspicions of Cambridge Analytica’s involvement in influencing Brazilian elections.[vii]
What are the main characteristics of LGPD?
The Lei Geral de Proteção de Dados (LGPD) is the Brazilian general data protection law. It applies to both the private and public sectors and was heavily influenced by the GDPR. It will come into effect in August 2020. While Brazil had some provisions and sectoral laws[viii] concerning personal data before the LGPD was approved, the variety of terms and definitions and lack of additional regulation made these provisions difficult to apply. The uniformity LGPD provides will facilitate compliance not only with this regulation, but with other rules, as well.
In this regard, some of the most important topics of the LGPD are:
- Definition of Personal data. Personal data is divided into three categories: (i) Personal data is any information relating to an identified or identifiable person[ix]; (ii) Sensitive personal data is information regarding race/ethnicity, religious belief, political opinion, union membership, religious/philosophical/political organization, health/sexual life, genetic/biometric data linked to a person.[x]; (iii) Anonymized data is the data that cannot be identified through reasonable technical means available at the time.[xi] Anonymized data are outside the scope this law.
- Extraterritorial application. Personal data processors, even those not physically present in Brazil, are subject to the Law if (i) the data is processed in national territory, (ii) the purpose is offering goods or services or provide information about individuals located in the national territory, or (iii) the personal data was collected in the national territory. [xii]
- Legal Bases. Brazil LGDP has 10 legal bases that allow data collection and processing, including consent (not limited to written),[xiii] compliance with legal or regulatory obligation, public policy implementation, collection for research purposes, for contract execution where the data subject is part, regular exercise of a right, protection of life, protection of health, legitimate interest, and credit protection.
- Children under 12. For children under 12 years old, special consent is necessary.
- Difference between Anonymized and Pseudo-Anonymized data. If anonymized data[xiv] cannot identify a person by reasonable technical means available at that time, pseudo- anonymized data cannot identify the data subject without the use of additional information maintained by the controller. This pseudo-anonymized data falls under LGDP purview and, according to article 13, can only be used in conducting public health research.
- Data Exclusion/Deletion. The personal data must be eliminated by the controller after the end of processing. However, data subject can also ask for the deletion in any moment, with some exceptions[xv].
- Subject rights. The law aims at giving the person control of their own data through rights such as: access, rectification, to not consent, anonymization, confirmation of processing, deletion of unnecessary or excessive data, data portability, information regarding data sharing with any third parties, revocation of the consent and automated decision review[xvi].
- International Data Transfer. Allowed when (i) the countries or international organizations provide adequate data protection, which will be evaluated by the DPA; (ii) the controller guarantees compliance with LGPD by contractual clauses, certificates, global corporate norms and code of conduct; (iii) necessary for international juridical cooperation; (iv) when necessary for public policy; (v) others.[xvii]
- National Data Protection Authority (NDPA). The NDPA is the body of the federal administration directly connected to the President of Brazil.[xviii] It is a regulatory body for both private and public data processors, and can act in matters such as providing technical rules and standards, evaluating best practices, asking for data protection impact assessment reports, supervising, and imposing sanctions.[xix] It is important to note that the DPA’s functions and powers were established by Executive Act (Medida Provisória 869/18),[xx] which requires Congressional approval to become law. The voting is scheduled to June 2019 and there is no guarantee that a separate body for DPA will we created. If Congress makes any alterations, it will require further presidential sanction.
- Request for Privacy by Design.[xxi]
- Fines. Fines can be up to 2% of the revenue of the company, group, or conglomerate in Brazil in the last fiscal year, excluding taxes, limited to R$50.000.000,00 (Reais) per infringement.[xxii]
The Brazilian General Data Protection Law (LGPD) will take effect in August 2020 and bring many changes to personal data processing in Brazil. Although it received much influence from the GDPR, it retains its own particularities, such as the legal bases for data processing, which broadens data processing possibilities.
Additionally, though there is disagreement about the scope of the NDPA’s authority, it is fair to say that this regulation will bring more clarity for all sectors. The LGPD establishes the concepts, principles, and legal bases for personal data processing and protection. It is therefore recommended that shape their services and business according to the new law.
[i] Banisar, David. National Comprehensive Data Protection/ Privacy Laws and Bills 2018. September 04, 2018. Available at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1951416
[ii] Although Argentine, Chile, Uruguay, Paraguay, Peru, Colombia and French Guiana have General Data Protection Laws, only Argentine and Uruguay have appropriate data protection standards for EU. (https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en)
[iii] Bolivia, Ecuador, Guiana and Venezuela have sectoral data protection laws. Suriname is the only country with any data protection law.
[iv] PLC 53/2018 is in fact a joint version of PL4060/12 with 5276/16.
[v] Brazil. Law n. 13.709/2018. Article 55 to 59.
[vi] Cruz, Bruna Souza. Por vaga na OCDE, governo quer criar órgão de proteção de dados. Uol Tecnologia. April, 13th 2018. Available at: https://noticias.uol.com.br/tecnologia/noticias/redacao/2018/04/13/por-vaga-na-ocde-governo-quer-criar-orgao-de-protecao-de-dados.htm
[vii] Padua. Luciano. Ministerio Publico investiga atuação da Cambridge Analytica no Brasil. Jota. March 21, 2018. Available at: https://www.jota.info/paywall?redirect_to=//www.jota.info/justica/ministerio-publico-investiga-atuacao-da-cambridge-analytica-no-brasil-21032018
[viii] Before the General Data Protection Law, Brazil already had other laws regarding data protection such as : Federal Constitution, (article 5, X), Internet Bill of Rights (Marco Civil da Internet) Consumers Law (Código de Defesa do Consumidor, Article 43), Financial Records Act (Lei de Cadastro Positivo), Public Information Access Law (Lei de Acesso a Informação), Criminal Law n. 12.737/2012 (Lei Carolina Dieckmann), other sectoral laws and municipal laws that bring provisions related to personal data.
[ix] Brazil. Law n. 13.709/2018. Article 5, I.
[x] Brazil. Law n. 13.709/2018. Article 5, II.
[xi] Brazil. Law n. 13.709/2018. Article 5, III.
[xii] Brazil. Law n. 13.709/2018. Article 3, 4.
[xiii] Brazil. Law n. 13.709/2018. Article 7.
[xiv] Brazil. Law n. 13709/2018. Article 13 § 4º.
[xv] Brazil. Law n. 13.709/2018. Article 16 and 18. The exceptions regarding subject rights on data deletion are established in article 15 and 18.
[xvi] Brazil. Law n. 13.709/2018. Article 18 and 20.
[xvii] Brazil. Law n. 13.709/2018. Article 5, XV, 33, 34.
[xviii] Brazil. Law n. 13.709/2018. Article 55-A.
[xix] Brazil. Law n. 13.709/2018. Article 31, 32, 46, 50.
[xx] Although Executive Decree (Medida Provisoria) has immediate applicability, it needs the approval of the Congress (within 60 days automatically extended for the same period if it was not voted in the Congress) to become a permanent law. For this reason, if the Congress rejects the dispositions about DPA or rejects the entire Executive Act, the Act will lose its efficacy.
[xxi] Brazil. Law n. 13.709/2018. Article 46, § 1º
[xxii] Brazil. Law n. 13.709/2018. Article 52.