In a surprising turn of events, the LGPD (Brazil’s new privacy law) went from an expected delayed implementation to being fully active. The twists and turns of the LGPD’s jolt to life make one’s head spin. It was originally scheduled to become active on August 16 of this year, but was then delayed until May 2021 due to Covid. The plan then shifted with a proposal to shorten the delay to December 31 of this year. But the legislature abruptly changed course and, through a procedural maneuver, dropped all delays, reverting to the law’s original effective date of August 16. So, to adapt something J.R.R. Tolkien might have said, we’ve journeyed to there . . . and there . . . and there, and back again . . .
Now, the switch has been flipped, and the LGPD has risen from the table. Instead of tracing the bizarre procedural maneuverings that got us to where we are, I want to provide some information about the LGPD that can help folks who are suddenly starting to contend with this new law.
• The LGPD stands for the name of the law in Portuguese – the Lei Geral de Proteção de Dados Pessoais.
• Regulatory sanctions for LGPD violations will not start until August 1, 2021.
• There is still no regulation to help implement the LGPD.
• Like the GDPR, the LGPD is extraterritorial in its scope. This means that it applies to organizations outside of Brazil that offer goods or services to people in Brazil and process the personal data of people in Brazil.
• The LGPD has 10 legal bases to process personal data. The GDPR has 6. Some of the legal bases included in the LGPD that aren’t in the GDPR include the protection of health by healthcare providers and the protection of credit.
• The LGPD has a similar set of data subject rights as the GDPR.
• Consent under the LGPD is similar to the GDPR – explicit consent is required. Inaction can’t be deemed to be consent as in many US privacy laws. Nor can there be sweeping or blanket consent as in many US privacy laws.
• For personal data (but not sensitive data), the consent requirement is waived for “data manifestly made public by the data subject.” The GDPR doesn’t have this waiver.
• The LGPD requires training, which is music to my ears!
• The LGPD has a data breach notification requirement to notify within a “reasonable time” after discovering the breach. The GDPR’s deadline is 72 hours after discovering the breach.
• The LGPD restricts the international transfer of personal data to countries that provide a level of protection adequate to the LGPD’s standards. This is similar to the GDPR’s requirement, but the LGPD is more relaxed, allowing the data controller to transfer the data if it can demonstrate compliance with the LGPD through contracts, binding rules, certificates, and codes of conduct.
• The LGPD has formidable sanctions. Fines can be up to 50 million reais (about US $12 million) or 2% of total revenue in Brazil. The GDPR’s fines can be higher – up to 4% of global turnover.
• Data subjects whose rights are violated can bring civil actions.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum events.
There will be a workshop on the LGPD at the upcoming event on October 21, 2020 with Aline Fachinetti, Marcel Leonardi, Thiago Luís Sombra.