Brazil is working towards adopting a privacy framework similar to the General Data Protection Regulation (GDPR). The country is currently developing the National Data Protection Authority and the privacy law that shall govern the nation. Despite the many challenges of constructing a legal framework where very little existed, the country has been able to get a substantial amount of work done.
The privacy law is Brazil's Law 13.709, the General Data Protection Law or, in Portuguese, the Lei Geral de Proteção de Dados Pessoais (“LGPD”). It was sanctioned by the former president of Brazil, Michel Temer, in August of 2018. After refinement and review, the law is now in effect. Its main purpose is to regulate the treatment of personal data of all individuals in Brazil.
This law does not apply to data related to organisations, robots or algorithms; as per the first article of the LGPD, it is designed to maintain and protect the privacy of individuals, or natural persons.
In a similar vein to the GDPR, the law is expected to be upheld by all organisations and companies operating in the country. Any violation is expected to be deterred by a fine of up to 2% of their sales revenue, or about $50 million Brazilian Real (approximately £8.9 million).
According to many experts, the Lei Geral de Proteção de Dados (LGPD) was greatly inspired by, and borrows from, Europe’s General Data Protection Regulation (GDPR).
On August 26, 2020, the Brazilian Senate reversed the anticipated postponement of the LGPD, and it came into effect within 15 days. The government is also looking into the possibility of making the law retroactive, or implemented as of the 16th of August 2020. This means any companies that are liable to pay damages or be penalised under this law from the 16th of August shall be eligible to be tried in a court of law.
Data constraints and privacy concerns under LGPD
Similar to the GDPR, all data processing, such as the collection, classification, processing, storage, sharing, transfer and elimination of personal data, must adhere to the data privacy law defined by the state. The law states that there are three main roles in data processing, also borrowed from the GDPR. These are the controller, the operator, and the officer.
Both the GDPR and the LGPD are designed to apply to cross-border transactions. This requires companies which process and collect data of Brazilian data subjects to uphold the standards defined in the law, or they shall be subject to the fines prescribed by the law, whether or not they are incorporated in the country.
Main Subject Rights in the LGPD
The Data Subject rights are mentioned clearly in Article 18 of the LGPD:
- Must be entertained in a request;
- Access to data shall be given;
- Right to the correction of incomplete, inaccurate or outdated data;
- Adequate anonymization, blocking or elimination of data that is unnecessary, excessive or treated in discrepancy with the provisions of the law;
- Limitations on data portability and data recycling;
- Possibility of data erasure of personal data except in the cases provided for in Article 16 of the law;
- Right to information of any public and private entities regarding the use and purpose of data collection;
- Revocation of consent, pursuant to paragraph 5 of Article 8 of the law.
The data portability and right to information are comprehensive additions to the LGPD that are not as prominent in the GDPR.
The legislation has also clarified the basic definitions so that organisations can understand and implement them correctly. The law defines personal data as the name, address and identity number. It defines sensitive data as data such as origin, religion, health and political opinions. It also defines anonymous data as data without any type of identification. This shall help organisations with limited prior knowledge of the privacy protection framework.
The date is yet to be determined. Although it is a great win for the people of Brazil, there is still a lot of refinement that the law requires to be foolproof. If you would like to ensure that your organisation is compliant with LGPD then the consent management solutions offered by Seers will help you protect your organisation.