Now that the Brazilian law on the use of personal information (Lei Geral de Proteção de Dados or LGPD) has entered into force on 18 September 2020, companies operating in Brazil are facing significant new and comprehensive privacy obligations. And while the administrative sanction provisions under the law do not go into effect until 1 August 2021, individuals can already claim losses and damages for LGPD violations, making timely compliance with the new law all the more critical. To help your organization stay ahead, we answer the most frequently asked questions regarding the LGPD and highlight key elements for your global privacy program.
The LGPD can apply in the following three cases: (i) when the actual data processing operation is carried out in Brazilian territory, (ii) if the processing operation has the goal of offering or providing goods or services to or of processing data of individuals located in Brazilian territory, or (iii) if the processing involves personal information collected in Brazilian territory. Unlike GDPR, the LGPD does not refer to a company’s establishment in order to apply. However, it seems that the location of the actual processing of personal information (prong 1) approximates the “establishment” criterion in that it likely includes companies located within Brazil. Prong 2 (offering goods and services) and prong 3 (data collected in Brazil), in turn, are expected to create extraterritorial application of the LGPD. However, in the absence of further guidance on how each of the LGPD prongs should apply, it remains unclear how far the scope of applicability of the LGPD will reach.
Individuals’ rights under LGPD are largely similar to those available under GDPR (i.e., access, correction, deletion, blocking, and portability), with a few differences.
For example, the LGPD provides for an explicit right to anonymization, which entails that individuals can request that organizations anonymize data about them where the data are unnecessary, excessive, or processed in violation of the law. GDPR does not have an explicit right to anonymization, although the circumstances under which the LGPD’s right can be invoked, as well as its effects, are very similar to GDPR’s “right to be forgotten.”
Another unique feature of the LGPD concerns access requests. Where many legal regimes generally provide that companies are required to respond to individuals requesting access to their personal information, the LGPD distinguishes the way a company can respond. A company can respond in a “regular” fashion to access requests, in which case it should provide the individual with a complete statement about his or her data, specifying the origin of the personal information, the non-existence of records, the criteria used for, and the purpose of, the processing activities (provided such information would not violate commercial and industrial secrecy). Responding in a regular fashion should be done within 15 days. However, a company may also respond in a “simplified” fashion, in which case a response is due immediately. It is anticipated that a simplified response requires less detail and less information, but the law is as yet not specific about the requirements. Guidance by the not yet established Brazilian data protection authority (DPA) will have to clarify any further distinctions between the two modes of responding.
Companies will also need to take note of the response period for replying generally to individuals’ rights requests. Under the LGPD, organizations will, in principle, be required to respond to all individuals’ rights requests immediately. Where this is not possible, the organization needs to inform the individual about the facts and legal reasons that prevent it from responding immediately. The only case where a response does not need to be provided immediately is, as indicated above, for a “regular” access request (which allows for a response period of up to 15 days).
Finally, LGPD rights requests are generally available regardless of the legal basis for the processing, and there are limited exceptions to responding to individuals’ requests. For instance, and unlike in GDPR, the LGPD places no restrictions on how often an individual can lodge an access request. It is also not yet clear whether organizations will be able to refuse to comply with a request that adversely affects the rights of other individuals. In addition, organizations are required to respond to requests free of charge, potentially even repetitive requests.
While the LGPD is certainly inspired by GDPR, there are important and notable differences between the two laws. For instance, the LGPD provides for more legal bases for processing personal information. In addition to legal bases that are comparable to those available under GDPR, the LGPD also permits the use of personal information for: (i) research; (ii) exercise of rights in legal, administrative, and arbitration proceedings; (iii) health protection; and (iv) credit protection. Also, the concept of legitimate interests as a legal basis appears to be broader under the LGPD, which expressly provides that legitimate interests cover processing of personal information for the “support” and “promotion” of the controller’s activities.
The LGPD also introduces additional obligations compared to GDPR. For instance, all companies that qualify as controllers must appoint a data protection officer (DPO), unlike GDPR, where companies (controllers and processors) are only required to appoint a DPO if they meet a certain threshold. For processors subject to the LGPD, on the other hand, a DPO is optional. Further, there are no specific requirements on the qualifications of the DPO, in contrast to GDPR, which requires DPOs to have certain professional qualifications to exercise the function.
Another important difference between GDPR and LGPD is liability. Under GDPR, controllers and processors are, in principle, liable for damages resulting from their own violations of GDPR. The LGPD, in contrast, provides that both controllers and their processors can be jointly liable for damages caused by the processor as a result of: (i) the processor’s violation of the LGPD or (ii) the processor’s failure to comply with the instructions of the controller. In addition, unlike GDPR, a data processing agreement is not mandatory under the LGPD. In other words, there are no formal requirements for companies that use service providers to process personal information on their behalf. Still, considering the joint liability regime, companies are well advised to memorialize the specifics of their engagement in a data processing agreement, in which the liabilities of the parties are further allocated. In addition, while there are no mandatory provisions to be agreed upon contractually, controllers under the LGPD are required to verify their processor’s compliance with the LGPD. Here, too, the controller-processor relationship will benefit from clear contractual provisions.
At this point in time, we have the law but no further guidance or interpretation. And while some provisions in the LGPD certainly give direction to their underlying principles, there are still many unresolved issues. Some of these won’t be resolved until the DPA is established and operational.
For example, the LGPD restricts cross-border transfers of personal information outside Brazil. And although the LGPD provides for transfer mechanisms, such as standard contractual clauses, binding corporate rules (BCRs), and adequacy decisions, none of these are available yet. It will be up to the DPA to adopt model standard contractual clauses, set requirements for accepting applications for binding corporate rules, and undertake adequacy decisions on foreign countries’ privacy laws that will allow organizations to carry out data transfers.
Another unresolved issue involves data breach notifications. The LGPD requires controllers to notify both the DPA and affected individuals about data breaches that could result in a relevant risk or damage, within a reasonable period of time. However, neither the risk threshold nor the notice period is defined in the LGPD and will therefore likely be determined by the DPA through guidance and/or enforcement.
The LGPD provides for fines of up to two percent (2%) of a company’s annual turnover in Brazil in the preceding fiscal year, with a maximum of 50 million Brazilian reais (approx. EUR 10 million or USD 13.2 million) per violation.
But it should be noted that the LGPD does not exclude the possibility of other fines. In fact, the LGPD’s fines do not replace administrative, civil, or criminal sanctions defined in sectoral laws, such as those provided by the Consumer Code (which includes fines that consumer protection authorities could apply directly in reference to LGPD violations). LGPD enforcement, therefore, may turn out differently than you would expect.