The Brazilian general data protection law
January 2019 | EXPERT BRIEFING | DATA PRIVACY
Federal Law No. 13,709/18, the so-called General Law on the Protection of Personal Data (LGPD), was introduced on 14 August 2018 and will come into force in February 2020, after 18 months of vacatio legis, providing new rules for the use of personal data, by both the public and private sectors. Clearly inspired by the European Union’s (EU’s) General Data Protection Regulation (GDPR), the LGPD incorporates a number of very similar, and sometimes identical, concepts, definitions and responsibilities to those set forth by the GDPR, which came into force across the EU on 5 May 2018.
It is important to point out that Brazil already had more than 40 regulations that directly or indirectly dealt with privacy and personal data protection. However, the LGPD is replacing and complementing elements of this regulatory framework, which was sometimes combative, created legal uncertainty and made the country less competitive in today’s economic landscape, where personal data plays a key role.
The legal text of the LGPD is the result of a number of broad discussions and aims not only to guarantee individual rights, but also to foster economic, technological and innovative development through clear, transparent and comprehensive rules for the adequate use of personal data. By having a General Law, Brazil becomes one of around 100 countries with a dedicated legal framework to protect the privacy and use of data.
Nevertheless, the text approved by the National Congress received some vetoes from former Brazilian president, Michel Temer. The most relevant involved the creation of the National Data Protection Authority (ANPD), which was deemed to be unconstitutional due to a defect in the legislative initiative. In his speech at the sanctioning ceremony, Mr Temer said that the ANPD would be created by a provisional measure or proposed in a bill in the near future. The creation of this public authority is fundamental to the proper implementation of the LGPD, since several points depend on the decision or action of this body, and will bring greater security to companies and citizens.
In general, the LGPD will coexist with other norms that deal with the subject, in particular the Brazilian Civil Rights Framework for the Internet and the Consumer Defence Code. Therefore, the interaction and interpretation of the terms of the LGPD, with existing laws, is still uncertain and should be consolidated by jurisprudence over time.
This is one of the main differences between the Brazilian and European rules. The GDPR is a regulation, and therefore seeks to be more direct and objective in its terms, establishing specific rules for different situations, while the LGPD is a law, with more open and subjective clauses, allowing different interpretations on some points, which will be consolidated by the jurisprudence and regulated by the ANPD, once it has been created.
In terms of structure, both are similar, providing for grounds, principles, object and goals, material and territorial scope and definition of various terms.
Among its subjects, Brazilian law defines ‘sensitive personal data’ more comprehensively than the genetic, biometric and health data established in the GDPR. However, the main difference is the possibility to commercialise such data, which is forbidden in the European regulation and allowed by Brazilian law, as long as there is authorisation from the public authority.
Subordination to a single public authority is another difference between the two regulations. While Brazil awaits the law or a provisional measure from the executive branch for the creation of the ANPD, the GDPR allows supervision by one or more entities for each Member State of the EU, with a provision given to the European Commission.
Cryptography is another difference between Brazilian and European standards. The issue, which was already central in the case of limitations placed on WhatsApp in 2015 and 2016 in Brazil, was not covered by LGPD rules, unlike the GDPR.
Despite these occasional differences, in general terms, the standards are quite similar. The rules outlined by both apply on an extraterritorial basis. This means that not only will companies in Brazil be affected, but also companies outside the country that process the confidential information of Brazilian citizens. Any foreign company, regardless of location, that has at least one branch in Brazil and offers some type of service to the Brazilian market, will be subject to the new rules.
In both standards, the consent of the data subject is one of the central points, although it is not, especially under Brazilian law, the only basis for data processing.
In terms of fines, both the GDPR and the LGPD are very strict. The European standard provides for fines that amount to €20m, or 4 percent of a company’s total revenue, whichever is greater. Similarly, in Brazil, if companies do not comply with the law, they will be subject to a fine of 50m Brazilian reais, or 2 percent of sales or the company’s revenue.
When the GDPR came into effect, users were granted new rights and protections governing their own personal data. Now, Brazil has embraced this new wave of privacy and data protection, being one step closer to providing individuals with their rights, as well as establishing transparent rules for the proper use of personal data.
Like virtually any other law, the Brazilian LGPD has its disadvantages. However, in the long run, its introduction will be a positive change. From 2020 onward, Brazil will join the list of countries that offer an appropriate level of privacy protection, making the country a propitious and safe environment for new investments.
Ilan Goldberg is a senior partner and Joao Sa is a senior associate at Chalfin, Goldberg, Vainboim & Fichtner. Mr Goldberg can be contacted on +55 21 3970 7201 or by email: email@example.com. Mr Sa can be contacted on +55 21 3970 7200 or by email: firstname.lastname@example.org.
© Financier Worldwide