LGPD: a look at the state of Brazil's big privacy regulation law

Brazil's new unified data privacy regulation LGPD is set to cause quite a stir in the country and facilitate a lot of progress amongst local organisations. However, delays and amendments to the bill are causing uncertainty and may present severe ramifications to its success.

The introduction of the European Union's earth-shattering General Data Protection Regulation (GDPR) can certainly be recognised as a watershed moment for privacy, ethics, and business all around the world.

The GDPR has set a global standard for how organisations should be treating their use of personal data and countries around the world have taken heed of its important privacy-focused message by instilling their own regulatory practices. Its influence both within Europe and abroad has been an important development, as data becomes more and more valuable to businesses and citizens become more and more mindful of how it is being used.

While many countries have crafted their own sets of GDPR-inspired privacy laws and have already put them into practice, other countries have run into issues getting up to speed. Falling into the latter camp is Brazil, whose GDPR-modelled privacy law - known as Lei Geral de Proteção de Dados Pessoais (LGPD) - has suffered delays and amendments since being passed in August 2018.

There is no doubt that the LGPD is a sorely needed piece of regulation for Brazil, as it is set to replace what is currently a patchwork of 40 different statutes governing the use of personal data by public and private entities. Conversely, LGPD is robust and unified in nature - offering a single set of laws that draw heavily from the principles set out in GDPR.

However, as Brazil, like most nations around the world, reels from the effects of the novel coronavirus, LGPD has taken a back seat and looks to be delayed until either January or May next year. This has sparked a debate in the country about the law's importance at this time, with some suggesting the focus should be elsewhere, while others say privacy laws have never been more important. We take a look at the structure of the LGPD, while also assessing the potential implications of delaying its implementation.


Overview of LGPD

The scope and structure of Brazil's LGPD regulation heavily reflect that of its European counterpart GDPR. The two sets of laws have a lot in common, with LGPD clearly inspired by GDPR in that it seeks to become a local equivalent. One obvious parallel between the two can be observed through the LGPD's nine rights for data subjects (i.e. rights of individuals/citizens). These rights include things like the right to access data, confirm the existence of processing, correct incomplete or inaccurate data, anonymise or block/delete unnecessary or excessive data, and consent-based rights.

These mirror the GDPR's eight fundamental rights, with any variations being mostly surface-level differences. For instance, the LGPD splits the GDPR's "right to be informed" into "right to be informed of the parties the controller has shared the data with" and the "right to be informed about the possibility of denying consent", although the specific implications of these two approaches remain basically identical. Similarly, the right of data portability has been split over two rights and is even slightly more extensive than it is in GDPR.

Like GDPR, LGPD also applies to any private or public entity that processes the personal data of Brazilian citizens, regardless of where that company is physically headquartered. This means that any international individual or organisation that has business dealings in Brazil, or that processes citizen data, will have to comply. Personal data, according to LGPD, means any data that by itself or combined with other data, could identify a natural person, painting a broader scope than even GDPR.

It also specifically defines 'sensitive personal data' as a subcategory of personal data which concerns "racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data." Allowances for processing this data are more limited than regular personal data, with requirements of "specific and distinct consent", for the "execution of public policies" by the public administration, or for "studies carried out by a research entity", with stipulations that this data is anonymised wherever possible.

In order to ensure these regulations are upheld, the LGPD stipulates the creation of a governing body called the Autoridade Nacional de Proteção de Dados or ANPD. While still yet to be created, the ANPD will be tasked with rulemaking and interpretive guidance on all data protection matters, investigation and enforcement of ANPD, and the education and promotion of data protection and privacy within Brazilian society.

Where structure is concerned, the ANPD is set to include a national council for the protection of personal data comprised of 23 representatives of multi-sectorial backgrounds. These include 11 from different sectors of the Brazilian government and 12 from private industry, academia, and civil society. The ANPD is therefore crucial to the LGPD, as it will be essentially tasked with enforcing it and promoting its values.

Essentially the core aspects of LGPD are very similar to GDPR and if organisations have already done the leg work to get up to speed with the EU's regulation then most of the work will already be done. Having said that, there are some key differences that organisations should be aware of.


Where LGPD differs from GDPR

One interesting difference between GDPR and LGPD (as the latter stands presently) is when it comes to appointing a data protection officer (DPO). While both sets of laws outline requirements for a DPO, the LGPD goes a little further in making it mandatory for all companies that process Brazilian personal data to have one, whereas this is only required in certain circumstances with GDPR. This is one of the few areas where LGPD is actually more stringent than GDPR and it is worth taking note of for applicable organisations. Having said that, DPOs under LGPD do not need to possess legal regulatory or technical training and can be from any field.

The LGPD and GDPR also vary to a degree when it comes to the legal basis for processing data. While, as with the rights of individuals, many of the differences are merely cosmetic in nature, one important difference here is that LGPD allows 'protection of credit' as a legal basis (referring to credit score). This is a significant departure from GDPR, which doesn't allow such processing at all.

There are also a few areas where LGPD is a bit more relaxed than GDPR, such as when it comes to Data Protection Impact Assessments (DPIAs). DPIAs in GDPR are thoroughly distinguished in regard to their purpose and use (used to evaluate potential risk of processing) and contain obligations for notifying data protection authorities in cases of high risk.

On the other hand, while LGPD stipulates the need for DPIAs, it doesn't specify how these are to be used and doesn't require notifications to authorities. Reporting requirements in general are also quite different, with the GDPR requiring data breach reports within 72 hours, while the LGPD doesn't give any firm deadlines, requiring reporting of security incidents "in a reasonable time period as defined by the national authority".

LGPD also differs from GDPR quite dramatically when it comes to fines, being far more lenient than its European counterpart. While GDPR demands maximum fines for severe violations of €20 million or 4% of annual global revenue (whichever is higher), LGPD fines are less severe by a significant margin. The maximum penalty violators are going to face under the Brazilian law is 2% of the entity's revenue in Brazil, up to a total of 50 million reals (which works out to be just under $8.5 million USD). While this means lower-level infractions could be similar to GDPR, the top penalties are unlikely to cause too many headaches to the more massive global institutions.


Delays, and implications

Despite its relative shortcomings, the LGPD is clearly a robust piece of legislation that will have a considerable impact on privacy in the region, while getting the country up to speed with many countries around the world. However, it hasn't been an easy path forward for the game-changing set of laws.

Initially passed in August 2018, the LGPD was supposed to come into effect in February 2020 (18 months after the bill was passed). However, it was delayed in a since-passed provisional measure, orchestrated by outgoing President Michel Temer to provide more time for the ANPD to be established. This set the new date to August 2020. However, since the spread of the novel coronavirus in Brazil, two new measures have been introduced impacting the start date of both the ANPD and the LGPD in general.

The first was outlined in the Regime Jurídico Emergencial e Transitório das Relações Jurídicas de Direito Privado or RJET bill (designed to provide emergency measures and transitionary rules amid the spread of the virus), which pushed the LGPD eligibility date back to January 2021, with enforcement-related provisions to be in place from August 2021.

The second measure that seeks to delay LGPD comes about through the Provisional Measure (MP) 959/2020, which looks to push the effective date back even further to 3 May 2021, and doesn't stipulate a separate date for enforcement to be enacted. All of this has created a fair bit of legal uncertainty around the introduction of the bill, with some pundits suggesting that the government should focus purely on RJET, which gives more of a grace period to organisations before they are sanctioned for violations.

Much of the reason for delay—other than the spread of the virus—is also down to the fact that the government has not yet created the ANPD, meaning that there is no authoritative body to enforce the law, or offer guidance and support to organisations in their compliance preparations. Extending the date of the law's applicability serves to harm this, as organisations will most likely put off preparations and will thus take longer to ensure compliance.

While the RJET offers a better grace period for organisations where this is concerned, even this was critiqued by the Brazilian Prosecutors Office, which suggested that enforcement-related provisions should be the only thing postponed, meaning organisations would continue working on compliance measures and the ANPD could still be established. Additionally, it's important to note that both RJET and MP 959 are only provisional measures and neither has yet been approved by the house of representatives. This in itself is causing debates of both bills to run over each other in the house.


Delays do not mean cancellations

The delays to the law have certainly drawn a mixed reception in political and legal circles as well as amongst the media and privacy advocates. Some have lamented that delays to the law create a lot of legal uncertainty and fuel a belief that the LGPD won't catch on, while letting Brazil fall behind when it comes to privacy of citizens' data. There are also perspectives, however, that the delays were a necessary evil, as organisations weren't close to being ready for LGPD implementation, with bills preceding COVID-19 calling for delays citing a lack of understanding amongst organisations of the rules.

Overall, it could be said that this sense of confusion is certainly more prevalent now, with multiple bills being debated in the house of representatives and a looming (as of now effective) LGPD applicability date of August 2020. This has been exacerbated by the fact that the ANPD has not been instituted by the country yet, which takes any sort of regulatory teeth out of the equation and paints a muddy picture of what organisations should do to get up to speed.

Noting this significant shortcoming, privacy think tank and consulting practice the Centre of Information Policy Leadership (CIPL) has issued a whitepaper calling for the establishment of the ANPD immediately, regardless of the applicability date of the LGPD, while providing advice on the extent of its role. The organisation argues that—given the ANPD's central role in the interpretation, application and enforcement of the LGPD—its creation needs to remain a priority, despite LGPD's cloudy applicability date. This is especially important as there is a whole lot of work that the authority needs to undertake before LGPD comes into force.

Where delays to the bills are concerned, though, the argument could cut both ways. On one hand, there is a whole lot for both public and private entities to be concerned with right now and the last place they want to be funnelling capital and resources is into compliance. Economic hardships must of course be considered here, as many businesses are ailing as is. However, on the other side of the coin, privacy advocates have argued that there has never been a more important time to have privacy measures in effect, as many of the core privacy values that we usually operate under are being subverted to ensure safety.

Whatever the outcome might be, it is clear — despite delays and changes to the LGPD — that it is still coming, and organisations that process data of Brazilian citizens should not slow down preparations, wherever possible.