Inspired by GDPR, here is how Brazil’s new data privacy law will work

What is Brazil's new data privacy law, and what do companies doing business in Brazil need to know about it?

IDGConnect_dataprotection_brazil_shutterstock_1771018556_1200x675
Shutterstock

When GDPR came into force in 2018, other jurisdictions took notice, keen to see how it would work in practice and if it could be replicated.

Last month, Brazil’s Lei Geral de Proteção de Dados, or LGPD, came into effect. The regulation establishes a framework for how data is collected, stored and shared and consolidates some 40 different rules under one roof.

The previous system lacked clear certainty, which hindered Brazil’s competitiveness. The LGPD aims to provide that certainty and the economic benefits that come with it.

Approved in 2018, the law takes more than a few cues from GDPR and provided companies and public authorities with two years to get their houses in order.

It introduces curbs on the collection and use of private data without consent as well as any discriminatory use of data.

LGPD affirms several rights for individuals, such as the right to access data held on them, to correct or delete data, and to revoke consent. The law also provides for data portability where a person can request to move data from one service provider to another.

While the law will create a clearer legal basis for companies to operate within, it also brings a raft of new responsibilities around compliance and the potential for fines, according to Gil Mildar, the Latin American director of new business at Zoomd, a marketing technology company.

“The new Brazilian law requires a strategic approach to the handling of personal data, which represents, on the other hand, a great opportunity for serious companies wanting to gain trust with consumers,” says Mildar.

“Organisations can leverage the new regulations for obtaining a competitive advantage in the use of such data, with the correct planning and the application of good privacy practices.”

Compliance and differences

Odia Kagan, a partner and chair of GDPR compliance and international privacy at law firm Fox Rothschild, says that companies that have implemented GDPR standards in their global operations are “a very good part of the way toward compliance” with LGPD.

The European regime has become a “benchmark” for other laws but that does not mean that it is simply a case of cutting and pasting.

There are six legal bases under GDPR that allow for the processing data. Many of these overlap with LGPD but the Brazilian law has 10 bases in totals that provide some more specific instructions. One key difference is that the law specifically stipulates the protection of credit score data.

Furthermore, there are deviations around how to handle data requests by individuals, which can also present challenges.

“LGPD doesn't have a requirement for authenticating requests by individuals but in order to comply with a request filed by an individual, you need to make sure that it's the right individual,” Kagan explains.

Without guidelines in this case, it largely leaves companies on their own to determine if the person making the data request is who they say they are.

Another key difference is in the time period for alerting authorities of a breach or incident. Under GDPR, companies must alert authorities within 72 hours. LGPD on the other hand is not as specific as that, merely suggesting a “reasonable time period”. This can leave things open to interpretation.

“Companies are dealing with a high level of uncertainty around the expected scope of work,” says Sergio Rotman, certified compliance officer and PM, Privacy & Risk at Collibra.

“In the case of LGPD, a large number of decisions will be strongly dependent on the Data Protection Authority (ANPD) which only recently was created and faces questions from various industries on how to best approach the details of compliance,” he says.

While the law gave companies and organisations a two-year window to prepare, Rotman says he is still expecting there to be some confusion and miscommunication ahead.

“That ‘reasonable time’ is surely something that is creating a gap for now. From my perspective, the most appropriate suggestion is to be closely aligned to what we learned from GDPR, where this reasonable time is set for 72 hours. It does not necessarily have to be the same case here, but it would be rather hours or days than months to report a data breach.”

Fines

The early days of any regulation will have teething problems but the hopes for any regulation is that it will eventually have teeth to bare.

When GDPR came into force, advocates championed its fine regime as a major deterrent to prevent mismanagement of data. Save for Google’s €50 million fine in France, there haven’t been as many bumper fines against big tech companies that many expected.

Similarly in Brazil, there is now a fine system that’s tougher than before but the potential sums aren’t as high as GDPR. Companies can be fined per violation up to 2% of their revenue with a ceiling of R$50 million, which is currently about €7.5 million. This is noticeably lower than €20 million or up to 4% of revenue that GDPR allows for.

LGPD will have an impact outside of Brazil’s borders too. Any company doing business in Brazil and dealing with data on Brazilians will have to take notice.

“It applies to companies irrespective of the country in which they are headquartered or located. It basically applies to companies where data is either collected or processed in Brazil,” says Kagan.

“If you're an e-commerce provider and you are providing services to people in Brazil, even though you are outside then it can apply to you.”

It remains early days for LGPD in determining whether it will have the transformative effect promised but according to Kagan it’s another firm step toward cohesive global standards on data protection.

GDPR has become a yardstick on which regulations in other jurisdictions are measured and implemented, she adds.

This can be seen from the passing and implementation of the California Consumer Privacy Act but also in the adequacy agreements struck between the EU and other jurisdictions.

In order to do business with the EU when it comes to data transfers, the EU requires an adequacy agreement, which effectively says a third country’s equivalent regulation is of a high standard. Such decisions have been made with Canada, New Zealand and Japan to name a few but in South America, only Argentina and Uruguay have adequacy decisions so far.

“LGPD is another testament to the fact that GDPR is a strong benchmark,” says Kagan. “If you use GDPR as your benchmark, while it's not identical and while there's work to be done locally, the core principles are shared, that means that if you have a GDPR basis for your privacy framework, that is a very large part of the way towards compliance.”