Brazil’s New Data Protection Law

By Vishal Sunak

Brazil makes up more than 40 percent of Latin America’s economy and accounts for over half of its IT spending. It is expected to become the fifth largest consumer market in the world by 2023, so it’s understandable that Brazil would want to adopt legislation to safeguard consumer data. The General Data Protection Regulation (GDPR) has aimed to do the same for the European Union. The California Consumer Privacy Act brought this focus down to a state level in the United States.

It took more than two years after passage for Brazil’s General Data Protection Law (LGPD) to reach its current form, yet some were still caught by surprise when it officially went into effect in September 2020. It sets regulations and creates a legal framework that addresses areas from data processing and transfers to individual rights, governance and accountability.

Like the GDPR, the LGPD extends beyond borders. It applies to any organization processing the data of individuals in Brazil, regardless of where the entity is located or where the data is stored. Whether you have a physical office in Brazil or just sell services or products in the market doesn’t matter; companies that handle personal data of anyone living in the country must comply.

Banking, finance, healthcare, software as a service, data security and social media are obviously subject to the LGPD because of the personal data they routinely handle. However, unlike similar regulations, the LGPD impacts businesses of all sizes. The following first steps should be taken by all:

• Determine liability by mapping personal data processing and that of any third parties to determine what is subject to the LGPD.
• Conduct an analysis to see where processes fall short of LGPD regulations.
• Overhaul and implement new data processing policies to meet compliance.
• Review and update third-party contracts to ensure they are compliant.

Although there are comparisons to the GDPR, you’ll need to keep several differences in mind when approaching the LGPD.

DATA PROTECTION OFFICER MUST BE APPOINTED

Both the LGPD and the GDPR require that a Data Protection Officer (DPO) be appointed and that contract information be publicly available. The DPO must act as the go-between for the companies they represent, the Data Protection Authority and the data subjects. The DPO must make sure that the company is following the law. While the GDPR states that the controller and the processors must each appoint a DPO, the LGPD only requires the controller to make the appointment. There are no exceptions. All controllers are subject to the regulations.

The legal bases for data processing in both the GDPR and the LGPD are similar. They include explicit consent, contractual performance, public task, vital interest, legal obligation and legitimate interest.

The LGPD differs from other data protection initiatives in some important ways. It adds health protections in procedures conducted by health professionals and entities. It makes specific reference to Brazilian Arbitration Law. It makes exceptions for research bodies and their studies, provided anonymization techniques are put in place whenever possible.

Protection of credit under the LGPD should be considered in light of other federal laws. For instance, the Positive Credit History Law requires express and prior consent for the collection of consumer payment data.

DATA BREACHES

The LGPD has distinct requirements regarding security breaches. For example, the report to users must include the technical and security measures taken to protect the data. The GDPR requires 72-hour notification while the LGPD requires a report within “a reasonable time period” (Brazil’s Data Protection National Authority is working on a definition of what is reasonable).

With respect to international data transfers, companies must have the express consent of the user and a guarantee by the controller that there are legal instruments in place to ensure an adequate level of protection.

Both the controller and processor can be held jointly and separately liable for a security breach or improper use of personal data. Data Protection Officers must become an integral part of processing. They should act as the go-between for the controller, users and data protection authority.

The LGPD broadly defines its personal data category as “related to an identified or identifiable natural person.” A deeper set of criteria is used for sensitive personal data. Anonymized data is exempt from the law unless it can be reversed. Public data is treated differently, and limited by the purpose that led to its disclosure.

How disruptive is the LGPD for a typical legal team? Very disruptive, and more so for smaller teams. Few legal groups can spare the personnel to go through contracts, and they certainly don’t want to miss any crucial details. They also must make sure that the language is compliant; and since the LGPD just came into effect, there are no standard examples to follow.

There will certainly be litigation in the future. But the more issues are brought to the surface, the better we’ll get at handling them. And with similar initiatives being considered across the globe, it’s clear that data protection regulation is only going to grow. If your company or your clients operate in various nations, or there is a desire to expand further, you don’t want to be starting from scratch. Your strategies for managing compliance and streamlining reviews will need to handle the digital and international growth ahead.

Vishal Sunak is CEO and founder of LinkSquares. He develops strategies aimed at assisting corporate legal and finance teams with review of their contracts. Prior to founding LinkSquares, he held positions in operations and product management at Backupify and InsightSquared.