What is LGPD – Brazil’s General Data Protection Law?

Like other data protection laws, the LGPD creates a legal framework for the governance of the collection and use of personal data. However, it is not merely a replica of the GDPR – differing in several significant ways.

Below we discuss the basics of the LGPD and the implications for businesses functioning in and outside of Brazil.

Previously, Brazil had more than 40 federal statutes governing personal data. The primary goal of the LGPD was to consolidate these various laws into a single overarching legal framework for data protection.

By doing so, Brazilian lawmakers aimed to improve Brazilian citizens’ control and rights over their personal data. But also, to simplify the complex web of former statutes, easing the regulatory environment for international and domestic businesses.

Those who are already GDPR compliant will also be compliant with the LGPD. There are key differences, however. The LGPD is organised around nine key rights, which collectively define personal data and create ten legal bases for the lawful processing of personal data.

The Nine Rights are described in Article 18 of the LGPD. It outlines Brazilian citizens’ rights to:

1. Confirm the existence of the processing of their data
2. Access their data
3. Correct incomplete, inaccurate, or out-of-date data
4. Anonymization, blocking, or deletion of unnecessary or excessive data or data processed in non-compliance with the provisions of the LGPD
5. Portability of data to another service provider or product provider – upon the request of the data subject
6. Delete their personal data
7. Be informed about the public and private entities with whom the data controller has shared personal data
8. Be informed about the possibility to deny consent and the consequences
9. Revoke consent

These rights are broadly similar to those described in the GDPR.

The GDPR is notable for its “extra-territorial effects,” which obligate compliance from all businesses globally that cater to EU citizens. There are similar effects in place in the LGPD.

In Article 3, the LGPD outlines the organizations to whom the LGPD applies:

For those familiar with the EU GDPR, there are some notable differences. Primarily, the LGPD covers not just Brazilian citizens’ personal data but all individuals located inside Brazilian territory.

Furthermore, like the GDPR, the LGPD has a territorial scope beyond the Brazilian borders. Any organisation offering the supply of goods or services to an individual located in Brazil must act in accordance with the LGPD.

Not everyone is regulated by the LGPD. The regulation does not apply if:

As discussed, under Article 7 of the LGPD, there are ten legal bases for lawful data processing:

1. With the consent of the data subject
2. For compliance with a legal or regulatory obligation by the data controller
3. By the public administration, for the processing and shared use of data necessary for the execution of public policies provided in laws or regulation, or based on contracts, agreement or similar instruments, subject to Chapter IV of the LGPD
4. For carrying out studies by research entities, ensuring, whenever possible, the anonymization of personal data
5. When necessary for the execution of a contract or preliminary procedures related to a contract of which the data subject is a party, at the request of the data subject
6. For the regular exercise of rights in judicial, administrative, or arbitration procedures, the last pursuant to the Brazilian Arbitration Law
7. For the protection of life or physical of the data subject or a third party
8. To protect the health, exclusively, in a procedure carried out by health professionals, health services, or sanitary authorities
9. When necessary to fulfil the legitimate interests of the controller or a third party, except when the data subject’s fundamental rights and liberties which requires personal data protection prevail
10. For the protection of credit

Rather than allowing the broad processing of personal data under the regulation, Brazilian authorities only permit the lawful processing of personal data in the above circumstances.

Failure to follow the letter of the LGPD can result in a maximum fine of up to 50 million reals (approximately €8 million) or 2% of an entity’s revenue in Brazil. That’s substantially lower than penalties under the GDPR which can reach €20 million or 4% of annual global revenue – whichever is highest.

With over 138 million internet users in Brazil, it is the fourth-largest internet market in the world. Therefore, compliance with the LGPD is often required of organizations with an international reach.

Thankfully, the Brazilian government shadowed the GDPR, meaning, for most organizations, the added work is minimal. Still, it is critical to be aware of the key differences between these landmark regulations. Otherwise, you may face significant fines on both sides of the Atlantic.