The European GDPR (General Data Protection Regulation) has set off a wave of privacy legislation worldwide. For instance, the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020, follows several guidelines similar to the GDPR.
Similarly, Brazil is following in the footsteps of those countries that take their users’ privacy seriously. The country has recently introduced its own General Data Protection Law, the Lei Geral de Proteção de Dados Pessoais (LGPD).
In this post, we will discuss how the LGPD aims to safeguard the privacy of Brazilian users. We will also elaborate on what type of data is protected under this law and which organisations must comply with it. Finally, we will explore how it differs from the GDPR.
What is the General Data Protection Law (LGPD)?
The LGPD, also known as the Brazilian GDPR, is a legal framework that governs the use and processing of the personal data of users in Brazil, no matter where the data processor is located. The National Congress of Brazil passed the law in August 2019, and it will come into effect on August 15, 2020.
As already mentioned, the LGPD is quite similar to the GDPR. It applies to any individual or public or private institution or organisation that collects and processes personal data in Brazil. The law also applies to organisations that provide their services to people within Brazilian territory.
When is the LGPD not applied?
Interestingly, there are a handful of situations in which the Brazilian version of the GDPR does not apply. These are:
- Data processed by a person for purely personal purposes
- Data processed primarily for artistic, journalistic, or academic purposes
- Data used for national defence, national security, public safety, or the investigation and punishment of crimes
What are data subject rights?
According to Article 18 of the law, data subjects are granted nine (9) rights over their personal data, including:
- Amendment or rectification
- Removal of unnecessary or excessive personal data, or of data that is not processed in accordance with the LGPD
- Deletion of personal data that is processed on the basis of consent
- Disclosure of the third parties and sub-processors with whom their personal data is shared
- Information about the consequences of refusing consent
- Revocation or cancellation of consent
The LGPD instructs processors and controllers to take all possible steps, both technical and administrative, to secure personal data against data breaches, data theft, alteration, unauthorised access, and accidental or unlawful destruction.
Significant differences between GDPR and LGPD
Although the GDPR (General Data Protection Regulation) and the LGPD (Lei Geral de Proteção de Dados Pessoais) have much in common, they do differ from each other to a certain extent.
The GDPR addresses the processing of marketing data in detail, whereas the LGPD does not specifically address electronic marketing. Likewise, the GDPR gives individuals an explicit right to stop the processing of their personal data.
The Brazilian version of the GDPR (LGPD), by contrast, treats this more as an implied authorisation. Companies in Brazil will therefore rely on the Consumer Protection Code, the law that regulates advertising in Brazil, when it comes to processing users’ personal data.
Compared with the GDPR, the LGPD offers a broad definition of personal data: any data that could relate to an identified or identifiable person. Under the LGPD, anonymous data can be protected as “personal data” when it is used for profiling purposes, yet it can also be regarded as exempt at the same time.
Like personal data, sensitive data is also defined under the LGPD. Sensitive data covers racial, religious, ethnic, and political information that can be associated with a natural person.
Under Article 13 of the LGPD, public health research entities may anonymise health data as and when required. Organisations are required to appoint a Data Protection Officer (DPO) to liaise with the data protection authority (DPA) and with data subjects.
Under the GDPR, however, a Data Protection Officer (DPO) is only required in certain situations. When a data breach occurs, the DPO has to notify the relevant authority within 72 hours. The LGPD does not bind organisations to a specific time frame for reporting data breach incidents to the relevant authorities.
What happens if an organisation does not comply with the LGPD?
If an organisation does not follow the LGPD regulations, it will face a fine of up to 2 per cent of its net profit from its operations within Brazilian territory. The penalty may reach 50 million Brazilian Real (approximately EUR 11,395,140 or USD 12,894,500) per offence.
Organisations operating in Brazil should abide by the LGPD and appoint a dedicated Data Protection Officer (DPO) when collecting and processing personal data.
The LGPD places great emphasis on data privacy. There is a strong likelihood that all countries will develop their own data privacy regulatory frameworks sooner or later. This is undoubtedly excellent news for privacy-conscious customers, who can now ask organisations how their personal data is processed.
Companies, whether multinational or local, will have to comply with the LGPD. Otherwise, they will face hefty fines if they are found guilty of non-compliance.
Usman Hayat, digital privacy & security advocate, VPNRanks