Brazilian General Data Protection Law – Overview and Implications

LGPD (Lei Geral de Proteção de Dados), or the Brazilian General Data Protection Law, was passed in the August of 2018. After CCPA in the US and GDPR in the Europe, LGPD is the latest data protection regulation that is about to be enacted amidst increasing privacy woes around the world in general.

Existing Legal Frameworks for Privacy in Brazil

Brazil is not a stranger to privacy and data protection laws. In fact, the country has over 40 laws that deal with privacy protection at the federal level. However, none of these legal norms are applicable on a national scale but are rather designed for specific industries.

Thus, there is no single all-encompassing regulatory framework to govern data protection practices in Brazil. The LGPD aims to iron out the conflict that arises naturally due to the multiplicity of many laws relating to data protection in the state by replacing these laws with a single enforceable legal framework. The introduction of this law will result in better uniformity across industries by holding all businesses accountable to the same standards.

Key Characteristics and Definitions of LGPD

The law has seven articles (Articles 17-22) that specify the rights of the data holder (i.e. a person to whom the data belongs). In total, the law gives nine rights that pertain to an individual’s privacy and data protection. Here are some key highlights about LGPD:

  • General principles: The main principles that all private and public entities must take into account when processing personal data are purpose, adequacy, free access, data quality, security, prevention of damage, accountability, transparency, need limitation, and non-discrimination.
  • Scope: The LGPD will apply to all both public and private sectors of the economy and holds all businesses, whether big or small, to the same standards and regulations. This might be deemed unfair to smaller businesses.
  • Jurisdiction: Similar to GDPR, the LGPD has global applicability. This means that companies located all over the world will need to comply with LGPD if they are processing data of an individual located in Brazil regardless of nationality.
  • Definition of personal data: In LGPD, personal data is very broadly defined and refers to “information related to an identified or identifiable natural person”.
  • Definition of sensitive personal data: The law differentiates between personal data and sensitive personal data. Details such as race, ethnicity, religion and political affiliation, health and biometric data etc. are all included in the definition of sensitive personal data.
  • Definition of anonymized data: Data that cannot be identified and traced back to any individual with the use of “reasonable” technological means. Factors such as cost and time required to de-anonymize the information must be taken into account to determine what is reasonable.
  • Rights of data subjects: Broadly speaking, LGPD gives the following rights to subjects: confirmation of data processing treatment, access to data, correction of data, anonymization, consent, deletion of personal data (with some exceptions), information about use of data and entities data is shared with, and portability.
  • Breach notifications: LGPD makes it mandatory for companies to notify relevant data protection authorities in the event of a data breach.
  • Sanctions: Organizations found violating the LGPD can be found up to 2% of their annual turnover if these companies are established within Brazil. On a per violation basis, companies can be fined up to 50 million Brazilian Real.

The Brazilian Online Privacy Landscape

The LGPD is coming into force at a time when concerns about online privacy and the level of awareness of the public are at an all-time high in Brazil. Kaspersky’s survey on data privacy reports that 74% of Brazilian users that were surveyed mentioned trying to take down personal data from social media and other websites for privacy reasons.

In the same survey, 35% of the Brazilian users also revealed that they take extra measures to prevent websites from accessing their data without consent. It is unclear what the measures are, but these statistics clearly point towards a trend of growing privacy awareness among the public, highlighting the need for a much-needed law that may prompt improved data governance policies as relates the processing of sensitive information of the Brazilian public.

Implications

While the LGPD will certainly create a more transparent environment that holds companies accountable for their customer data processing procedures, serious questions about the fairness of the law remain. For instance, the governing body of LGPD, the National Data Protection Authority, is linked to the Brazilian government.

Without an independent body overseeing enforcement of the law, political conflicts of interests are likely to emerge, leading to an unfair application of LGPD. European governments have shown the same ineptitude in enforcing GDPR, which, two years after its enactment, is hardly living up to its promise of protecting user privacy. As such, fears about the efficacy of LGDP are unfortunately well-grounded.

Because the modern laymen is much more informed and aware about online privacy, governments that fail to impose data regulation frameworks equitably risk alienating the public. This is why it is imperative that adequate measures are taken to ensure fair enforcement of the LGPD, lest it should become another piece of legislation of no practical consequence for the general public.


Osama Tahir is a Cybersecurity Analyst at VPNRanks who writes about online privacy, science, and the sociological impact of technology. He staunchly believes in the importance of skeptical inquiry and research, which are all too often neglected in this era of hasty opinion-making.


What’s Hot on Infosecurity Magazine?