On August 14, Brazilian President Michel Temer signed into law the new General Data Privacy Law (Lei Geral de Proteção de Dados Pessoais or “LGPD”) (English translation), making Brazil the latest country to implement comprehensive data privacy regulation.
The law’s key provisions closely mirror the European Union’s General Data Privacy Regulation (“GDPR”), including significant extraterritorial application and vast fines of up to two percent of the company’s previous year global revenue (the GDPR allows for up to four percent in certain aggravated circumstances).
Scope. The LGPD claims broad applicability, even outside of Brazil, in provisions that may be even more extensive than those in GDPR. It applies to any processing: (1) “carried out in the national territory” (i.e., in Brazil); (2) associated with the offering of goods or services in the national territory or involving the personal data of individuals located in the national territory; or (3) of personal data collected in the national territory. As under the GDPR, this broad scope applies to processing activities conducted wholly outside of Brazil, but which affect or target Brazilian citizens.
Lawful Bases for Processing. Similarly, the LGPD recognizes lawful bases for processing, including most notably, consent, contractual necessity, and necessity to fulfill the legitimate interests of the controller or a third party. As under most privacy frameworks, additional protections apply to certain categories of data, such as the personal data of minors and “sensitive data.”
Unlike, the GDPR, however, the LGPD also lays out some additional, more specific bases, such as for the protection of health in a procedure carried out by health professionals and the protection of credit. The law also provides that the consent requirement will be considered waived where the data subject has “manifestly made public” his or her personal data.
Although the law was passed in the Senate back in July, the version signed by the President included several small, but potentially meaningful, changes. The President had until August 14 to approve the bill, reject it, or make line item vetoes and sign a modified version of the bill. The President opted to veto three provisions: the establishment of an independent data protection authority, the ability to suspend or prohibit data processing for violations of the law (though judges may still impose such penalties through other existing laws), and the requirement that public actors disclose transfers among government agencies (though the law still requires that government officials communicate when they carry out processing, for what purpose, and via which procedures).
Data protection advocacy groups worry that these vetoed provisions may serve to gut the protections arduously labored over for months in the legislature, but the President’s office suggests that these vetoes were the result of procedural defects and not an attempt to lessen the effectiveness of the law. For example, the President announced that his office would separately send a bill to Congress for the creation of a data protection authority.
In passing this law, Brazil has significantly increased its data protection regime, and may be looking to prove its “adequacy” under the EU standard for data transfers. This would make Brazil one of the few countries to provide comparable data privacy protections as those offered to EU residents.
The law goes into effect 18 months after signing, giving companies until 2020 to bring their data processing practices into compliance.