How to prepare for Brazil’s new Data Protection Law

. Jun 07, 2019
LGPD prepare for Brazil's new Data Protection Law

In a recent article in the Financial Times, Shoshana Zuboff, writer and professor at Harvard Business School, wrote about a project initiated by the Georgia Institute of Technology in the year 2000, called “Aware Home.” The computer scientists and engineers working on it imagined a perfect symbiosis between humans and their homes, with sensors inserted in objects, clothes, or human bodies themselves, in order to facilitate our lives. The entire dataset (including up-to-date information on health) produced from this project was only to be stored on private computers, in order to ensure the privacy of each user’s information.

</span></p> <p><span style="font-weight: 400;">Ms. Zuboff fast-forwarded to 2017, looking at a study carried out by University of London scholars on Google’s smart thermostat Nest. The paper said the Nest ecosystem is composed of multiple connected features and applications, each with burdensome terms and conditions and privacy policies, adding up to around 1,000 contracts. If a user does not accept these terms, the functionality and security of the thermostat would be seriously affected, and updates would no longer be available.</span></p> <p><span style="font-weight: 400;">&#8220;Aware Home is a record of what we have lost and what we must now find again: the rights to know and decide who knows about our lives and our futures. Such rights have been and remain the only possible foundations for human freedom and a functional democratic society,” Ms. Zuboff wrote.</span></p> <p><span style="font-weight: 400;">In January 2019, in what could be a response to Ms. Zuboff’s call to action, France&#8217;s data protection authority fined Google EUR 50 million, arguing that the company&#8217;s data consent policies weren’t easily accessible or transparent. What made this conviction possible was the new European Data Protection Regulation (GDPR), which passed in May 2018 and is celebrating its first anniversary this month. GDPR is a sign that users are taking back control of their personal data and now have legal tools to do so. California followed this move by passing the California Consumer Privacy Act, which will come into force on January 1, 2020. And the most recent major actor to <a href="">take a stance</a> on this issue is Brazil.</span></p> <p><span style="font-weight: 400;">Brazil&#8217;s </span><a href=""><span style="font-weight: 400;">Data Protection Law</span></a><span style="font-weight: 400;"> (LGPD) was approved in 2018, and is planned to come into force in </span><b>August 2020</b><span style="font-weight: 400;">.</span></p> <h2>What does the LGPD say?</h2> <p><b>Who is affected?</b><span style="font-weight: 400;"> The LGPD applies to any individual or public or private entity with personal data processing activities that: (i) are carried out in Brazil; (ii) involve personal data collected in Brazil; or (iii) are for the purpose of supplying goods or services in Brazil, or concern individuals physically located in Brazil. The data processing entity is called the </span><b>Data Controller</b><span style="font-weight: 400;">.</span></p> <p><b>What is “personal data”?</b><span style="font-weight: 400;"> The LGPD defines personal data all information related to a person, or </span><b>Data Subject</b><span style="font-weight: 400;"> (including name, address, phone, age, email, behavior, etc.). The law also includes special restrictions on &#8220;sensitive personal data,&#8221; which is defined as information relating to an individual&#8217;s religious beliefs, racial or ethnic origin, political opinion, health, or genetic or biometric data. Therefore, </span><b>companies should be concerned, not only about their users’ personal data, but also about that of their employees or clients.</b></p> <h2>What rights do data subjects have?</h2> <ul> <li><span style="font-weight: 400;">Their </span><b>informed consent </b><span style="font-weight: 400;">will be required for all data processing activities. Data subjects may provide their consent in writing or by other means (e.g., by checking an &#8220;unticked box&#8221;). Consent can be revoked by the Data Subject at any time.</span></li> <li><span style="font-weight: 400;">Data Subjects have the right to access and rectify their data, including asking to anonymize or eliminate unnecessary personal data or information that is not being processed in compliance with the LGPD.</span></li> <li><span style="font-weight: 400;">Data Subjects can request the portability of their personal data, which means that they can ask to obtain and reuse their personal data for their own purposes across different services. </span></li> <li><span style="font-weight: 400;">Data controllers are required to disclose information on all third parties who will have access to the data.</span></li> </ul> <h2>What are the penalties involved?</h2> <p><span style="font-weight: 400;">Penalties for non-compliance with LGPD provisions include warnings, fines, and suspensions of processing activities that violate the law. The fines can be up to 2 percent of a company&#8217;s gross revenue in Brazil in the previous year, or BRL 50 million (whichever is larger), per violation. </span></p> <h2>How can companies prepare for the LGPD?</h2> <p><span style="font-weight: 400;">At the moment, the wording of the LGPD is still relatively broad and it will be regulated by the Data Protection Agency, which is set to be instated in the coming months. However, some measures required by the LGPD can already be prepared and implemented by organizations. </span></p> <ul> <li><span style="font-weight: 400;">Companies should create and maintain a </span><b>data inventory</b><span style="font-weight: 400;"> or &#8220;data map&#8221; of the personal data they collect and process. </span></li> <li><span style="font-weight: 400;">Internal procedures should be implemented in order to </span><b>track consent and revocations</b><span style="font-weight: 400;"> by data subjects. </span></li> <li><b>Internal policies and procedures should be developed</b><span style="font-weight: 400;"> in order to respond to: (i) data subject requests, (ii) incidents, (iii) privacy by design requirements (meaning that an internal privacy governance program must be implemented) and (iv) security requirements (safeguards must be adopted to protect personal data from unauthorized or unlawful processing).</span></li> <li><span style="font-weight: 400;">Companies will also need to </span><b>update privacy notices</b><span style="font-weight: 400;"> in order to provide information to data subjects about: the purpose of the processing, the form and duration of the processing, the data controller, any third party which will receive or process the data, and the data subjects&#8217; rights mentioned above.</span></li> <li><span style="font-weight: 400;">Finally, the LGPD requests that all organizations that process personal data appoint a data protection officer (DPO). The DPO (who may be internal or external) will be responsible for receiving complaints and communications from data subjects, communicating with the Data Protection Agency, training employees, and carrying out other tasks with regard to the company&#8217;s personal data processing activities.</span></li> </ul> <p>The best way to prepare is to start early with the points above. Depending on the company&#8217;s size and activity, LGPD compliance could be a long process that can take over a year.</p> <p><span style="font-weight: 400;">Privacy experts expect LGPD requirements to be very similar to the European GDPR. Formats for policies and data inventories as required by the GDPR will also be used for LGPD compliance purposes. A small light at the end of the tunnel: companies or organizations which have already taken action to comply with GDPR will have a tremendous advantage in the long journey of LGPD compliance.

Read the full story NOW!

Astrid de Pelleport

Astrid is a data privacy consultant based in São Paulo. After years as an IP and tech lawyer in China and the Netherlands, she worked on GDPR projects throughout Europe. She now advises companies on privacy matters, including LGPD.

Our content is protected by copyright. Want to republish The Brazilian Report? Email us at