In their first years at law school, students learn that one of the main differences between laws and ethical standards is that the law, when violated, comes with sanctions. In 2018, Brazil enacted a National Data Protection Law (LGPD) providing rules on the treatment of personal data in the country, but it only became a law in the strictest sense on August 1 of this year. Companies were given two years to adapt to the new framework before sanctions came into force, a period that was extended by another year due to the Covid-19 crisis.
Now, all companies that handle private data in Brazil must observe the rules handed down by the LGPD, facing administrative punishment in the event of violations.
While the LGPD is not the first data privacy legislation in Brazil — the Constitution and other legal codes already contain crucial rights and concepts regarding the protection of sensitive information and privacy — it brought with it greater detail, strengthening and extending the scope of data issues.
In broad terms, the LGPD is based on the European Union’s General Data Protection Regulation (GDPR), outlining how companies should legally collect, process, protect, handle, and dispose...