LGPD - the Brazilian GDPR
There are over 140 million internet users in Brazil, representing the largest internet market in Latin America and the fourth largest in the world in terms of number of users. Brazil has over 40 legal rules at the federal level that refer to data protection and privacy, so, obviously, a legislative framework for this issue is already in place.
However, these laws are sectoral, meaning that they refer specifically to banking, real estate, consumer protection and other similar limited areas where they can be applied.
LGPD (Lei Geral de Proteção de Dados Pessoais) - is meant to replace this segmented legal landscape with a general regulatory framework that encompasses all others.
The role of the LGPD is to give people in Brazil a set of general rights, in a simplified manner that will replace the sectorally applied laws that are in force today. The set of laws is modeled according to the General Data Protection Regulation of the European Union, the similarities between these two being obvious and easy to observe.
This similarity led to the assignment of a new name to the LGPD, that of the "Brazilian GDPR". This resemblance is not exaggerated at all, because if you are following the provisions of the GDPR, you can almost breathe a sigh of relief, because most of them are also found in the LGPD.
However, there are some differences. So it is important to study the provisions of the LGPD and the differences between this law and the GDPR. In this way, you will not be surprised when the provisions of the LGPD come into force.
To make this process easier for you, we will list below the significant differences between LGDP and GDPR. But first, we will present to you what LGPD is and in which cases it applies exactly.
What is the General Law on Data Protection (LGPD)?
The law on data protection in Brazil is called Lei Geral de Proteção de Dados Pessoais, which means "the general law of personal data protection".
It is officially abbreviated to LGPDP, although it is most commonly known and called LGPD.
It was adopted on August 14, 2018 and finally sanctioned by President Bolsonaro in July 2019. It contains sixty-five articles.
The effective date of the LGPD application should be 16 August 2020, but, as a result of several legislative blockages, it still needs to be voted on until 27 August 2020 at the latest. Some articles may be applied only starting with August 2021. That is also the time when we will start seeing the first sanctions for those who do not comply.
LGPD brings much-needed clarifications to the Brazilian legal framework. LGPD aims to unify more than 40 different statutes that currently legislate personal data by replacing certain regulations and supplementing others. This unification of previously dispersed and often contradictory regulations is just a similarity it shares with the EU General Data Protection Regulation, the document from which it was inspired.
The LGPD focuses on the national specifics, illustrated by the fact that the legal basis of this data protection law are based on liability, limitation of purposes, minimization of data processing, security and privacy.
The rights of data subjects
Article 18 explains the nine fundamental rights that data subjects have, namely:
- The right to consent to data processing;
- The right to access information;
- The right to correct inaccurate, outdated or incomplete data;
- The right to delete, anonymize or block unnecessary data that is not processed in accordance with the LGPD;
- The right to data portability to another service or product provider, by express request;
- The right to delete personal information processed with the agreement of the data subject;
- The right to information about public and private entities with which the controller shared personal data;
- The right to information about the possibility of refusing the agreement and the consequences of such denial;
- The right to revoke the data processing agreement.
Although the GDPR is known for granting data subjects eight fundamental rights, they do not differ much from those mentioned by the LGPD. The main difference is that the LGPD explicitly mentions “The right to information about public and private entities with which the controller has shared data” while “GDPR” has formulated this right in a more general manner, namely “The right to be informed ”.
Who is the LGPD for?
Brazil’s new law on data protection applies to any private or public person or company that processes personal data that:
- takes place in Brazil;
- is collected in Brazil;
- involves the supply of goods or services in Brazil or refers to data subjects who are geographically located in Brazil;
The LGPD also includes an extraterritorial aspect and will apply to global enterprises that meet these criteria mentioned above. The location of these companies is not relevant.
When does LGPD not apply?
LGPD law does not apply in the following cases:
- A person who processes data for personal purposes;
- Where the data are academic, journalistic and artistic;
- Whether information should be used for public safety, national security, criminal investigations, national defense.
How does LGPD differ from GDPR?
There are many similarities between LGPD and GDPR. One of these is that LGPD, like GDPR, has global applicability, as any website that processes personal data from individuals in Brazil is required to comply with it. However, there are some differences as well.
LGPD vs GDPR - legal basis for processing data
Probably the most significant difference between LGPD and GDPR relates to what qualifies as a legal basis for data processing. The GDPR has six legal bases for processing, and a data controller must choose one of them as a justification for using a data subject's information. Unlike the GDPR, the LGPD mentions a list of 10 legal reasons for data processing:
- With the consent of the data subject;
- To follow a legal or administrative commitment of the controller;
- To execute public policies provided for in laws or regulations based on contracts, agreements or similar documents;
- For the performance of studies did by research entities that guarantee, whenever possible, the anonymization of personal information;
- To perform a contract or preliminary proceedings relating to a contract to which the data subject is a party, at the request of the data subject;
- Exercising rights in judicial, administrative or arbitration proceedings;
- To protect the life or physical security of the data subject or a third party;
- To protect health, in a procedure carried out by health professionals or healthcare entities;
- To fulfill the legitimate interests of the controller or a third party, unless the fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail;
- To protect credit (referring to a credit score).
Credit protection as a legal basis for data processing is a major difference from the GDPR.
LGPD vs GDPR - data breaches
In the GDPR, a so-called DPIA (Data Protection Impact Assessment) is established to assess the potential risks of data processing. It is also necessary for processors to notify those data protection authorities if the high risks associated with the data processing are assessed.
The LGPD also establishes the DPIA, but does not indicate how they will be used, nor does it set out requirements for the warning to any administrative authority.
The LGPD imposes an obligation on companies to have a Data Protection Officer (DPO), while this is only required in certain circumstances in the GDPR.
The time limits for notifying data breaches are clearly defined in the GDPR as 72 hours, while the LGPD freely provides for data breaches to be reported to the authorities in a "reasonable time".
LGPD vs GDPR - fines
Compared to the GDPR, the LGPD is much less severe in fining and penalizing violations and non-compliance.
The maximum fines for non-compliance with the GDPR are set at EUR 20 million or 4% of a company's overall annual turnover, taking into account the highest amount. LGPD sets its maximum fines at 50 million Brazilian reals (approximately 11 million euros) or 2% of the company's annual turnover.
LGPD vs GDPR - territorial applications
The LGPD treats the international transfer of personal data similarly to the General Data Protection Law, assessing whether the foreign country has an adequate level of data security laws. And, of course, based on the prior, explicit and express consent of the data subject.
However, the LGPD (unlike the GDPR) does not apply to the transmission of data through Brazil without further processing.
In this global context in which personal data becomes an essential aspect of internet privacy, it is very important that your website and your analytics tool comply with all these provisions.
Visitor Analytics is 100% GDPR & CCPA & LGPD compliant. We use an independent cookieless tracking system that has received various awards. The website owner is the sole owner of the information and is in absolute control of it. There is no cross-tracking and we do not sell data to third parties.