An Overview of the Scope of the Brazilian Data Protection Law
by: Raphael Valentim
In August 2018, Brazil issued its long-awaited Data Protection Law (Law No. 13,709/2018), known as the LGPD (“Lei Geral de Proteção de Dados”). Despite its noticeable inspiration from the European General Data Protection Law, known as the GDPR, the Brazilian law has some unique characteristics and scope, which we will shed light on in the following paragraphs.
- What kind of “data” is protected by this law?
Under the LGPD there are two different types of data to be protected: personal data and sensitive data. “Personal data” is defined as any information related to an individual who is identified or identifiable. In turn, “sensitive data” is a category of personal data with special protection: data related to racial or ethnic origin, religious conviction, political opinion, union membership, health or sexual orientation, and genetic or biometric data.
The collection and processing of personal data must be supported by the direct consent of the owner of the data, in writing or by other means that demonstrate the owner's expression of will. Sensitive data can only be collected with the specific consent of the owner, expressly mentioning the information to be collected and the processing to be performed with it. In addition, the collection of data from people under 18 years old must be authorized by their relatives or legal representatives.
Despite the high level of convergence between the LGPD and the GDPR, there are some differences in the rules. While the GDPR distinguishes identified data from anonymous data and pseudonymous data (the latter being related to the anonymization process), in Brazil there are only two classes of data: identified and anonymous. Under this law, reversing an anonymization is treated as an identification process.
- Who is subject to the LGPD?
Like the European law, the LGPD applies to any entity regardless of the country in which it is headquartered or the place where the data are located.
The Brazilian law is mandatory for all private entities that process the personal data of Brazilian or foreign citizens if the data is collected or processed in Brazil, or if the company processes the data for the purpose of offering or providing goods or services in Brazil.
For example, a service app hosted in Brazil that collects a handful of data from its users (Brazilian or foreign) will be subject to the LGPD. The same applies to those who collect only foreigners' data to be processed by Brazilian companies, such as hotels or resorts. In such a case, it is important to point out that those companies may also be subject to the GDPR, since the data collected belongs to a European citizen.
There are some cross-border aspects to be pointed out. Brazilian entities can only transfer data to another jurisdiction in the following situations: if the receiving jurisdiction provides data protection rules similar to the LGPD, if there is a global corporate policy allowing such a transfer, or with the specific consent of the owner of the data.
The cross-border aspect was one of the most discussed, since it can hamper the exchange of information between a headquarters and its Brazilian subsidiary, depending on the country in which the headquarters is located. However, German companies may have no problems, considering that the GDPR covers all the data protection rules provided in the LGPD.
- What are the principles of this law?
Similarly to the GDPR, the LGPD provides some principles that must be observed during data processing. These principles focus on data protection and are complemented by good faith. They are the following:
- (i) purpose: the purpose of the data processing must be explicit to the owner of the data;
- (ii) adequacy: the information required must be related to the purpose to be achieved;
- (iii) necessity: the processing should be limited to the minimum necessary to achieve the purpose made explicit to the individual;
- (iv) free access: the entity must grant the owner of the data free access to the data collected;
- (v) data quality: the data should be as accurate and up to date as its purpose requires;
- (vi) transparency: the entity should grant the owner easy access to the information;
- (vii) security: the entity must adopt technical and administrative measures to protect the data from unauthorized access or data leakage;
- (viii) prevention: the entity must adopt measures to prevent damage that might occur because of the data processing;
- (ix) non-discrimination: the data must not be used for discriminatory purposes;
- (x) accountability: the entity must demonstrate the adoption of effective measures to protect the data.
- What must entities do?
Penalties may range from warnings to fines of up to 2% of the company's gross revenue in Brazil in the previous year, limited to 50 million Brazilian Reais per violation. It is important to point out that the penalties are calculated on Brazilian revenue only. Even foreign companies may be subject to such penalties.
In order to avoid the risk of being punished by the Brazilian authorities, even a company that is already subject to the GDPR must take measures to adjust its internal procedures to comply with the Brazilian law.
Among other things, the LGPD requires entities to carry out certain activities related to both data protection and data processing. They are the following:
- Start a due diligence process to identify what kind of data is collected and processed by the company. In the case of apps, it is also important to check whether any information is collected while the user interacts with the app;
- Analyze whether the entity's practices comply with the LGPD and, if they do not, develop measures to bring them into compliance;
- Appoint a Data Protection Officer (DPO) responsible for direct communication with the owners of the data and with the authorities. The DPO, together with the entity's counsel, should implement data security measures;
- Observe the requirements for data collection, obtaining the proper authorization to collect and process the data in accordance with the principles mentioned above;
- Grant the owner access to the data, including the right to have the data corrected, anonymized or deleted upon the owner's request;
- Adopt technical and administrative data security measures to protect the data from unauthorized access, alteration or any other harmful act;
- If any data breach is detected, immediately notify the authorities and the data owner.
In short, despite the particularities of each law, they share enough similarities that no adequacy procedure is needed, allowing companies from Brazil and Germany to exchange data as long as the data protection laws are observed.
Text on the official website: http://www.ahkbrasilien.com.br/pt/publicacoes/newsletter-recht-steuern/