Data Privacy Law in Brazil: Differences and Similarities with International Legislations

By Otávio Almeida and Layon Lopes

The General Law on Personal Data Protection of Brazil (as known Lei Geral de Proteção de Dados or LGPD – Law No. 13.709/2018) is the norm that regulates the treatment of personal data. After eight years of proceedings, the Brazilian framework on data protection is born in a context of international efforts to have greater security on information and data privacy.

After the occurrence of several international scandals and the advance of social networks, the matter of data protection became relevant in the public debate – stressing that it is not a new matter, but there had never been so much talk about it.

The goal of the LGPD, as well as the legislations of other countries, tries to establish a new culture in the era of BigData, in which citizens have control over the treatment of their personal data.

Almost a year after the LGPD came into force, it is possible to indicate that the reality of the holders of personal data, as well as those who process data, whether from the public or private sector, are being strongly impacted by the need to adapt to the legislation.

Certainly, following the example of the European Union, sanctions to those who violate or improperly handle personal data will be strongly punished. Among differences and similarities, Brazil must follow several international practices, which it already does, however, following its own path, considering its unique social and business reality.

This text is intended to introduce the LGPD, drawing some comparisons with data protection practices already practiced around the world, in particular, the European legislation.

The international importance of legal frameworks for data protection:

The International Community, especially in the last decade, has promoted many data security policies, including a great characteristic of this movement was and still is the definition that one of the requirements for the establishment of commercial relations is that the players – in this case, the countries – are minimally adequate for this reality.

The economic block of the European Union is a great example of this, since after the enactment of the GDPR (General Data Protection Resolution) it was established the policy that member states and companies require their international partners to have adopted compliance and data security policies aiming to protect the interests of European citizens.

By market demand, companies are having to reinvent themselves and adapt to the privacy design required so not to lose competitiveness. And in Brazil it is no different.

In the European case, if the countries where the companies come from do not have specific laws on the issues, contracts with them should have binding corporate rules, which greatly increases bureaucracy.

This automatically encouraged many countries to speed up the enactment of their data privacy legislation in order not to lose competitiveness with their more mature rivals on the subject.

The confluence was such that the data privacy legislative process became a big wave, as can be seen in David Banisar’s new General Data Protection Laws map, where 118 of the 193 UN member countries already have data protection laws; and, 32 are in the process.

Now that you know there is a global demand for privacy and laws requiring compliance, let’s check out some legal tips if you want to be compliant with LGPD:

1. Being compliant with the law of your country that has a law similar to Brazil’s does not mean you are compliant with LGPD.
2. In Brazil, there is permission to treat sensitive data, which is different from the European case; therefore, being a point that deserves much attention if your company will operate in the country.
3. The LGPD applies to all data processing, with the exception of private use, so it has a broad application, which differs from the legislation of the U.S. state of California, which states that only companies with annual gross revenue exceeding 25 million dollars, companies whose revenue is obtained through the sale of data means more than fifty percent, or companies that process the data of 50,000 consumers will be subject to the law.
4. While obtaining the data subject’s consent is a legal basis for almost all data protection laws, there are different understandings about the appropriate ways to obtain it.
5. Following a global trend, infringing the LGPD may lead to sanctions such as a fine of up to 2% of the gross revenue that the company had in Brazil in the last year, stoppage in the treatment of data performed; fine of up to 50 million reais.
6. The international transfer of data will only occur to countries that have procedures in accordance with data protection frameworks, but in Brazil there are no clear guidelines for defining what would be a suitable country for international transfer purposes, which must still be established by the Brazilian data protection agency.
7. Data Mapping of the life cycle and flow of personal data is one of the main tasks to be adequate to LGPD; promote risk analysis, in addition to maintaining an effective privacy program.
8. Prepare, analyze and review documents, such as privacy policies and contracts, terms of use, and other instruments.

Make no mistake, this text does not have the deep mission of analyzing the international laws in comparison with the Brazilian ones, but it has the clear intention of passing the message that “be careful, although very similar, the data protection laws have particularities that cannot be ignored”.

Follow more of our publications. We will talk more about our General Data Protection Act and the influence it can have on your business. See you next time!

* Layon Lopes is the CEO of Silva | Lopes and Otávio Almeida is a member of the Silva | Lopes team.