What is the LGPD? Meet Brazil’s New Powerful Data Protection Law

Whether you live in Brazil. or do business with or in Brazil, you probably have already heard about the country’s new data protection law, the Lei Geral de Proteção de Dados Pessoais (General Law of Protection of Personal Data), or LGPD for short.

Brazil is Latin America’s largest technology hub and has the eighth-largest economy by GDP. Getting to know the ins and outs of LGPD is essential for doing business there.

What is the LGPD?

The LGPD is the new overarching law for the protection of personal data in Brazil (see details below for its full scope). Brazil’s parliament passed the LGPD as Law # 13,709 on August 2018. Since then, the law has been modified twice and went into effect on August 15, 2020.

The LGPD is not Brazil’s first data protection law. Brazil has been very active in data protection academic research and legislation. Even before the LGPD was signed, around 40 data protection-relevant laws and regulations already existed in the country.

LGPD Concepts and Terms

Before explaining the LGPD’s rules and impact, let’s introduce a few concepts and terms surrounding the law.

Personal data: This is data “about” a person. It is data that is stored in a computer (or on paper) and is either explicitly labeled as referring to a person or that, with a limited amount of work, can be identified as referring to a particular person. Examples are names, birthdates, bank account numbers, data about what you did last Thursday between 2 p.m. and 3 p.m., your genetic data, information about your membership in a trade union, etc., etc.

Data subject: A “data subject” is the person that personal data is “about.” For example, If I am a bank and maintain your bank account number in my banking system, then you are the data subject. We are all data subjects.

Data protection: Protection of personal data against misuse.

Data collection: Any way of obtaining personal data, for example: asking a person for personal data on a Web form, tracking their online behavior, measuring their body temperature, etc.

Processing: Processing of personal data means to collect, store, or distribute that data, or to run analyses on it.

Controller: A controller is any person or organization that collects personal data. For example, if I am a bank and you have an account with me, naturally I have data about you such as your bank account number.  That makes me a data controller.

Processor: A processor is any person or organizations that has been tasked by the controller with processing personal data. For example, if I am a bank and I store your account number in the cloud, then the cloud service provider is a data processor.

Processing agents: The LGPD’s term for controllers and processors combined. In the above example, my bank and the cloud provider that I use are both processing agents.

Purpose of the LGPD

“Data protection” is a somewhat misleading term. Data protection is really people protection. The goal of data protection is to protect people's privacy through the protection of their data. The LGPD provides (or demands) that kind of protection and imposes duties and limitations on processing agents in order to enforce the protection.

What is new with the LGPD in comparison to previous Brazilian laws and regulations, some of which it complements, is the comprehensive scope of the LGPD. The LGPD was modelled after the European Union’s General Data Protection Regulation (GDPR), which is in turn, rooted in United Nations conventions. The central idea of both LGPD and GDPR is that the protection of personal data is a human right. This means data protection is not limited to specific areas. Previous data protection legislation in Brazil had been “sectoral,” meaning it applied to personal areas such as the health system, the financial industry, etc. The LGPD is a different beast: It demands data protection in any walk of life and impacts almost any area of business and administration.

When Does the LGPD Apply?

The LGPD applies in either of the following scenarios:

1. When processing of personal data is a) carried out in Brazil and b) the purpose of the processing is to offer or provide goods or services.
2. When personal data is processed that was collected from individuals who were in Brazil when that data was collected.

Most notably, and again mirroring the GDPR’s approach, the LGPD defines a right to data protection regardless of the county in which personal data is processed. If my bank collects data about you and you live in, or even just were visiting, São Paulo, then the LGPD applies to my bank’s processing, regardless of whether the bank is registered or physically processes your data in São Paulo, in San Francisco, Calif., or in Saarbrücken, Germany.

Excluded or partially excluded from the LGPD are processing activities in a number of areas, such as national defense, law enforcement, journalism, and statistics. Also, data that is processed for purely private purposes is not in the law’s scope.

When Is Personal Data Processing Allowed?

Personal data processing is forbidden by default. It is only allowed if a legitimate cause for the processing is present. The LGPD specifies a list of legitimate causes in Article 7. The most important causes are:

• The data subject has consented to the data processing. Consent must be informed, unambiguous, and voluntary
• The processing is necessary for the implementation of a contract that the data subject has entered into (essentially, a kind of indirect consent)
• The controller has a legal obligation to process the data
• For the exercise of law enforcement
• To protect the life or physical safety of a person
• For matters of credit protection

The list contained in the LGPD is comprehensive, that is, if your sole cause for processing personal data is that “it will benefit our bottom-line,” you’re out of luck! It is not allowed!

What Are a Data Subject’s Rights?

A data subject can demand the following from the controller:

1. Confirmation of existence of data processing of personal data (about the data subject her/himself only, of course!)
2. Access to the data subject's personal data
3. Correction of incomplete, inaccurate, or outdated data
4. Anonymization of, blocking of, or deletion of, unnecessary or excessive data or illegally processed  data
5. Portability of the data to another service or product provider (e.g., porting data when you move from one health insurance to another)
6. Deletion of personal data processed with the consent of the data subject
7. Information about any organization with which the controller has shared data (including processors)
8. Information about the possibility of denying consent and the consequences of such denial
9. Revocation of consent

Note that the controller is the party that a data subject must contact, not the processor. The controller is the “interface” the data subject must use for any of the above requests.

Institutions for LGPD Concerns

At the federal level, Brazil has created a national data protection agency, the Autoridade Nacional de Proteção de Dados (ANPD). This agency can demand information on personal data processing from organizations, levy fines, and is generally tasked with ensuring that the LGPD is followed.

At the organizational level, each controller must designate a Data Protection Officer (DPO). The DPO’s job is to push the organization they work for towards implementing the LGPD. They are also the organization’s “interface” for rights-of-the-data-subject requests, and the organization’s point of contact for the ANPD.

Responsibilities of Processing Agents

Processing agents are obligated to “adopt security, technical, and administrative measures able to protect personal data from unauthorized accesses and accidental or unlawful situations of destruction, loss, alteration, communication, or any type of improper or unlawful processing” (Article 46). In other words, they must show a reasonable amount of effort to secure the personal data. Controllers are additionally obliged to ensure that processors are aware of this responsibility (e.g. by including it in contracts with the processor).

Processing agents are also obliged to keep the processing of data to the minimum that is required to implement the legitimate causes. They must not collect or keep data that is not needed for, for instance, the fulfillment of their contract with the data subject. Data that is no longer required must be deleted or made unusable.

Controllers are obliged to inform both the authorities and the data subjects if they experience a security breach. This informing must be done in a “reasonable time period” from the discovery of the breach. What is “reasonable” is not defined in the LGPD; the ANPD, which at time of writing is still being established, is expected to provide a definition.

Controllers are required to provide to the ANPD, on demand, and with documentation of:

• Their personal-data processing activities
• Risks associated with the activities
• Measures (organizational and technical) that were taken to reduce the risks

LGPD Fines

If an organization violates the LGPD, the ANPD has a number of measures they can use to discipline the offending organization. Most importantly, the ANPD can levy a fine of up to two percent of the offending organization’s (or its group’s) total revenue in Brazil, for up to 50 million Brazilian Reais (about $11 million US). If a company suffers multiple security breaches, that amount can be levied for each breach.

Furthermore, if a data processor violates data protection law and in doing so, causes damage for data subjects or any other persons, the data processor can be held liable in court for the damages (Articles 42–45). This section of the LGPD seems influenced by US law, where tort law has long been a kind of stand-in for a general data protection law.

Role of Technology in the LGPD

There is no single technology that would allow organizations to just “flip the switch” and be LGPD-compliant. Implementing a fundamental paradigm like that of the LGPD  is a multi-step process. It requires organizations to step back from day-to-day operations and reconsider what they are doing. Only then can they decide how to use technologies to implement their goals.

At the core, these are the steps required for an organization to become LGPD-compliant:

1. Understand the goals of the LGPD
2. Based on the goals of the LGPD, and existing processes, data, and organizational goals, adjust process definitions to protect personal data
3. Based on the design of the new processes, implement measures to enforce the new processes

It’s at the third step that solutions for cybersecurity, compliance reporting, automation, data backup, etc. are most relevant. For instance, a bank may

1. Understand that access to the account data of their customers must be limited
2. Define which persons and processes must be allowed access to the personal data and which must not
3. Use encryption as a technology to enforce the intended access

For more complex organizations those three steps would be further differentiated into smaller steps that would include things like a discovery process and data protection impact assessments.

What’s next for LGPD?

The LGPD is sure to shake up the way that companies conduct business in Brazil and with Brazilians. Also, as Gilberto Gil once said, “Brazil was, is, and will be in fashion.” Expect other countries in Latin America to adopt similar legislation in years to come.

Now that the basic concepts behind the LGPD have been outlined, you can start considering what steps your organization must take to become LGPD-compliant. Stay tuned for future articles that delve into what the LGBG means for IT teams.

Reviewing your organization’s cybersecurity health is a great place to start.