After a series of proceedings in the Brazilian Congress and a two-year moratorium, the General Law on Data Protection of Brazil (Lei Geral de Proteção de Dados, LGPD) comes into force in September 2020.
This law was approved in August 2018, and it aims to update Brazilian legislation by replacing more than 40 laws related to the protection of personal data and the privacy of individuals.
The forthcoming enforcement of the LGPD has not been without complications. It was due to come into force in August this year, but because the coronavirus pandemic could hinder companies' implementation of the legally required measures, the Brazilian government proposed postponing it until May next year. The Chamber of Deputies then ratified the text but changed the date to December of this year and, finally, during its passage through the Senate, it was decided to void the postponement and bring the law into force immediately.
Inspired by the similar regulation in place in the European Union (the General Data Protection Regulation, GDPR), the Brazilian law will create the National Data Protection Authority (Autoridade Nacional de Proteção de Dados, ANPD), a public entity under the charge of the Executive Power and responsible for applying the regulations to data processing entities, whether public or private. Its main functions are to oversee, implement, and supervise the observance of Law 13,709, the General Law on Data Protection of Brazil.
The ANPD will be led by a Director General. There will be a Board of Directors with 5 members, who will be appointed by the Executive Power and ratified by the Senate, with a 4-year mandate, renewable for a period of equal duration.
The main competences of the ANPD include guaranteeing the protection of personal data and privacy, auditing and penalizing any noncompliance with the LGPD, and promoting the adoption of data protection standards, in addition to preventing cyber-attacks.
What does Law 13,709 say?
In its first provision, the General Law on Data Protection states that it regulates the processing of personal data, including in digital media, by both individuals and public or private legal entities, and that its purpose is to safeguard the essential rights of freedom, privacy, and the free development of people.
The LGPD establishes that all data processing entities, i.e., those that collect, store, and transfer data, whether individuals or public or private legal entities, are subject to these regulations. This application is independent of the medium used and is extraterritorial, meaning that it applies regardless of the country where the data is located, provided that the data processing is carried out in Brazil.
The law, however, makes some exceptions for the processing of personal data by individuals for purely private and non-financial purposes, or for journalistic or artistic purposes. The processing of data for academic purposes, national defence and security, public security, and for the investigation and penalization of criminal offences is also excluded.
What data does the LGPD consider?
The regulation establishes three data categories:
- Personal data: data identifying a person (name, address, identification number).
- Sensitive personal data: data used to identify ethnic or racial origin, political opinion, membership of any trade union or of a religious, philosophical, or political organisation, information concerning health or sex life, and biometric data, all in relation to individuals.
- Anonymous data: data concerning a holder who cannot be identified.
The regulation considers two ways in which personal data may be obtained: with the express consent of the holder, or in strict adherence to a legal or regulatory obligation on the party charged with the data processing. In this regard, the LGPD defines who the holders of specific data are, establishes the conditions for the use of that data, and penalizes any irregularities. Fines for companies that misuse data, or that suffer a security breach leading to the disclosure of the data, can be up to 50 million reais per infringement, in addition to the partial or total suspension of data processing activities.
According to the data protection regulations, companies must have a protection officer who will be responsible for compliance within the organisation. The protection officer will receive complaints and enquiries from the holders, take preventive measures, receive communications and guidance from the National Authority, and implement good practices within the organisation.
When any irregularities arise, companies shall be obliged to notify their users with detailed information on the affected data and the measures taken to ensure their safety and protection, while also having to warn of the risks involved in the incident.
The LGPD also requires that a data processing register be created, indicating the type of data to be collected, the purpose of its use, the legal basis for obtaining it, the retention period, and the security procedures applicable to its recording and storage.
It also establishes that personal data must cease to be used when the purpose for which it was obtained has been fulfilled, when the data collected is no longer of use, or when the processing period has expired. It also establishes the holder's right of revocation and the authority's right of cancellation if there is any violation of the LGPD.
In regard to data protection for children and adolescents, in general terms, the law establishes that the processing of their data must be carried out with the consent of one of their parents or legal guardians. The data recording entity must make every reasonable effort to verify this authorization, taking into account the available technology.