Brazilian Data Protection Act comes into force

The Brazilian General Data Protection Act (“LGPD”, Lei Geral de Proteção de Dados) came into force on Friday, September 18, putting an end two two years of vacatio legis since it was passed in August 2018.

According to its first draft, the LGPD should have come into force in February of this year, but following a number of legislative initiatives brought by the government of Jair Bolsonaro to push the legislation forward to January 2021, the Brazilian Senate has finally forced its hand and set August 2021 as the date on which breaching the new regulations will become subject to penalties. 

The LGPD, or Act 13,709, has drawn much inspiration from the European Union General Data Protection Regulation (“GDPR” or EU Regulation 679/2016), as the Brazilian Senate admits on its own website, and it has been designed to regulate data use, protection and transfer in Brazil.  The LGPD seeks to guarantee that the public have greater control over their data, with the introduction of the data subject’s explicit consent to collect and process the data and the option to view, correct and remove such data.

Differences between the LGPD and the GDPR

Given the similarities between the European regulation and the new Brazilian regulation, there should be no great difficulty for regulated entities operating under the GDPR in adapting their compliance programs to process data in the South American country. However, they must take into account some key differences between both legal frameworks, including the following:

• In the processing of minors’ data, the Brazilian Data Protection Act includes more restrictive consent requirements than the GDPR since, although the GDPR imposes enhanced protection on the under 16s (even extending it to an age no lower than 13 at the discretion of Member States), the Brazilian law imposes it up to the legal age. The Brazilian regulation also imposes more requirements about data processing information offered to minors, including the obligation to use audio-visual methods to make it easier for minors to understand it.

• The Brazilian Act imposes fines of 2% of the domestic turnover on a company in breach, capped at 50 million reals (approximately 7.8 million euro), while the GDPR’s penalties are markedly higher, at up to 20 million euro for very serious breaches, and if the breaching party is a company, up to 4% of global turnover. 

• The Brazilian LGPD imposes less specific and restrictive deadlines for reporting security breaches than the GDPR.  While the GDPR imposes a 72-hour deadline for informing the competent authority of an incident that puts the right and freedoms of individuals at risk, the Brazilian Act just requires breaches to be reported within a reasonable period, without specifying more details.

• In terms of data transfers to a third country or international organization, although the Brazilian Act contains mechanisms and requirements similar to those included in the GDPR (such as adequacy decisions and appropriate safeguards), it does not include a list of exceptions and requirements as the GDPR does. This kind of transfer, therefore, is more restrictive under the Brazilian Act and will require adaptation according to eventual clarification by the Brazilian Data Protection Authority (“ANPD,” Autoridade Nacional de Proteção de Dados), the supervisory body in charge of enforcing the Data Protection Act.

The pending challenge: implementing the National Data Protection Authority

One month after the LGPD was approved in August 2018, the previous Brazilian President Michel Temer vetoed the possible creation of a National Data Protection Authority included in the approved draft bill since, under Brazilian law, creating a quasi-governmental body is the prerogative of the executive branch.  However, as we explain in this blog entry, Temer eventually passed Provisional Measure 869/2018 (Medida Provisória 868/2018) in December of that year, which introduced the creation of the National Data Protection Authority as a body reporting to the Office of the President. 

Although the Authority was set up to have technical autonomy, its relationship to the Office of the President sparked controversy due to the potential risk of interference resulting from its hierarchical subordination and lack of independence.

In July 2019, under the new executive led by Jair Bolsonaro, the Brazilian legislature passed Law 13,853, making certain changes to the creation of the ANPD, defining the structure and composition of its bodies, but keeping it subordinated to the Office of the President.

The institutional design, the powers effectively assumed and the autonomous operation of the ANPD will be crucial for a free transfer of personal data with the European Union.  Under the GDPR, the European Commission has the power to use an adequacy decision to determine whether a non-EU Member State offers an appropriate level of data protection with solid guarantees for the free exchange of data. An adequacy decision in the case of Brazil would offer a competitive advantage to Brazilian businesses with interests in the European Union over other countries in the region that do not yet have a full, robust data protection regulation.

Despite the entry into force of the LGPD last Friday, there have yet to be any appointments to the ANPD, and its budget has not been approved yet, which will have to be included in the next state budget (Orçamento Geral da União). All in all, together with the lack of organic and hierarchical independence, this could be an obstacle to a possible adequacy decision by the European Union, which will need to wait prudently for the effective implementation of penalties under the LGPD in August 2021 and the gradual launch of the Data Protection Authority’s oversight powers, as well as additional regulations. 

Authors: Pedro Santos e Silva y Miquel Peguera