Brazilian Data Protection Law (“LGPD”) – How Does it Compare to GDPR?
Both Brazil and Europe have passed data protection laws to protect the rights of their citizens. The LGPD carries many similarities with the EU’s General Data Protection Regulation (GDPR), but it is leaner in comparison, and being compliant in one jurisdiction does not mean you are compliant in the other. Comparing the two laws, what exactly are the similarities and differences between them?
Similarities – Both laws seek to unify the disparate regulations in their respective jurisdictions into one unified regulation. Each law requires entities to come into compliance with requirements related to the processing of personal data.
Differences – Brazil passed its comprehensive general data protection law, Brazil’s Lei Geral de Proteção de Dados (LGPD), on August 14, 2018, and it was set to come into force on August 15, 2020. The General Data Protection Regulation (GDPR) became effective on May 25, 2018.
TERRITORIAL SCOPE – EXTRATERRITORIAL JURISDICTION
Similarities – LGPD and GDPR both have extraterritorial application to companies located outside their territories that process data of their residents. Both laws apply to all companies offering goods or services to data subjects in the EU or Brazil, regardless of where those companies are located.
Differences – However, there is one notable difference. GDPR explicitly includes organizations that are not established in the EU, but that monitor the behavior of individuals located in it. The LGPD has no such provision. The LGPD will also not apply to data flows that originate outside of Brazil and are merely transmitted, but not further processed in the country.
PERSONAL DATA – PROTECTED DATA
Similarities – LGPD and GDPR both define personal data very broadly.
Differences – LGPD defines personal data simply as “any information regarding an identified or identifiable natural person”. GDPR is more specific, but has wide scope as well. GDPR states “personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” LGPD thus takes a broad view of what data qualifies as personal data, even more expansive than the GDPR.
ANONYMIZED DATA & PSEUDONYMIZED DATA
Similarities – Anonymized Data falls outside the scope of both laws as long as reasonable steps have been taken to ensure that it cannot be re-identified.
Differences – However, LGPD makes an exception for anonymized data, treating it as personal data where “data is considered personal when used for the behavior profiling of a particular natural person, if that person is identified”. Pseudonymized data, meanwhile, falls under the scope of GDPR since it is considered information on an identifiable natural person, but LGPD does not mention it except in the context of research undertaken by public health agencies.
DATA SUBJECT RIGHTS
Similarities – Both laws grant their citizens broad fundamental rights. GDPR is known for granting 8 fundamental rights, whereas LGPD grants 9 fundamental rights. However, they are essentially the same.
Differences – The difference is that LGPD splits “The right to information about public and private entities with which the controller has shared data” out of the GDPR’s more general “Right to be informed” to make it more explicit. Here is a list of LGPD’s 9 fundamental rights:
- The right to confirmation of the existence of the processing;
- The right to access the data;
- The right to correct incomplete, inaccurate or out-of-date data;
- The right to anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD;
- The right to the portability of data to another service or product provider, by means of an express request;
- The right to delete personal data processed with the consent of the data subject;
- The right to information about public and private entities with which the controller has shared data;
- The right to information about the possibility of denying consent and the consequences of such denial; and
- The right to revoke consent.
DATA PROTECTION OFFICERS
Similarities – Both acts require businesses and organizations to hire a Data Protection Officer (DPO).
Differences – GDPR outlines when a DPO is required. Under GDPR, data controllers and processors whose core activities consist either of processing operations which require regular and systematic monitoring of data subjects on a large scale, or of processing special categories of data on a large scale, are required to appoint a data protection officer (DPO). By contrast, LGPD requires all data controllers to appoint a DPO. Article 41 of the LGPD simply says, “The controller shall appoint an officer to be in charge of the processing of data,” which suggests that any organization of any type and size that processes the data of people in Brazil will need to hire a DPO. This is one of the few areas where the LGPD is more stringent than the GDPR.
LEGAL BASIS FOR PROCESSING DATA
Similarities – Both laws require a legal basis for the processing of data, but there are major differences in what those bases are.
Differences – This category is probably the most significant difference between LGPD and GDPR. GDPR has 6 lawful bases for processing (explicit consent, contractual performance, public task, vital interest, legal obligation and legitimate interest), and a data controller must choose one of them as a justification for using a data subject’s information. The LGPD, however, lists 10 lawful bases for processing in Article 7. The last of these, “to protect credit”, is a legal basis for processing that differs substantially from anything in GDPR. The LGPD’s 10 lawful bases are:
- With the consent of the data subject;
- To comply with a legal or regulatory obligation of the controller;
- To execute public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments;
- To carry out studies by research entities that ensure, whenever possible, the anonymization of personal data;
- To execute a contract or preliminary procedures related to a contract of which the data subject is a party, at the request of the data subject;
- To exercise rights in judicial, administrative or arbitration procedures;
- To protect the life or physical safety of the data subject or a third party;
- To protect health, in a procedure carried out by health professionals or by health entities;
- To fulfill the legitimate interests of the controller or a third party, except when the data subject’s fundamental rights and liberties, which require personal data protection, prevail; or
- To protect credit (referring to a credit score).
DATA SUBJECT ACCESS REQUESTS
Similarities – Both LGPD and GDPR guarantee individuals rights over their data. Under both laws, data subjects can request access to the data a company has collected about them and can request further actions concerning it, specifically its portability, deletion or correction.
Differences – The GDPR allows organizations 30 days to answer data subjects’ access requests, while the LGPD only gives them 15 days. There is also a difference in the cost of the requests. LGPD makes them mandatorily free of charge, while under the GDPR providing them free of charge is optional.
DATA PROCESSING AGREEMENT – LINK BETWEEN CONTROLLER AND PROCESSOR
Similarities – GDPR and LGPD both mention the processing of data by contract.
Differences – However, GDPR specifically provides what is to be included in the contract in Article 28. Under Article 28, GDPR requires a contract or legal relationship between the controller and the processor that is responsible for the data processing. By contrast, LGPD does not make such a requirement, merely stating in Article 39 that the processor must process the information according to the controller’s instructions. Given LGPD’s recent effective date (August 15, 2020), it is uncertain whether the LGPD will require data processing agreements between controllers and processors, as is required by GDPR Article 28. There is no functional equivalent of GDPR Article 28 in LGPD. Nevertheless, it is recommended to implement a data processing agreement so that the parties fully understand their respective responsibilities with respect to the collection, use, and protection of personal data, and their respective obligations if there is ever an incident involving personal data. This is particularly true under the LGPD, where liability is joint and several absent an agreement limiting a processor’s liability.
REPORTING DATA BREACHES – MANDATORY NOTIFICATIONS
Similarities – Both GDPR and the LGPD require organizations to report data breaches to the local data protection authority.
Differences – The level of specificity about what must be reported to the local data protection authority, and when, varies widely between the two laws. GDPR is explicit: an organization must report a data breach within 72 hours of its discovery. LGPD does not give any firm deadline, but requires notification within a “reasonable” time. LGPD Article 48 merely states that “the controller must communicate to the national authority and to the data subject the occurrence of a security incident that may create risk or relevant damage to the data subjects… in a reasonable time period, as defined by the national authority.” As of yet, there has been no guidance on what constitutes a “reasonable time period.” The LGPD also requires companies to notify data subjects of data breaches, something that is not a requirement under the GDPR.
FINES – PENALTIES FOR VIOLATIONS
Similarities – Both LGPD and GDPR impose substantial fines for violations of the law.
Differences – GDPR fines are more severe and substantial, requiring organizations that commit grave GDPR violations to pay up to €20 million (approximately $22 million) or 4% of annual global revenue, whichever is higher. LGPD fines are much less severe. Article 52 states that the maximum fine for a violation is “2% of a private legal entity’s, group’s, or conglomerate’s revenue in Brazil, for the prior fiscal year, excluding taxes, up to a total maximum of 50 million reals” (approximately $13 million). LGPD also lists possible daily penalties to enforce compliance. LGPD fines are in line with GDPR’s fines for less egregious infractions. Government agencies fall outside the scope of LGPD fines, while the GDPR leaves it up to DPAs to decide on this matter.
While LGPD and GDPR appear similar, there are nuances in the law that can trip up companies doing business in both jurisdictions. Hiring experienced legal counsel is necessary to navigate both LGPD’s and GDPR’s requirements in order to understand all the risks involved. Fines for noncompliance can reach millions of dollars. Choose a law firm with expertise and experience.