CTI Column – Are you ready for the LGPD: Brazil’s version of GDPR?
By Tara Mandjee, lawyer
In the last few years, companies have been forced to rethink their data gathering practices as new privacy regulations have come into force, broadening the definition of what constitutes “personal data” and extending their territorial reach beyond borders. It all started with the coming into force of the General Data Protection Act (“GDPR”) in May 2018, which not only disrupted customer engagement strategies but also stirred privacy overhauls in several jurisdictions. Signed in June 2018, the California Consumer Privacy Act (“CCPA”) was the first major US privacy legislation adopted in the wake of the GDPR, with other states now following suit. In the last two months, Canada has also signalled its intention to bring its privacy laws in line with GDPR, with the introduction of Bill 64 – An Act to modernize legislative provisions as regards the protection of personal information – by Quebec’s government in June 2020 and the launch of a privacy consultation by Ontario’s Ministry of Government and Consumer Services in August 2020.
While everyone’s focus has been on this side of the continent, the Lei Geral de Proteção de Dados (“LGPD”) – Brazil’s General Data Protection Law, strongly inspired by GDPR – has gone somewhat unnoticed. Yet it will come into force any day now, and although its sanctions are postponed to 2021, by now we all know that 12 months can fly by when it comes to data privacy compliance. So what do you need to know now, and what should you start doing?
Some uncertainties as to timing
Immediate effective date…
After years of debate and consultation, the LGPD was finally implemented on August 14, 2018 with the objective of unifying over 40 different statutes governing personal data in Brazil. Heavily mirroring its EU counterpart, this legislation was supposed to come into force in February 2020, but in light of the crisis caused by the COVID-19 pandemic and the delay in operationalizing the National Data Protection Authority (“ANPD”) – the body responsible for regulating, interpreting, defending and applying this law – the LGPD’s effective date was postponed until 2021.
A complex interplay of provisional measures and proposals from various governmental bodies then ensued, followed by a major plot twist on August 26, 2020, when the Senate reversed the planned postponement and set an immediate enactment date of August 27, 2020. As a result, the LGPD will become effective as soon as the Brazilian President sanctions the Senate’s proposal or, if the President does not veto it within 15 days of receiving it, it will take effect automatically on September 16, 2020.
… with delayed administrative penalties
GDPR caught everyone’s attention in part due to its stiff fines, which can go up to 20 million euros or 4% of a company’s entire global turnover of the preceding fiscal year, whichever is higher (Article 83). In comparison, the LGPD’s fines can go up to the higher of 50 million reals (approximately $12 million CAD) or 2 percent of the company’s or economic group’s gross revenue in Brazil in the preceding fiscal year (Article 52). Although substantially lower than under GDPR, the LGPD fines are not negligible, and it is important to note when they will become enforceable.
President Bolsonaro issued Decree 10,474 on August 26 formally creating the ANPD, establishing its governance structure and granting it investigation and enforcement rights, but the ANPD does not have the ability to bring enforcement actions under the LGPD until August 1, 2021. Nevertheless, private lawsuits and public prosecutor actions based on LGPD violations are possible as of August 27, 2020 under Brazil’s Consumer Rights Law, Internet Law, or Civil Code.
Preliminary questions to consider
In the face of uncertainty around the effective date of the LGPD, many companies have not paid much attention to this new privacy regulation. They would however be well advised to at least answer the following three preliminary questions, given the fast-approaching enforcement date of August 1, 2021:
Are you subject to the LGPD?
Similar to GDPR, the LGPD has an extraterritorial reach: it applies to all companies offering goods or services to data subjects located in Brazil, regardless of where the company is headquartered. In general, you should assume that the LGPD applies to your company if you either process the personal data of people located in Brazil or process the personal data of anyone, regardless of nationality, within the Brazilian territory.
What are your processing activities governed by the LGPD & what was your gross revenue in Brazil last year?
Companies processing personal data are encouraged to implement protective measures corresponding to the level of risk of their data processing activities and taking into consideration their risk
As a result, you should do an inventory of your personal data processing activities governed by the LGPD, followed by a gap analysis to identify which of those activities and processes might require remediation. Evaluating your gross revenue in Brazil in the preceding fiscal year might also be relevant as part of your risk-based approach, noting however that fines under the LGPD can always go up to 50 million reals, irrespective of your company’s turnover.
Are you already GDPR-compliant?
If you are already GDPR compliant, then you have done the bulk of the work necessary to comply with the LGPD. You should however make sure that the processes you have adopted in order to comply with GDPR are also being applied to your processing activities governed by the LGPD, or can be easily extended with some adjustments. There are indeed some differences between LGPD and GDPR that will require additional work, as highlighted below.
If you are not already GDPR compliant, you should definitely put together a team dedicated to LGPD compliance and consider hiring external experts to support this important initiative. Indeed, some provisions may require the development of new tools or processes that involve some engineering effort, while others will require significant
GDPR vs. LGPD: key differences to consider
While we often assume that GDPR is the most exhaustive privacy regulation, GDPR compliance does not ensure LGPD compliance, since there are areas where the Brazilian law is stricter than its European cousin. For instance, the LGPD requires companies to answer data subjects’ access requests within 15 days, as compared to 30 days under GDPR.
Other differences between these two pieces of legislation should be clarified and further explained in the interpretive guidance to be issued by the ANPD. Indeed, there are many intentionally broad provisions in the Brazilian law that are subject to adjustment by the ANPD in the months leading up to its enforcement. These guidelines will undoubtedly affect how the LGPD requirements will be interpreted, implemented and enforced, but in the meantime, companies should start their LGPD compliance program.
GDPR outlines when a DPO is required (processing operations that
CTI columns are written by one or more members of the Information Technology Committee (CTI) with the aim of stimulating discussion and reflection within the legal community about new technologies and the law. The authors are therefore solely responsible for the content of the articles, and the opinion expressed in them is not that of the JBM but that of the authors. If you would like to write a column, send an e-mail to email@example.com.