04 Sep 2020

Chronique du CTI – Are you ready for the LGPD: Brazil’s version of GDPR?

By Tara Mandjee, lawyer

In the last few years, companies have been forced to rethink their data gathering practices as new privacy regulations have come into force, broadening the definition of what constitutes “personal data” and extending their territorial reach beyond borders. It all started with the coming into force of the General Data Protection Act (“GDPR”) in May 2018, which not only disrupted customer engagement strategies but also stirred privacy overhauls in several jurisdictions. Signed in June 2018, the California Consumer Privacy Act (“CCPA”) was the first major US privacy legislation adopted in the wake of the GDPR, with other states now following suit. In the last two months, Canada has also signalled its intention to bring its privacy laws in line with GDPR, with the introduction of Bill 64 – An Act to modernize legislative provisions as regards the protection of personal information – by Quebec’s government in June 2020 and the launch of a privacy consultation by Ontario’s Ministry of Government and Consumer Services in August 2020.

While everyone’s focus has been on
this side of the continent, the Lei Geral de Protecao de Dados (“LGPD”) – Brazil’s General Data
Protection Law strongly inspired by GDPR – has gone somewhat unnoticed. Yet, it
will come into force any day now and although its sanctions are postponed to 2021,
by now we all know that 12 months can fly by when it comes to data privacy
compliance. So what do you need to know now and what should you start doing
tomorrow?

Some uncertainties as to timing

Immediate effective date…

After years of debate and
consultation, the LGPD was finally implemented on August 14, 2018 with the
objective of unifying over 40 different statutes governing personal data in
Brazil. Heavily mirroring its EU counterpart, this legislation was supposed to
come into force in February 2020 but in light of the crisis caused
by the COVID-19 pandemic and the delay in operationalizing the National Data
Protection Authority (“ANPD”) – the body responsible for regulating,
interpreting, defending and applying this law – the LGPD’s effective date was
postponed until 2021. 

A complex interplay of provisional measures and proposals from various governmental bodies then ensued, followed by a major plot twist on August 26, 2020, when the Senate reversed the planned postponement and set an immediate date of enactment of August 27, 2020. As a result, the LGPD will become effective as soon as the Brazilian President sanctions the Senate’s proposal or, if the President does not veto it within 15 days of receiving it, it will take effect automatically on September 16, 2020.

… with delayed administrative penalties

GDPR caught everyone’s attention in part due to its stiff fines, which can go up to 20 million euros or 4% of a company’s entire global turnover of the preceding fiscal year, whichever is higher (Article 83). In comparison, the LGPD’s fines can go up to the higher of 50 million reals (approximately $12 million CAD) or 2 percent of the company’s or economic group’s gross revenue in Brazil in the preceding fiscal year (Article 52). Although substantially lower than under GDPR, the LGPD fines are not negligible, and it is important to note when they will become enforceable.

President Bolsonaro issued Decree 10,474 on August 26 formally creating the ANPD, establishing its governance structure and granting it investigation and enforcement rights, but the ANPD does not have the ability to bring enforcement actions under the LGPD until August 1, 2021. Nevertheless, private lawsuits and public prosecutor actions based on LGPD violations are possible as of August 27, 2020 under Brazil’s Consumer Rights Law, Internet Law, or Civil Code.

Next steps

Preliminary questions to consider

In the face of uncertainty around the effective date of the LGPD, many companies have not paid much attention to this new privacy regulation. They would however be well advised to at least answer the following three preliminary questions given the fast-approaching enforcement date of August 1, 2021:

1. Are you subject to the LGPD?

Similar to GDPR, the LGPD has an
extraterritorial reach: it applies to all companies offering goods or services
to data subjects located in Brazil, regardless of where the company is headquartered.

In general, you should assume that the LGPD
applies to your company if you either process the personal data of people
located in Brazil or process the personal data of anyone, regardless of
nationality, within the Brazilian territory.

2. What are your processing activities governed by the LGPD, and what was your gross revenue in Brazil last year?

Companies processing personal data are
encouraged to implement protective measures corresponding to the level of risk
of their data processing activities and taking into consideration their risk
exposure.

As a result, you should do an inventory of your personal data processing activities governed by the LGPD, followed by a gap analysis to identify which of those activities and processes might require remediation. Evaluating your gross revenue in Brazil in the preceding fiscal year might also be relevant as part of your risk-based approach, noting however that fines under the LGPD can always go up to 50 million reals, irrespective of your company’s turnover.

3. Are you already GDPR-compliant?

If you are already GDPR compliant, then you
have done the bulk of the work necessary to comply with the LGPD. You should
make sure however that the processes you have adopted in order to comply with
GDPR are also being applied with respect to your processing activities governed
by the LGPD or can be easily extended, with some adjustments. There are indeed
some differences between LGPD and GDPR that will require some additional work,
as highlighted below.

If you are not already GDPR compliant, you should definitely put together a team dedicated to LGPD compliance and consider hiring external experts to support this important initiative. Indeed, some provisions may require the development of new tools or processes that involve some engineering effort, while others will require a significant investment of resources and personnel (i.e. to review your privacy policy or third-party contracts).

GDPR vs. LGPD: key differences to consider

While we often assume that GDPR is
the most exhaustive privacy regulation, GDPR compliance does not ensure LGPD
compliance since there are areas where the Brazilian law is stricter than its
European cousin. For instance, the LGPD requires companies to answer data
subjects’ access requests within 15 days as compared to 30 days under GDPR.

Other differences between these two
pieces of legislation should be clarified and further explained in the interpretive guidance to be issued by the ANPD. Indeed,
there are many intentionally broad provisions in the Brazilian law that are
subject to adjustment from the ANPD in the months leading up to its
enforcement. These guidelines will undoubtedly affect how the LGPD requirements
will be interpreted, implemented and enforced, but in the meantime, companies
should start their LGPD compliance program.

Personal data

GDPR: Both GDPR and the LGPD protect any information relating to an identified or identifiable natural person. Pseudonymized data falls under the scope of the GDPR since it is considered information on an identifiable natural person, but the LGPD does not mention it except in the context of research undertaken by public health agencies. (Article 4)

LGPD: The LGPD does not however have a detailed definition of what is “personal data,” making its scope very broad. (Article 1)

Territorial scope

GDPR: GDPR explicitly includes organizations that are not established in the EU but monitor the behavior of individuals located there. (Article 3)

LGPD: The LGPD does not include such a provision. The LGPD will also not apply to data flows that originate outside of Brazil and are merely transmitted, but not further processed, in the country. (Article 3)

Data subject rights

GDPR: Eight fundamental rights. (Chapter 3)

LGPD: The LGPD has the same fundamental rights, except that it splits “the right to information about public and private entities with which the controller has shared data” out of the GDPR’s more general “right to be informed” to make it more explicit. There is also a difference in the cost of requests: the LGPD requires that they be free, while under GDPR, requests may optionally be free (Article 6). GDPR allows organizations 30 days to answer data subjects’ access requests, while the LGPD only gives them 15 days (Article 19).

Data protection officer (DPO)

GDPR: GDPR outlines when a DPO is required (processing operations that require systematic monitoring of data subjects on a large scale, or extensive processing of special categories of data). (Article 37)

LGPD: The LGPD suggests that any organization that processes the data of people in Brazil will need to hire a DPO. (Article 41)

Legal basis for processing data

GDPR: Six lawful bases for processing data: explicit consent, contractual performance, public task, vital interest, legal obligation and legitimate interest. (Article 6)

LGPD: The LGPD has the same six lawful bases plus another four, for a total of 10:

–       studies by a research body

–       exercise of rights in legal proceedings

–       health protection

–       credit protection

(Article 7)

Reporting data breaches

GDPR: A company must report a data breach within 72 hours of its discovery. (Article 33)

LGPD: “The controller must communicate to the national authority the occurrence of a security incident that may create risk or relevant damage to the data subjects… in a reasonable time period, as defined by the national authority”. This should be further defined by the ANPD. The LGPD requires companies to also notify data subjects of data breaches, something that is not a GDPR requirement (Article 48).



The CTI columns are written by one or more members of the Information Technology Committee (CTI) with the aim of stimulating discussion and reflection within the legal community about new technologies and the law. The authors are therefore solely responsible for the content of the articles, and the opinions expressed are those of the authors, not of the JBM. If you would like to write a column, send an e-mail to cti@ajbm.qc.ca.
