After Months of Uncertainty Brazil’s Data Protection Law Takes Effect
After several months of uncertainty, Brazil’s new data protection law, the Lei Geral de Proteção de Dados (“LGPD”) took effect on September 18, 2020. The LGPD was slated to take effect in February 2020, but was postponed due to the Coronavirus pandemic. The Brazilian government then postponed the LGPD to 2021. The most recent postponement was passed by Brazil’s House of Representatives on August 25, 2020, which delayed the effective date of the LGPD until December 31, 2020. Immediately thereafter, Brazil’s Senate responded and raised a “question of order” that upon approval by the president would remove the delayed effective date. On September 17, 2020, President Bolsonaro approved the senate’s bill such that the LGPD took effect on September 18, 2020. While the LGPD is now in effect, penalties under the LGPD will not take effect until August 2021 (pending approval from the Brazilian congress).
The LGPD mirrors the European Union’s General Data Protection Regulation (“GDPR”) providing expansive rights for individuals in their personal data, which is broadly defined as “information regarding an identified or identifiable natural person.” Like the GDPR, the LGPD has extraterritorial applicability and applies to all companies, regardless of location, if the companies process (carry out any operation with personal data) personal data of individuals either (1) within Brazil, (2) for the purpose of offering goods or services to Brazilian residents, or (3) where the personal data was collected in Brazil.
Additionally, as with the GDPR, a company (the controller) that controls how the personal data is processed must have consent from the individual or one of nine other lawful bases for processing the personal data. Controllers must also provide clear and transparent notice of their processing activities. While penalties for non-compliance with the LGPD are less than the GDPR, they are not without any financial teeth. Maximum penalties under the LGPD are 2% of a company’s revenue in Brazil (as measured in the prior fiscal year and excluding taxes), up to a maximum of 50 million reals (roughly equivalent to $9,000,000). Companies that conduct any processing activities within Brazil, or offer their goods or services to individuals in Brazil should evaluate the applicability of the LGPD.