DLA Piper Intelligence

Data Protection
Laws of the World

Electronic Marketing

Brazil has no specific law regulating electronic marketing communications. However, it is important to point out that, according to the LGPD, all processing of consumers’ personal data (which includes the collection, storage, and sending of marketing communications) can only occur upon the appropriate legal basis for such purpose. Under this scenario, two available legal bases could be used, depending on the analysis of the concrete case: (1) the data subject’s consent, or (2) the controller’s legitimate interest.

Despite the lack of a specific statute, general provisions on privacy and intimacy rights, as well as consumer protection rights, also apply to electronic marketing. Therefore, the sender should immediately cease sending any electronic marketing if the consumer requests (i.e., offering an opt-out option to electronic marketing).

Last modified 28 Jan 2024
Law
Brazil

After several discussions and postponements, the Brazilian General Data Protection Law (LGPD), Federal Law no. 13,709/2018, entered into force on September 18, 2020. The LGPD is Brazil’s first comprehensive data protection regulation, and it broadly aligns with the EU General Data Protection Act (GDPR).

Although the law has been in force since 2020, the penalties issued by the LGPD only became enforceable on August 1, 2021. However, public authorities (such as consumer protection bodies and public prosecutors) and data subjects could enforce their rights under the LGPD as of September 18, 2020.

Before the enactment of the LGPD, data privacy regulations in Brazil consisted of various provisions spread across Brazilian legislation. For example, Federal Law no. 12,965/2014 and its regulating Decree no. 8,771/16 (together, the Brazilian Internet Act) imposed requirements regarding security and the processing of personal data and other obligations on service providers, networks, and applications providers, and provided rights for Internet users.

The following laws also contain general provisions and principles applicable to data protection:

  • The Federal Constitution
  • The Brazilian Civil Code, and
  • Laws and regulations that address
    • Certain types of relationships (g., Consumer Protection Code [1] and employment laws);
    • Regulated sectors (g., financial institutions, health industry, or telecommunications); and
    • Particular professional activities (g., medicine and law).

Additionally, there are laws that regulate the processing and safeguarding of documents and information handled by governmental entities and public bodies.

The LGPD applies to any processing operation carried out by a natural person or a legal entity (of public or private law), irrespective of (1) the means used for the processing, (2) the country in which its headquarter is located, or (3) the country where the data are located, provided that:

  • The processing operation is carried out in Brazil;
  • The purpose of the processing activity is to offer or provide goods or services, or the processing of data of individuals located in Brazil; or
  • The personal data was collected in Brazil.

On the other hand, the law does not apply to the processing of personal data that is:

  • Carried out by a natural person exclusively for private and non-economic purposes;
  • Performed for journalistic, artistic, or academic purposes;
  • Carried out for purposes of public safety, national security, and defense or activities of investigation and prosecution of criminal offenses (which will be the subject of a specific law);
  • Originated outside the Brazilian territory and are not the object of communication; or
  • Shared data use with Brazilian processing agents or the object of international transfer of data with another country that is not the country of origin, provided that the country of origin offers a level of personal data protection adequate to that established in the Brazilian law.

In addition, on October 20, 2021, the Brazilian Senate unanimously approved the Proposed Amendment to the Constitution (“PEC”) no. 17/2019, which includes in the Federal Constitution the protection of personal data, including in digital media, as a fundamental right, and to refer privately to the Union (federal government) the responsibility to legislate on this subject. As of February 10, 2022, data protection is now encompassed by the Federal Constitution as a fundamental right.

Footnotes

  1. Due to a broad interpretation established in case law, practically every Internet user is considered a 'consumer' for the purposes of the consumer protection.
Last modified 28 Jan 2024
Definitions

Definition of personal data

The LGPD defines personal data as any information related to an identified or identifiable natural person.

Anonymized data is not considered personal data, except when the process of anonymization has been reversed or if it can be reversed applying reasonable efforts.

Definition of sensitive personal data

The LGPD defines sensitive personal data as any personal data concerning:

  • Racial or ethnic origin
  • Religious belief
  • Political opinion
  • Trade union
  • Religious, philosophical or political organization membership
  • Health or sex life
  • Genetic or biometric data
Last modified 28 Jan 2024
Authority

The LGPD established the National Data Protection Authority (ANPD). On October 25, 2022, Law 14,460/2022 was published, altering ANPD’s role into a special and independent autarchic regime with administrative and budgetary autonomy as opposed to linking the ANPD to the Presidency of the Republic. The   ANPD is also given technical and decision-making autonomy with jurisdiction over the Brazilian territory. In addition, the ANPD will have its own appointed public attorneys, which enables the National Authority to independently take judicial measures that it deems appropriate.

The ANPD is now in operation and it is headquartered in the Federal District. Its structuring process started on August 27, 2020, with the publication of Decree No. 10,474/2020, which approved and regulated the regulatory structure of the ANPD, and its board of commissioned positions and nominated trust functions. On November 6, 2020, this Decree entered into force with the appointment of the Director-President and the members of the Board of Directors of the ANPD, after having been approved by the plenary of the Federal Senate. On March 9, 2021, the ANPD’s Internal Regulations were published, establishing the competencies and organization of the National Authority.

The ANPD is composed of:

  • A Board of Directors
  • A national council for Personal Data and Privacy Protection (Council)
  • Bodies of direct and immediate assistance to the Board of Directors (General Secretariat, General Coordination of Administration, General Coordination of Institutional and International Relations)
  • An Internal Affairs Office (inspection body)
  • An ombudsman
  • The Prosecution
  • Its own legal advisory body, and
  • Administrative and specialized units for the enforcement of the LGPD (ie, General Coordination of Standardization; General Coordination of Supervision; and General Coordination of Technology and Research)

The ANPD has the authority to issue sanctions for violations of the LGPD. This sanctions authority came into force on August 1, 2021. On October 29, 2021, the ANPD issued Regulation CD/ANPD 01/2021 for the Regulation of the Inspection Process and the Sanctioning Administrative Process, establishing the procedures regarding the supervision and enforcement of the LGPD. However, the Regulation is still pending further instructions relating to the parameters of calculation of such penalties, which are expected to be regulated by the end of 2023.

In August 2021, the President of the Republic appointed representatives of the National Council for Personal Data and Privacy Protection (Council). The Council contributes to the performance of the ANPD and has the authority to, among other things:

  • Oversee the protection of personal data
  • Issue regulations and procedures related to personal data protection
  • Deliberate, at an administrative level, upon the interpretation of the LGPD and matters omitted in its redaction
  • Supervise and apply sanctions in the event of data processing performed in violation of the legislation
  • Implement simplified mechanisms for recording complaints about the processing of personal data in violation of the LGPD

In addition, the ANPD Council is responsible for, among other functions:

  • Proposing strategic guidelines and allowance for the creation of the National Policy for the Protection of Personal Data and the operation of ANPD
  • Suggesting actions to be carried out by the ANPD
  • Preparing studies and conducting public debates and hearings about the protection of personal data

Since the ANPD started its operations, several actions have already been implemented to protect personal data, including:

  • Determining the procedures regarding the inspection and application of administrative sanctions
  • Providing specific regulation regarding small-sized data processing agents
  • Publishing guidelines regarding cookie policy and banner
  • Opening public consultation regarding international transfers
  • Publishing guidance on reporting a security incident with personal data and its assessment to the ANPD
  • Explaining availability of a claim by the data subject against controller
  • Providing educational materials on data protection, such as (1) guidelines for defining personal data processing agents and the DPO, (2) how consumers should protect their personal data, and (3) information security for small processing agents.

However, there are still several provisions of the LGPD requiring further regulation and interpretation by the ANPD, which stakeholders should monitor for future compliance.

Last modified 28 Jan 2024
Registration

There is currently no requirement to register with the National Data Protection Authority under Brazilian law.

Last modified 28 Jan 2024
Data Protection Officers

The LGPD creates the position of Chief of Data Processing, which is the data protection officer (DPO) in charge of data processing operations. The DPO is responsible for the following:

  • Accepting complaints and communications from data subjects and the National Authority
  • Providing guidance to employees about good practices and carrying out other duties as determined by the controller or set forth in complementary rules

The LGPD provides the National Data Protection Authority the power to further establish supplementary rules concerning the definition and the duties of the DPO, including scenarios in which the appointment of such person may be waived, according to the nature and the size of the entity or the volume of data processing operations.

Currently, with the exception mentioned below, every company, public or private, should appoint a DPO. This general obligation extends to all types of activities and volumes of data processing subject to the LGPD (as set out in the “Guidance on Processing Agents and DPO” published by ANPD in May 2021). In any case, all companies should monitor this space for future guidance. On December 23, 2022, the ANPD published updated breach guidelines, which require companies to provide the DPO’s nomination declaration as a necessary document to report any breaches. Therefore, although is not expressly required by the LGPD, it must practically be considered as essential and necessary documentation.

On August 30, 2021, the ANPD issued a Public Consultation related to a Resolution with special rules on the application of the LGPD to small businesses, startups, and innovative companies, as defined by the law, except for those performing data processing activities which incur in high risks for data subjects.1  As a result, on January 28, 2022, the ANPD published Regulation CD/ANPD 02/2022, which establishes simpler obligations for small businesses, including an exception to nominate a DPO.

There is no prohibition against companies using an external DPO or against DPOs performing the same function for more than one company simultaneously. Likewise, the LGPD does not distinguish whether the DPO must be an individual or a legal entity.

Due to the absence of legal or regulatory requirements, there is no need to communicate or record the identity and contact information of the DPO with the ANPD.

Footnotes

FN 1:

The following entities are considered Small-Sized Processing Agents:

  • micro-enterprises and small size businesses, as defined by Art. 41, Law No 14,195/2021
  • entrepreneur, as defined by the Civil Code No 10,406/2002
  • start-ups, as defined by Law No 182/2021
  • non-profits organizations
  • natural persons and depersonalized private entities who carry out treatment of personal data, assuming typical controller or operator obligations.

Small-Sized Processing Agents must not earn gross revenue higher than BRL 4.800.000,00, or, in the case of start-ups BRL 16.000.000,00, nor belong to an economic group whose global revenue exceeds the limits, as defined by the corresponding laws or perform high-risk processing. According to the Regulation, a high-risk data processing activity meets at least one general and one specific criteria among those listed in the Regulation. General criteria are: (i) processing of personal data in large scale; and (ii) processing of personal data which may significantly affect the data subjects’ interests and fundamental rights, while specific criteria is (i) use of emerging or innovative technologies; (ii) vigilance or control of public accessible areas; (iii) decisions made exclusively with basis on automated data processing; and (iv) use of sensitive data or personal data belonging to children, adolescents and elderly people. 

Last modified 28 Jan 2024
Collection & Processing

Under the LGPD, collecting and processing are referred to as "data treatment", and defined as all operations carried out with personal data, such as:

  • Collection
  • Production
  • Reception
  • Classification
  • Utilization
  • Access
  • Reproduction
  • Transmission
  • Distribution
  • Processing
  • Filing
  • Storage
  • Elimination
  • Evaluation
  • Control
  • Modification
  • Communication
  • Transfer
  • Diffusion, or
  • Extraction

The processing of personal data may only be carried out based on one of the following legal bases:

  • With data subject consent
  • To comply with a legal or regulatory obligation by the controller
  • By the public administration, for the processing and shared use of data which are necessary for the execution of public policies provided in laws or regulations or contracts, agreements or similar instruments
  • For carrying out studies by research entities, ensuring, whenever possible, the anonymization of personal data
  • For the execution of a contract or preliminary procedures related to a contract to which the data subject is a party
  • For the regular exercise of rights in judicial, administrative or arbitration procedures
  • As necessary for the protection of life or physical safety of the data subject or a third party
  • For the protection of health, exclusively, in a procedure carried out by health professionals, health services or sanitary authorities
  • To fulfill the legitimate interests of the controller or a third party, except in the case of prevailing the fundamental rights and freedoms of the data subject, and
  • For the protection of credit

Notwithstanding the above, personal data processing must be carried out in good faith and based on the following principles:

  • Purpose
  • Suitability
  • Necessity
  • Free access
  • Quality of the data
  • Transparency
  • Security
  • Prevention
  • Nondiscrimination, and
  • Accountability

As for the processing of sensitive personal data, the processing can only occur when the data subject or their legal representative consents specifically and in highlight, for specific purposes; or, without consent, under the following situations:

  • As necessary for the controller’s compliance with a legal or regulatory obligation
  • Shared data processed as necessary for the execution of public policies provided in laws or regulations by the public administration
  • For carrying out studies by research entities, ensuring, whenever possible, the anonymization of personal data
  • For the regular exercise of rights, including in a contract or in a judicial, administrative or arbitration procedure
  • Where necessary for the protection of life or physical safety of the data subject or a third party
  • The protection of health, exclusively, in a procedure performed by health professionals, health services or sanitary authorities, or
  • To prevent fraud and protect the safety of the data subject

The controller and operator must keep records of the data processing operations they carry out, mainly when the processing is based on a legitimate interest.

In this sense, the ANPD may determine that the controller must prepare an Impact Report on Protection of Personal Data, including sensitive data, referring to its data processing operations, pursuant to regulations, subject to commercial and industrial secrecy. The report must contain at least a description of the types of data collected, the methodology used for collection and for ensuring the security of the information, and the analysis of the controller regarding the adopted measures, safeguards and mechanisms of risk mitigation.

On January 28, 2022, the ANPD published Regulation CD/ANPD 02/2022, which provides special rules on the application of the LGPD to small businesses, startups, and innovative companies, as defined by the law, except to those performing data processing activities which incur in high risks for data subjects.1 This Regulation includes certain exemptions and flexibilities, reducing obligations under the law.  For example a simplified template of records of data processing activities, which will be made available by the ANPD.

Footnotes

FN 1: 

The following entities are considered Small-Sized Processing Agents:

  • micro-enterprises and small size businesses, as defined by Art. 41, Law No 14,195/2021
  • entrepreneur, as defined by the Civil Code No 10,406/2002
  • start-ups, as defined by Law No 182/2021
  • non-profits organizations
  • natural persons and depersonalized private entities who carry out treatment of personal data, assuming typical controller or operator obligations.

Small-Sized Processing Agents must not earn gross revenue higher than BRL 4.800.000,00, or, in the case of start-ups BRL 16.000.000,00, nor belong to an economic group whose global revenue exceeds the limits, as defined by the corresponding laws or perform high-risk processing. According to the Regulation, a high-risk data processing activity meets at least one general and one specific criteria among those listed in the Regulation. A general criteria is (i) processing of personal data in large scale; and (ii) processing of personal data which may significantly affect the data subjects’ interests and fundamental rights, while specific criteria is (i) use of emerging or innovative technologies; (ii) vigilance or control of public accessible areas; (iii) decisions made exclusively with basis on automated data processing; and (iv) use of sensitive data or personal data belonging to children, adolescents and elderly people. 

Last modified 28 Jan 2024
Transfer

The transfer of personal data to other jurisdictions is allowed only subject to compliance with the requirements of the LGPD. Prior specific and informed consent is needed for such transfer, unless:

  • The transfer is to countries or international organizations with an adequate level of protection of personal data
  • There are adequate guarantees of compliance with the principles and rights of data subject provided by LGPD, in the form of
    • Specific contractual clauses for a given transfer
    • Standard contractual clauses
    • Global corporate norms, or
    • Regularly issued stamps, certificates and codes of conduct
  • The transfer is necessary for international legal cooperation between public intelligence, investigative and prosecutorial agencies
  • The transfer is necessary to protect the life or physical safety of the data subject or a third party
  • The ANPD has provided authorization
  • The transfer is subject to a commitment undertaken through international cooperation
  • The transfer is necessary for the execution of a public policy or legal attribution of public service
  • The transfer is necessary for compliance with a legal or regulatory obligation, execution of a contract or preliminary procedures related to a contract, or the regular exercise of rights in judicial, administrative or arbitration procedures

On May 05, 2022, ANPD opened a public consultation regarding international transfers regulation. However, such regulation is pending but expected to be published sometime in 2023.

Last modified 28 Jan 2024
Security

Controllers and processors must adopt technical and administrative security measures designed to protect personal data from:

  • Unauthorized accesses, and
  • Accidental or unlawful situations of:
    • Destruction
    • Loss
    • Alteration
    • Communication, or
    • Any improper or unlawful processing

The LGPD grants the ANPD authority to establish minimum technical standards for companies to implement.

On 4 October 2021, the ANPD launched information security guidelines aimed at small data processing agents (such as microenterprises, small businesses, and startups) to assist them with good practices in implementing technical and administrative information security measures for the protection of personal data. The guidelines also contain a checklist to facilitate the visualization of suggestions, such as awareness and training programs, agreements management, access controls, data storage guidelines, and vulnerability management.

On November 04, 2022, the ANPD published its Regulatory Agenda for 2023/2024 and made the regulation of technical and administrative security measures a priority for the period, determining the start of the regulation procedures until the beginning of 2024.

The Brazilian Internet Act further establishes that service providers, networks and applications providers should keep access records (such as IP addresses and logins) confidential and in a secured and controlled environment. Guidelines issued under the Internet Act established guidelines on appropriate security controls, including:

  • Strict control on data access by defining the liability of persons who will have the possibility of access and exclusive access privileges to certain users
  • Prospective of authentication mechanisms for records access, using, for example, dual authentication systems to ensure individualization of the controller records
  • Creation of detailed inventory of access to connection records and access to applications containing the time, duration, the identity of the employee or the responsible person for the access designated by the company and the accessed file
  • Use of records management techniques that ensure the inviolability of data, such as encryption or equivalent protective measures
Last modified 28 Jan 2024
Breach Notification

According to the LGPD, any unauthorized accesses and from accidental or unlawful situations of destruction, loss, alteration, communication or diffusion is considered a breach. The controller is responsible for reporting to ANPD and the data subject within a reasonable timeframe if the breach is likely to result in risk or harm to data subjects. The LGPD itself does not set a specific deadline for notifying the ANPD in the event of security incidents. However, according to guidance published by the National Authority on February 22, 2021, the communication must be made within two (2) working days, counted from the date of receiving knowledge of the incident.

In addition, according to these guidelines, the company or person responsible for the data must internally assess the incident and ascertain the nature, category, and number of data subjects affected. 

On December 23, 2022, the ANPD published updated breach guidelines, which include additional recommendations (as further specified below) as well as an updated breach reporting form, which must be used for regulator notification if notification is required under the law.  In the event of significant risk or damage to data subjects, individuals may need to be notified as well.  Notification may be submitted by the Controller’s DPO or the legal representative, with the corresponding nomination documentation or power of attorney.

The notice must contain, at least, the following key information:

  • Description of the nature of the affected personal data
  • Information regarding the data subjects involved
  • Indication of the security measures used
  • The risks generated by the incident
  • The reasons for a delay in communication (if any)
  • The measures that were or will be adopted
  • Information regarding the communication to the affected data subjects

Additionally, the ANPD must verify the seriousness of the incident and may, if necessary to safeguard the data subject's rights, order the controller to adopt measures, such as the broad disclosure of the event in communications media, as well as measures to reverse or mitigate the effects of the incident.

The updated guidelines indicate that an unjustified delay in reporting a security incident that could cause significant risk or damage to data subjects may subject agents to the administrative sanctions provided under the LGPD. In case the Controller is unable to provide a complete breach notification within the two (2) working days period, the Controller must submit a preliminary notice with the corresponding justification. The preliminary notice must be supplemented as soon as possible and, at the latest, within 30 calendar days.

Although it is not necessary to provide the list of affected data subjects to the ANPD, the ANPD may request the Controller, at any time, to present a copy of the notice to the data subjects regarding the breach. Such notice to the data subject must be made individually, whenever possible, and can be carried out by any means, such as e-mail, letter or electronic message.

An additional recommendation, which is not legally required, is to implement contractual clauses establishing the obligations regarding notification of breaches between controllers and processors, seeking to expedite the assessment and minimize the risks to the data subjects.

On January 28, 2022, the ANPD published Regulation CD/ANPD 02/2022 which grants to small businesses, startups, and innovative companies, as defined by the law, except to those performing data processing activities which incur in high risks for data subjects the double deadline extension in the communication of security incidents, as well  responding to data subjects’ requests, for communicating severe security incidents to the ANPD and affected data subjects, and for responding to ANPD’s requests.

Last modified 28 Jan 2024
Enforcement

The LGPD provides for penalties in case of violations its provisions. Data processing agents that commit infractions can be subject to administrative sanctions, in a gradual, single or cumulative manner, including a fine, simple or daily, of up to 2% of the revenues of a private legal entity, group or conglomerate in Brazil, up to a total maximum of R$50 million per infraction.

Other sanctions can include:

  • Warning
  • Publicizing of the violation
  • Blocking the personal data to which the infraction refers to until its regularization
  • Deletion of the personal data to which the infraction refers
  • Partial suspension of the database operation to which the infringement refers for a maximum period of six (6) months, extendable for the same period, until the processing activity is corrected by the controller;
  • Suspension of the personal data processing activity to which the infringement refers for a maximum period of six (6) months, extendable for the same period;
  • Partial or total prohibition of activities related to data processing.

Although the LGPD became effective September 18, 2020, the penalties provided by the law were only enforceable from August 1, 2021. In addition, the ANPD is now in operation and, on October 29, 2021, published the Regulation of the Inspection Process and the Sanctioning Administrative Process, which establishes the procedures applicable to ANPD’s inspection process and the rules to be observed during the administrative sanctioning process. However, it is still pending further instructions relating to the parameters of calculation of such penalties, which are expected to be regulated until the end of 2023. Because the ANPD has not imposed sanctions regarding violations to the LGPD yet, the level of enforcement activity is still uncertain.

Public authorities (such as consumer protection bodies and public prosecutors) are already monitoring data protection matters and applying penalties based on the LGPD obligations and other applicable laws. Additionally, data subjects may file lawsuits if any of the rights provided by the LGPD are violated. Under the law, a controller or processor that causes material, moral, individual, or collective damage to others is liable to individuals for such damages, including through a class action.

Exceptions to the obligation to remedy a violation exist only if:

  • The agent (ie, controller or the processor) did not carry out the data processing
  • There was no violation of the data protection legislation in the processing, or
  • The damage arises due to exclusive fault of the data subject or a third party
Last modified 28 Jan 2024
Electronic Marketing

Brazil has no specific law regulating electronic marketing communications. However, it is important to point out that, according to the LGPD, all processing of consumers’ personal data (which includes the collection, storage, and sending of marketing communications) can only occur upon the appropriate legal basis for such purpose. Under this scenario, two available legal bases could be used, depending on the analysis of the concrete case: (1) the data subject’s consent, or (2) the controller’s legitimate interest.

Despite the lack of a specific statute, general provisions on privacy and intimacy rights, as well as consumer protection rights, also apply to electronic marketing. Therefore, the sender should immediately cease sending any electronic marketing if the consumer requests (i.e., offering an opt-out option to electronic marketing).

Last modified 28 Jan 2024
Online Privacy

The Brazilian Internet Act has several provisions concerning the storage, use, disclosure, and other processing of data collected on the Internet. The established rights of privacy, intimacy, and consumer rights apply equally to electronic media, such as mobile devices and the Internet. Violations of these rights may also be subject to civil enforcement.

Furthermore, as explained in prior sections, identifiable data are also encompassed under the scope of protection of the LGPD. Thus, if cookies and location data are associated with a natural person, their collection should also observe the same obligations provided by the Brazilian data protection law. However, the obligation does not apply to anonymized data, which is not considered personal data under the LGPD unless the process of anonymization has been reversed or can be reversed using reasonable efforts.

That said, a proper legal basis is needed when using cookies and similar technologies that involve the processing of a user’s personal data from (e.g., the information is linked or linkable to a particular user, IP address, a device, or other particular identifier). Under this scenario, two available legal bases could be used, depending on the analysis of the concrete case: the data subject’s consent or the controller’s legitimate interest (in the case of essential cookies, for example).

On October, 2022, the ANPD published Cookie Guidelines establishing recommendations for cookie policy disclosures, such as to inform the categories of relevant cookies, their purposes, retention periods and whether the data collected through cookies is shared. Such disclosures must be provided to the data subject in a simplified and understandable format and manner. Further, the guidelines require collection of affirmative opt-in consent, for example through cookie banners, and provide the data subject with the possibility to reject the cookies at that time and revoke consent at any time later on.  

Last modified 28 Jan 2024
Contacts
Paula Mena Barreto
Paula Mena Barreto
Partner
Campos Mello Advogados
T +55 21 3262 3028
Last modified 28 Jan 2024