DLA Piper Intelligence

Data Protection Laws of the World

Law

Brazil

Brazil recently enacted the Brazilian General Data Protection Law (LGPD), Federal Law no. 13,709/2018, published on August 15, 2018. The LGPD is Brazil’s first comprehensive data protection regulation and is largely aligned with the EU General Data Protection Regulation (GDPR).

On December 28, 2018, Provisional Measure no. 869/2018 was published, amending certain LGPD provisions and creating the National Data Protection Authority (ANPD). Among other modifications, it postponed the LGPD's entry into full force to August 2020, rather than February 2020 as originally provided when the LGPD was first published.

Prior to the LGPD, data privacy regulation in Brazil consisted of various provisions spread across Brazilian legislation. One example is Federal Law no. 12,965/2014 and its regulating Decree no. 8,771/16 (together, the Brazilian Internet Act), which impose requirements on security and the processing of personal data, other obligations on Internet service, connection and application providers, and rights of Internet users.

General provisions and principles applicable to data protection are also found in:

  • The Federal Constitution
  • The Brazilian Civil Code, and
  • Laws and regulations that address
    • Particular types of relationships (eg, Consumer Protection Code [1] and employment laws)
    • Particular sectors (eg, financial institutions, health industry, or telecommunications), and
    • Particular professional activities (eg, medicine and law)

Additionally, there are laws on the treatment and safeguarding of documents and information handled by governmental entities and public bodies.

The LGPD applies to any processing operation carried out by a natural person or a legal entity, whether governed by public or private law, irrespective of the means used for the processing, the country where the entity's headquarters are located or the country where the data are located, provided that:

  • The processing operation is carried out in Brazil
  • The processing activity has the purpose of offering or providing goods or services to, or processing the data of, individuals located in Brazil, or
  • The personal data was collected in Brazil

On the other hand, the law does not apply to the processing of personal data which is:

  • Carried out by a natural person exclusively for private and non-economic purposes
  • Performed for journalistic, artistic or academic purposes
  • Carried out for purposes of public safety, national security and defense or the investigation and prosecution of criminal offenses (which will be the subject of a specific law), or
  • Originating outside the Brazilian territory and not the object of communication, shared use with Brazilian processing agents, or international transfer to a country other than the country of origin, provided that the country of origin offers a level of personal data protection adequate to that established by Brazilian law

Footnotes

  1. Due to a broad interpretation established in case law, practically every Internet user is considered a 'consumer' for consumer protection purposes.
Last modified 28 Jan 2019
Definitions

Definition of personal data

The LGPD defines personal data as any information related to an identified or identifiable natural person.

Anonymized data is not considered personal data, except when the anonymization process has been reversed or can be reversed with reasonable effort.
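The "reasonable effort" caveat is the one practitioners most often get wrong: replacing an identifier with an unsalted hash is not anonymization when the identifier space is small enough to enumerate. The following Python example is added here and is not part of the DLA Piper page. It shows a CPF column "anonymized" with plain SHA-256 being reversed by enumerating a block of the CPF space (the check-digit rule is the standard CPF mod-11 algorithm; the CPF values, the search block and the key are constructed for the example), and contrasts it with a keyed pseudonym that only the key holder can reverse.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Set


def cpf_check_digits(base: str) -> str:
    """Standard CPF mod-11 rule: two check digits over a 9-digit base.
    The first digit uses weights 10..2; the second uses 11..2 and includes the first."""
    digits = [int(c) for c in base]
    for first_weight in (10, 11):
        total = sum(d * w for d, w in zip(digits, range(first_weight, 1, -1)))
        remainder = total % 11
        digits.append(0 if remainder < 2 else 11 - remainder)
    return "".join(str(d) for d in digits[9:])


def naive_anonymize(identifier: str) -> str:
    """Unsalted SHA-256 of the identifier. Deterministic and keyless, so anyone
    who can enumerate plausible identifiers can rebuild the mapping."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def reidentify_cpfs(released_hashes: Set[str], base_range: range) -> Dict[str, str]:
    """Dictionary attack over a block of the CPF space. There are only 10**9 valid
    CPFs in total, so the whole space is seconds of work on commodity hardware;
    the small block used here just keeps the example fast."""
    recovered: Dict[str, str] = {}
    for n in base_range:
        base = f"{n:09d}"
        cpf = base + cpf_check_digits(base)
        digest = naive_anonymize(cpf)
        if digest in released_hashes:
            recovered[digest] = cpf
    return recovered


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256. Without the key the dictionary attack above fails; the
    controller holding the key can still reverse it, so for the controller this
    is pseudonymized data, not anonymized data."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


# Constructed sample: two CPFs with valid check digits (not real people) whose
# column was replaced by unsalted hashes before the dataset was shared.
SAMPLE_CPFS = ["52998224725", "11144477735"]
SEARCH_BLOCK = range(529_982_000, 529_983_000)  # constructed 1,000-CPF block


def demo_reidentification() -> Dict[str, str]:
    """Attacker side: hash every CPF in the block and match against the release."""
    released = {naive_anonymize(c) for c in SAMPLE_CPFS}
    return reidentify_cpfs(released, SEARCH_BLOCK)


def demo_keyed_pseudonyms_resist_dictionary() -> bool:
    """The same search against HMAC pseudonyms under a fresh key recovers nothing."""
    key = secrets.token_bytes(32)  # constructed for the example; never ship the key with the data
    released = {pseudonymize(c, key) for c in SAMPLE_CPFS}
    return reidentify_cpfs(released, SEARCH_BLOCK) == {}


if __name__ == "__main__":
    print(demo_reidentification())
    print(demo_keyed_pseudonyms_resist_dictionary())
```

The first demo recovers the CPF that falls inside the searched block; a real attacker searches all of them. The second shows why a secret key changes the picture, but only for parties who do not hold it: the controller can still re-identify, so the data remains personal data in its hands and the LGPD obligations continue to apply.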

Definition of sensitive personal data

Sensitive personal data is defined as any personal data concerning:

  • Racial or ethnic origin
  • Religious belief
  • Political opinion
  • Trade union, religious, philosophical or political organization membership
  • Health or sex life
  • Genetic or biometric data
Last modified 28 Jan 2019
Authority

The LGPD (as amended) established the National Data Protection Authority (ANPD), which will be composed of:

  • A board of directors
  • A national council (Council)
  • An inspection body
  • An ombudsman body
  • Its own legal advisory body, and
  • Administrative and specialized units for the enforcement of the LGPD

The ANPD will have the authority to issue sanctions for violations of the LGPD and, among other things, to:

  • Oversee the protection of personal data
  • Issue regulations and procedures related to personal data protection
  • Deliberate, at the administrative level, on the interpretation of the LGPD and on matters it does not expressly address
  • Supervise and apply sanctions in the event of data processing performed in violation of the legislation
  • Implement simplified mechanisms for recording complaints about the processing of personal data in violation of the LGPD
  • Request information, at any time, from controllers and processors that carry out personal data processing operations

In addition, the ANPD's National Council will be responsible for, among other functions:

  • Proposing strategic guidelines for the National Policy for the Protection of Personal Data
  • Suggesting actions to be carried out by the ANPD
  • Preparing studies and conducting public debates and hearings on the protection of personal data
Last modified 28 Jan 2019
Registration

There is currently no requirement to register with the National Authority under Brazilian law.

Last modified 28 Jan 2019
Data Protection Officers

The LGPD creates the position of Chief of Data Treatment (encarregado), which is the data protection officer (DPO) in charge of the controller's data processing operations. The DPO will be responsible for the following:

  • Receiving complaints and communications from data subjects and the National Authority
  • Advising employees on good practices and carrying out other duties determined by the controller or set forth in complementary rules

The LGPD provides that the National Authority may further establish complementary rules about the definition and the duties of the DPO, including scenarios in which the appointment of such person may be waived, according to the nature and the size of the entity or the volume of data processing operations.

Last modified 28 Jan 2019
Collection & Processing

Under the LGPD, collection and processing are referred to collectively as data treatment, defined as any operation carried out with personal data, such as:

  • Collection
  • Production
  • Reception
  • Classification
  • Utilization
  • Access
  • Reproduction
  • Transmission
  • Distribution
  • Processing
  • Filing
  • Storage
  • Elimination
  • Evaluation
  • Control
  • Modification
  • Communication
  • Transfer
  • Diffusion, or
  • Extraction

The treatment of personal data may only be carried out based on one of the following legal bases, which largely align to the GDPR:

  • With data subject consent
  • To comply with a legal or regulatory obligation by the controller
  • By the public administration, for the processing and shared use of data which are necessary for the execution of public policies provided in laws or regulations or contracts, agreements or similar instruments
  • For carrying out studies by research entities, ensuring, whenever possible, the anonymization of personal data
  • For the execution of a contract or preliminary procedures related to a contract of which the data subject is a party
  • For the regular exercise of rights in judicial, administrative or arbitration procedures
  • As necessary for the protection of life or physical safety of the data subject or a third party
  • For the protection of health, in a procedure carried out by health professionals or by health entities
  • To fulfill the legitimate interests of the controller or a third party, and
  • For the protection of credit

Notwithstanding the above, personal data processing must be carried out in good faith and observe the following principles:

  • Purpose
  • Suitability
  • Necessity
  • Free access
  • Quality of the data
  • Transparency
  • Security
  • Prevention
  • Nondiscrimination, and
  • Accountability

Sensitive personal data may be processed only where the data subject or his or her legal representative gives specific and prominent consent for specific purposes, or, without consent, in the following situations:

  • As necessary for the controller’s compliance with a legal or regulatory obligation
  • Shared data processed as necessary for the execution of public policies provided in laws or regulations
  • For studies carried out by a research entity
  • For the regular exercise of rights, including in a contract or in a judicial, administrative and arbitration procedure
  • Where necessary for the protection of life or physical safety of the data subject or a third party
  • The protection of health, in a procedure carried out by health professionals or health entities, or
  • Ensuring the prevention of fraud and the safety of the data subject

The controller and the processor must keep records of the data treatment operations they carry out, especially when the processing is based on legitimate interest.

Furthermore, the ANPD may require the controller to prepare a Data Protection Impact Report (including for sensitive data) on its processing operations, pursuant to regulations and subject to commercial and industrial secrecy. The report must contain at least a description of the types of data collected, the methodology used for collection and for ensuring the security of the information, and the controller's analysis of the measures, safeguards and risk-mitigation mechanisms adopted.

Last modified 28 Jan 2019
Transfer

Personal data may be transferred to other jurisdictions only in compliance with the requirements of the LGPD. In addition, prior consent is needed for such a transfer, unless:

  • The transfer is to countries or international organizations with an adequate level of protection of personal data
  • There are adequate guarantees of compliance with the principles and data subject rights provided by the LGPD, in the form of
    • Specific contractual clauses for a given transfer
    • Standard contractual clauses
    • Global corporate norms, or
    • Regularly issued stamps, certificates and codes of conduct
  • The transfer is necessary for international legal cooperation between public intelligence, investigative and prosecutorial agencies
  • The transfer is necessary to protect the life or physical safety of the data subject or of a third party
  • Authorization has been provided by the ANPD
  • The transfer is subject to a commitment undertaken through international cooperation
  • The transfer is necessary for the execution of a public policy or legal attribution of public service
  • The transfer is necessary for compliance with a legal or regulatory obligation, execution of a contract or preliminary procedures related to a contract, or the regular exercise of rights in judicial, administrative or arbitration procedures
Last modified 28 Jan 2019
Security

Controllers and processors must adopt security, technical and administrative measures able to protect personal data from:

  • Unauthorized accesses, and
  • Accidental or unlawful situations of:
    • Destruction
    • Loss
    • Alteration
    • Communication, or
    • Any type of improper or unlawful processing

The LGPD grants the ANPD authority to establish minimum technical standards that must be implemented.

The Brazilian Internet Act further establishes that Internet service, connection and application providers must keep access records (such as IP addresses and logins) confidential, in a secure and controlled environment. The Decree regulating the Internet Act sets out guidelines on appropriate security controls, including:

  • Strict control over data access, defining the responsibilities of the persons who will have access and granting access privileges exclusively to specific users
  • Authentication mechanisms for access to the records, for example two-factor authentication, so that each access can be attributed to the individual responsible for handling the records
  • A detailed inventory of accesses to connection records and application access records, containing the time and duration of each access, the identity of the employee or person designated by the company as responsible for the access, and the file accessed
  • Records management techniques that ensure the integrity and confidentiality of the data, such as encryption or equivalent protective measures
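The last two guidelines (an inventory of who accessed which record, when and for how long, and techniques that keep the records tamper-evident) are usually implemented together. The Python example below is added here and is not from the DLA Piper page or the Decree; it keeps such an inventory as an HMAC hash chain, so an entry cannot be altered or removed from the middle of the log without detection. The user names, file paths, timestamps and key are constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple


class AccessLog:
    """Append-only inventory of accesses to connection/application records.

    Each entry is authenticated with HMAC-SHA256 over (previous tag || entry), so
    the tags form a chain: altering or deleting any entry breaks every later tag.
    The key must be held by the verifier (an HSM or a separate audit service),
    not by the accounts that write entries, or an insider can simply re-chain."""

    GENESIS = b"\x00" * 32  # previous-tag value for the first entry

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.entries: List[Tuple[dict, bytes]] = []  # (record, tag)

    def _tag(self, prev_tag: bytes, record: dict) -> bytes:
        # Canonical JSON so the same record always authenticates the same way.
        payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, prev_tag + payload, hashlib.sha256).digest()

    def append(self, accessed_by: str, accessed_file: str, started: datetime,
               duration_s: int, purpose: str) -> str:
        """Record one access: who, which file, when, for how long, and why."""
        record = {
            "seq": len(self.entries),
            "time": started.astimezone(timezone.utc).isoformat(),
            "duration_s": duration_s,
            "accessed_by": accessed_by,
            "file": accessed_file,
            "purpose": purpose,
        }
        prev = self.entries[-1][1] if self.entries else self.GENESIS
        tag = self._tag(prev, record)
        self.entries.append((record, tag))
        return tag.hex()

    def head(self) -> str:
        """Latest tag. Copy it to a separately controlled store after each append;
        comparing against that copy is what detects truncation of the tail,
        which the chain alone cannot see."""
        return (self.entries[-1][1] if self.entries else self.GENESIS).hex()

    def verify(self) -> Tuple[bool, int]:
        """Recompute the whole chain. Returns (ok, index of first bad entry or -1)."""
        prev = self.GENESIS
        for i, (record, tag) in enumerate(self.entries):
            if record.get("seq") != i or not hmac.compare_digest(self._tag(prev, record), tag):
                return False, i
            prev = tag
        return True, -1


def demo() -> Dict[str, Tuple[bool, int]]:
    """Constructed scenario: three accesses, then an insider edits one and deletes one."""
    key = b"constructed-demo-key-do-not-reuse"  # real deployments: from a KMS/HSM
    log = AccessLog(key)
    t0 = datetime(2019, 1, 28, 9, 0, tzinfo=timezone.utc)
    log.append("m.silva", "conn_records/2019-01-27.log", t0, 45, "incident investigation")
    log.append("j.pereira", "app_access/2019-01-27.log", t0 + timedelta(minutes=5), 120, "court order")
    log.append("m.silva", "conn_records/2019-01-28.log", t0 + timedelta(hours=1), 30, "incident investigation")
    results = {"intact": log.verify()}

    # Alteration: rewrite who performed the second access; its tag no longer matches.
    log.entries[1][0]["accessed_by"] = "svc_backup"
    results["altered"] = log.verify()
    log.entries[1][0]["accessed_by"] = "j.pereira"  # restore

    # Deletion: drop the second access; the third entry's seq and chain link no longer fit.
    del log.entries[1]
    results["deleted"] = log.verify()
    return results


if __name__ == "__main__":
    for name, (ok, bad_index) in demo().items():
        print(f"{name}: ok={ok} first_bad_entry={bad_index}")
```

Two design points matter in practice. First, the chain only proves integrity relative to the key holder, so the key (or a signing key, if non-repudiation is needed) must live outside the systems whose operators are being audited. Second, removing entries from the end leaves a valid shorter chain; forwarding the current head to a SIEM or write-once store after every append closes that gap.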
Last modified 28 Jan 2019
Breach Notification

The controller must report to the ANPD and to the data subjects, within a reasonable period (to be further defined by the ANPD), any security incident that is likely to result in risk or harm to data subjects.

The notice must contain, at least, the following:

  • Description of the nature of the affected personal data
  • Information regarding the data subjects involved
  • Indication of the security measures used
  • The risks generated by the incident
  • The reasons for delay of communication (if any)
  • The measures that were or will be adopted

Additionally, the ANPD shall assess the seriousness of the incident and may, if necessary to safeguard data subjects' rights, order the controller to adopt measures such as broad disclosure of the event in the media, as well as measures to reverse or mitigate the effects of the incident.

Last modified 28 Jan 2019
Enforcement

The LGPD provides for penalties in case of violation of its provisions. Data processing agents that commit infractions may be subject to administrative sanctions, applied gradually, singly or cumulatively, including a fine, simple or daily, of up to 2% of the revenues of the private legal entity, group or conglomerate in Brazil, up to a total maximum of R$50 million per infraction.

Other sanctions can include:

  • Warning
  • Publicizing of the violation
  • Blocking of the personal data to which the infraction refers until it is regularized
  • Deletion of the personal data to which the infraction refers

Until the LGPD takes effect, the level of enforcement by the ANPD is uncertain. A controller or processor that causes material, moral, individual or collective damage to others is liable to the affected individuals for such damages, including through a class action.

The obligation to compensate does not apply only if:

  • The agent (ie, the controller or the processor) did not carry out the data processing
  • There was no violation of the data protection legislation in the processing, or
  • The damage arises due to exclusive fault of the data subject or a third party
Last modified 28 Jan 2019
Electronic Marketing

The LGPD does not specifically address electronic marketing and Brazil has no other specific legislation in this regard.

Obtaining opt-in consent from consumers prior to sending marketing emails is recommended. However, according to the 'Brazilian Code of Best Practice of Marketing E-mail', a soft opt-in is also possible where there is a prior and verifiable commercial or social relationship with the user. In this case, the sender must:

  • Send the message from an email address linked to the company’s domain name (where the company has a prior commercial relationship with the recipient)
  • Keep the subject of the message related to its content, and
  • Offer an opt-out to the user, preferably within the message itself

Despite the lack of a specific statute, general provisions on privacy and intimacy rights, as well as consumer protection rights, also apply to electronic marketing; thus, the sender must immediately stop sending any electronic marketing if so requested by the consumer.

Last modified 28 Jan 2019
Online Privacy

The Brazilian Internet Act has several provisions concerning the storage, use, disclosure and other treatment of data collected on the Internet. The established rights of privacy, intimacy and consumer protection also apply equally to electronic media, such as mobile devices and the Internet, so violations of these rights may be subject to civil enforcement as well.

Furthermore, as explained in prior sections, identifiable data also fall within the scope of protection of the LGPD. Thus, where cookies and location data are associated with a natural person, their collection must observe the same obligations provided by the Brazilian data protection law. The obligation does not apply, however, to anonymized data, which is not considered personal data under the LGPD unless the anonymization process has been reversed or can be reversed with reasonable effort.

That said, consent to cookies is generally necessary where they involve the collection and handling of a user's personal data (eg, the information is linked or linkable to a particular user, IP address, device or other particular identifier), unless such collection and treatment can be justified under another legal basis set forth by the LGPD (please refer to the prior section on Collection and Processing).

Last modified 28 Jan 2019
Contacts
Paula Mena Barreto
Partner
Campos Mello Advogados
T +55 21 3262 3028
Manoela Quintas Esteves
Associate
Campos Mello Advogados
T +55 21 3262 3042
Last modified 28 Jan 2019