DLA Piper Intelligence

Data Protection
Laws of the World

Transfer

The transfer of personal data to other jurisdictions is allowed only subject to compliance with the requirements of the LGPD. Prior specific and informed consent is needed for such transfer, unless:

  • The transfer is to countries or international organizations with an adequate level of protection of personal data
  • There are adequate guarantees of compliance with the principles and rights of data subject provided by LGPD, in the form of
    • Specific contractual clauses for a given transfer
    • Standard contractual clauses
    • Global corporate norms, or
    • Regularly issued stamps, certificates and codes of conduct
  • The transfer is necessary for international legal cooperation between public intelligence, investigative and prosecutorial agencies
  • The transfer is necessary to protect the life or physical safety of the data subject or a third party
  • The ANPD has provided authorization
  • The transfer is subject to a commitment undertaken through international cooperation
  • The transfer is necessary for the execution of a public policy or legal attribution of public service
  • The transfer is necessary for compliance with a legal or regulatory obligation, execution of a contract or preliminary procedures related to a contract, or the regular exercise of rights in judicial, administrative or arbitration procedures
Last modified 24 Jan 2022
Law
Brazil

After several discussions and postponements, the Brazilian General Data Protection Law (LGPD), Federal Law no. 13,709/2018, entered into force on September 18, 2020. The LGPD is Brazil’s first comprehensive data protection regulation, and it broadly aligns with the EU General Data Protection Act (GDPR).

Although the law has been in force since 2020, the penalties issued by the LGPD only became enforceable on August 1, 2021. However, public authorities (such as consumer protection bodies and public prosecutors) and data subjects could enforce their rights under the LGPD as of September 18, 2020.

Before the enactment of the LGPD, data privacy regulations in Brazil consisted of various provisions spread across Brazilian legislation. For example, Federal Law no. 12,965/2014 and its regulating Decree no. 8,771/16 (together, the Brazilian Internet Act) imposed requirements regarding security and the processing of personal data and other obligations on service providers, networks, and applications providers, and provided rights for Internet users.

The following laws also contain general provisions and principles applicable to data protection:

  • The Federal Constitution
  • The Brazilian Civil Code, and
  • Laws and regulations that address
    • Certain types of relationships (g., Consumer Protection Code [1] and employment laws);
    • Regulated sectors (g., financial institutions, health industry, or telecommunications); and
    • Particular professional activities (g., medicine and law).

Additionally, there are laws that regulate the processing and safeguarding of documents and information handled by governmental entities and public bodies.

The LGPD applies to any processing operation carried out by a natural person or a legal entity (of public or private law), irrespective of (1) the means used for the processing, (2) the country in which its headquarter is located, or (3) the country where the data are located, provided that:

  • The processing operation is carried out in Brazil;
  • The purpose of the processing activity is to offer or provide goods or services, or the processing of data of individuals located in Brazil; or
  • The personal data was collected in Brazil.

On the other hand, the law does not apply to the processing of personal data that is:

  • Carried out by a natural person exclusively for private and non-economic purposes;
  • Performed for journalistic, artistic, or academic purposes;
  • Carried out for purposes of public safety, national security, and defense or activities of investigation and prosecution of criminal offenses (which will be the subject of a specific law);
  • Originated outside the Brazilian territory and are not the object of communication; or
  • Shared data use with Brazilian processing agents or the object of international transfer of data with another country that is not the country of origin, provided that the country of origin offers a level of personal data protection adequate to that established in the Brazilian law.

In addition, on October 20, 2021, the Brazilian Senate unanimously approved the Proposed Amendment to the Constitution (“PEC”) no. 17/2019, which aims to include in the Federal Constitution the protection of personal data, including in digital media, as a fundamental right, and to refer privately to the Union (federal government) the responsibility to legislate on this subject. However, this amendment will only be valid when the National Congress enacts the PEC, which is still pending.

Footnotes

  1. Due to a broad interpretation established in case law, practically every Internet user is considered a 'consumer' for the purposes of the consumer protection.
Last modified 24 Jan 2022
Definitions

Definition of personal data

The LGPD defines personal data as any information related to an identified or identifiable natural person.

Anonymized data is not considered personal data, except when the process of anonymization has been reversed or if it can be reversed applying reasonable efforts.

Definition of sensitive personal data

The LGPD defines sensitive personal data as any personal data concerning:

  • Racial or ethnic origin
  • Religious belief
  • Political opinion
  • Trade union
  • Religious, philosophical or political organization membership
  • Health or sex life
  • Genetic or biometric data
Last modified 24 Jan 2022
Authority

The LGPD established the National Data Protection Authority (ANPD). The ANPD is part of the federal public administration, (pertaining to the Presidency of the Republic), and is given technical and decision-making autonomy with jurisdiction over the Brazilian territory. The ANPD isheadquartered in the Federal District. The legal nature of ANPD is transitory and may be amended by the Public Authority into an entity of the indirect federal public administration, subject to special autarchic regime and linked to the Presidency of the Republic, within two (2) years of its regimental structure coming into force.

 The ANPD is now in operation. Its structuring process started on August 27, 2020, with the publication of Decree No. 10,474/2020, which approved and regulated the regulatory structure of the ANPD, and its board of commissioned positions and nominated trust functions. On November 6, 2020, this Decree entered into force with the appointment of the Director-President and the members of the Board of Directors of the ANPD, after having been approved by the plenary of the Federal Senate. On March 9, 2021, the ANPD’s Internal Regulations were published, establishing the competencies and organization of the National Authority.

The ANPD is composed of:

  • A Board of Directors
  • A national council for Personal Data and Privacy Protection (Council)
  • Bodies of direct and immediate assistance to the Board of Directors (General Secretariat, General Coordination of Administration, General Coordination of Institutional and International Relations)
  • An Internal Affairs Office (inspection body)
  • An ombudsman
  • Its own legal advisory body, and
  • Administrative and specialized units for the enforcement of the LGPD (ie, General Coordination of Standardization; General Coordination of Supervision; and General Coordination of Technology and Research)

The ANPD has the authority to issue sanctions for violations of the LGPD. This sanctions authority came into force on August 1, 2021. In August 2021, the President of the Republic appointed representatives of the National Council for Personal Data and Privacy Protection (Council). The Council contributes to the performance of the ANPD and has the authority to, among other things:

  • Oversee the protection of personal data
  • Issue regulations and procedures related to personal data protection
  • Deliberate, at an administrative level, upon the interpretation of the LGPD and matters omitted in its redaction
  • Supervise and apply sanctions in the event of data processing performed in violation of the legislation
  • Implement simplified mechanisms for recording complaints about the processing of personal data in violation of the LGPD

In addition, the ANPD Council is responsible for, among other functions:

  • Proposing strategic guidelines and allowance for the creation of the National Policy for the Protection of Personal Data and the operation of ANPD
  • Suggesting actions to be carried out by the ANPD
  • Preparing studies and conducting public debates and hearings about the protection of personal data

Since the ANPD started its operations, several actions have already been implemented to protect personal data, including:

  • Publishing guidance on reporting a security incident with personal data and its assessment to the ANPD
  • Explaining availability of a claim by the data subject against controller
  • Providing educational materials on data protection, such as (1) guidelines for defining personal data processing agents and the DPO, (2) how consumers should protect their personal data, and (3) information security for small processing agents.

However, there are still several provisions of the LGPD requiring further regulation and interpretation by the ANPD, which stakeholders should monitor for future compliance.

Last modified 24 Jan 2022
Registration

There is currently no requirement to register with the National Data Protection Authority under Brazilian law.

Last modified 24 Jan 2022
Data Protection Officers

The LGPD creates the position of Chief of Data Processing, which is the data protection officer (DPO) in charge of data processing operations. The DPO is responsible for the following:

  • Accepting complaints and communications from data subjects and the National Authority
  • Providing guidance to employees about good practices and carrying out other duties as determined by the controller or set forth in complementary rules

The LGPD provides the National Data Protection Authority the power to further establish supplementary rules concerning the definition and the duties of the DPO, including scenarios in which the appointment of such person may be waived, according to the nature and the size of the entity or the volume of data processing operations.

Currently, and until the ANPD provides more detailed instructions on the subject, it is assumed that every company (public or private) should appoint a DPO. This general obligation extends to all types of activities and volumes of data processing subject to the LGPD (as set out in the “Guidance on Processing Agents and DPO” published by ANPD in May 2021). In any case, all companies should monitor this space for future guidance.

On August 30, 2021, the ANPD issued a Public Consultation related to a Resolution with special rules on the application of the LGPD to small businesses, startups, and innovative companies. This Resolution includes exemptions and flexibilities, such as the exemption of these companies from appointing a DPO. However, this is still a draft Resolution and needs to be further confirmed and published.

There is no prohibition against companies using an external DPO or against DPOs performing the same function for more than one company simultaneously. Likewise, the LGPD does not distinguish whether the DPO must be an individual or a legal entity.

Due to the absence of legal or regulatory requirements, there is no need to communicate or record the identity and contact information of the DPO with the ANPD.

Last modified 24 Jan 2022
Collection & Processing

Under the LGPD, collection and processing is referred to as "data treatment", and defined as all operations carried out with personal data, such as:

  • Collection
  • Production
  • Reception
  • Classification
  • Utilization
  • Access
  • Reproduction
  • Transmission
  • Distribution
  • Processing
  • Filing
  • Storage
  • Elimination
  • Evaluation
  • Control
  • Modification
  • Communication
  • Transfer
  • Diffusion, or
  • Extraction

The processing of personal data may only be carried out based on one of the following legal bases:

  • With data subject consent
  • To comply with a legal or regulatory obligation by the controller
  • By the public administration, for the processing and shared use of data which are necessary for the execution of public policies provided in laws or regulations or contracts, agreements or similar instruments
  • For carrying out studies by research entities, ensuring, whenever possible, the anonymization of personal data
  • For the execution of a contract or preliminary procedures related to a contract to which the data subject is a party
  • For the regular exercise of rights in judicial, administrative or arbitration procedures
  • As necessary for the protection of life or physical safety of the data subject or a third party
  • For the protection of health, exclusively, in a procedure carried out by health professionals, health services or sanitary authorities
  • To fulfill the legitimate interests of the controller or a third party, except in the case of prevailing the fundamental rights and freedoms of the data subject, and
  • For the protection of credit

Notwithstanding the above, personal data processing must be carried out in good faith and based on the following principles:

  • Purpose
  • Suitability
  • Necessity
  • Free access
  • Quality of the data
  • Transparency
  • Security
  • Prevention
  • Nondiscrimination, and
  • Accountability

As for the processing of sensitive personal data, the processing can only occur when the data subject or their legal representative consents specifically and in highlight, for specific purposes; or, without consent, under the following situations:

  • As necessary for the controller’s compliance with a legal or regulatory obligation
  • Shared data processed as necessary for the execution of public policies provided in laws or regulations by the public administration
  • For carrying out studies by research entities, ensuring, whenever possible, the anonymization of personal data
  • For the regular exercise of rights, including in a contract or in a judicial, administrative or arbitration procedure
  • Where necessary for the protection of life or physical safety of the data subject or a third party
  • The protection of health, exclusively, in a procedure performed by health professionals, health services or sanitary authorities, or
  • To prevent fraud and protect the safety of the data subject

The controller and operator must keep records of the data processing operations they carry out, mainly when the processing is based on a legitimate interest.

In this sense, the ANPD may determine that the controller must prepare an Impact Report on Protection of Personal Data, including sensitive data, referring to its data processing operations, pursuant to regulations, subject to commercial and industrial secrecy. The report must contain at least a description of the types of data collected, the methodology used for collection and for ensuring the security of the information, and the analysis of the controller regarding the adopted measures, safeguards and mechanisms of risk mitigation.

On August 30, 2021, the ANPD issued a Public Consultation related to a Resolution with special rules on the application of the LGPD to small businesses, startups, and innovative companies. This Resolution includes exemptions and flexibilities, such as the exemption of these companies from maintaining records of data processing activities and flexibility in conducting Data Protection Impact Assessments (“DPIA”). However, this is still a draft Resolution, which must be confirmed and published further.

Last modified 24 Jan 2022
Transfer

The transfer of personal data to other jurisdictions is allowed only subject to compliance with the requirements of the LGPD. Prior specific and informed consent is needed for such transfer, unless:

  • The transfer is to countries or international organizations with an adequate level of protection of personal data
  • There are adequate guarantees of compliance with the principles and rights of data subject provided by LGPD, in the form of
    • Specific contractual clauses for a given transfer
    • Standard contractual clauses
    • Global corporate norms, or
    • Regularly issued stamps, certificates and codes of conduct
  • The transfer is necessary for international legal cooperation between public intelligence, investigative and prosecutorial agencies
  • The transfer is necessary to protect the life or physical safety of the data subject or a third party
  • The ANPD has provided authorization
  • The transfer is subject to a commitment undertaken through international cooperation
  • The transfer is necessary for the execution of a public policy or legal attribution of public service
  • The transfer is necessary for compliance with a legal or regulatory obligation, execution of a contract or preliminary procedures related to a contract, or the regular exercise of rights in judicial, administrative or arbitration procedures
Last modified 24 Jan 2022
Security

Controllers and processors must adopt technical and administrative security measures designed to protect personal data from:

  • Unauthorized accesses, and
  • Accidental or unlawful situations of:
    • Destruction
    • Loss
    • Alteration
    • Communication, or
    • Any improper or unlawful processing

The LGPD grants the ANPD authority to establish minimum technical standards for companies to implement.

On 4 October 2021, the ANPD launched information security guidelines aimed at small data processing agents (such as microenterprises, small businesses, and startups) to assist them with good practices in implementing technical and administrative information security measures for the protection of personal data. The guidelines also contain a checklist to facilitate the visualization of suggestions, such as awareness and training programs, agreements management, access controls, data storage guidelines, and vulnerability management.

The Brazilian Internet Act further establishes that service providers, networks and applications providers should keep access records (such as IP addresses and logins) confidential and in a secured and controlled environment. Guidelines issued under the Internet Act established guidelines on appropriate security controls, including:

  • Strict control on data access by defining the liability of persons who will have the possibility of access and exclusive access privileges to certain users
  • Prospective of authentication mechanisms for records access, using, for example, dual authentication systems to ensure individualization of the controller records
  • Creation of detailed inventory of access to connection records and access to applications containing the time, duration, the identity of the employee or the responsible person for the access designated by the company and the accessed file
  • Use of records management techniques that ensure the inviolability of data, such as encryption or equivalent protective measures
Last modified 24 Jan 2022
Breach Notification

The controller must report to ANPD and the data subject within a reasonable timeframe if the breach is likely to result in risk or harm to data subjects. The LGPD itself does not set a specific deadline for notifying the ANPD in the event of security incidents. However, according to guidance published by the National Authority on February 22, 2021, the communication must be made within two (2) working days, counted from the date of receiving knowledge of the incident.

In addition, according to this guideline, the company or person responsible for the data must internally assess the incident and ascertain the nature, category, and number of data subjects affected. The National Authority must also be communicated in the event of relevant risk or damage to data subjects, using a form available on the ANPD’s page.

The notice must contain, at least, the following:

  • Description of the nature of the affected personal data
  • Information regarding the data subjects involved
  • Indication of the security measures used
  • The risks generated by the incident
  • The reasons for a delay in communication (if any)
  • The measures that were or will be adopted

Additionally, the ANPD must verify the seriousness of the incident and may, if necessary to safeguard the data subject's rights, order the controller to adopt measures, such as the broad disclosure of the event in communications media, as well as measures to reverse or mitigate the effects of the incident.

On August 30, 2021, the ANPD issued a Public Consultation related to a Resolution with special rules on the application of the LGPD to small businesses, startups, and innovative companies. The Resolution includes exemptions and flexibilities, such as the exemption or flexibility in the communication of security incidents, as well as the flexibility regarding deadlines for responding to data subjects’ requests, for communicating severe security incidents to the ANPD and affected data subjects, and for responding to ANPD’s requests. However, this is still a draft Resolution, which must be confirmed and published further.

Last modified 24 Jan 2022
Enforcement

The LGPD provides for penalties in case of violations its provisions. Data processing agents that commit infractions can be subject to administrative sanctions, in a gradual, single or cumulative manner, including a fine, simple or daily, of up to 2% of the revenues of a private legal entity, group or conglomerate in Brazil, up to a total maximum of R$50 million per infraction.

Other sanctions can include:

  • Warning
  • Publicizing of the violation
  • Blocking the personal data to which the infraction refers to until its regularization
  • Deletion of the personal data to which the infraction refers
  • Partial suspension of the database operation to which the infringement refers for a maximum period of six (6) months, extendable for the same period, until the processing activity is corrected by the controller;
  • Suspension of the personal data processing activity to which the infringement refers for a maximum period of six (6) months, extendable for the same period;
  • Partial or total prohibition of activities related to data processing.

Although the LGPD became effective September 18, 2020, the penalties provided by the law were only enforceable from August 1, 2021. In addition, the ANPD is now in operation and, on October 29, 2021, published the Regulation of the Inspection Process and the Sanctioning Administrative Process, which establishes the procedures applicable to ANPD’s inspection process and the rules to be observed during the administrative sanctioning process. However, so far, the ANPD still has not imposed sanctions regarding violations to the LGPD, so its level of enforcement activity is still uncertain.

Public authorities (such as consumer protection bodies and public prosecutors) are already monitoring data protection matters and applying penalties based on the LGPD obligations and other applicable laws. Additionally, data subjects may file lawsuits if any of the rights provided by the LGPD are violated. Under the law, a controller or processor that causes material, moral, individual, or collective damage to others is liable to individuals for such damages, including through a class action.

Exceptions to the obligation to remedy a violation exist only if:

  • The agent (ie, controller or the processor) did not carry out the data processing
  • There was no violation of the data protection legislation in the processing, or
  • The damage arises due to exclusive fault of the data subject or a third party
Last modified 24 Jan 2022
Electronic Marketing

Brazil has no specific law regulating electronic marketing communications. However, it is important to point out that, according to the LGPD, all processing of consumers’ personal data (which includes the collection, storage, and sending of marketing communications) can only occur upon the appropriate legal basis for such purpose. Under this scenario, two available legal bases could be used, depending on the analysis of the concrete case: (1) the data subject’s consent, or (2) the controller’s legitimate interest.

Despite the lack of a specific statute, general provisions on privacy and intimacy rights, as well as consumer protection rights, also apply to electronic marketing. Therefore, the sender should immediately cease sending any electronic marketing if the consumer requests (i.e., offering an opt-out option to electronic marketing).

Last modified 24 Jan 2022
Online Privacy

The Brazilian Internet Act has several provisions concerning the storage, use, disclosure, and other processing of data collected on the Internet. The established rights of privacy, intimacy, and consumer rights apply equally to electronic media, such as mobile devices and the Internet. Violations of these rights may also be subject to civil enforcement.

Furthermore, as explained in prior sections, identifiable data are also encompassed under the scope of protection of the LGPD. Thus, if cookies and location data are associated with a natural person, their collection should also observe the same obligations provided by the Brazilian data protection law. However, the obligation does not apply to anonymized data, which is not considered personal data under the LGPD unless the process of anonymization has been reversed or can be reversed using reasonable efforts.

That said, a proper legal basis is needed when using cookies and similar technologies that involve the processing of a user’s personal data from (e.g., the information is linked or linkable to a particular user, IP address, a device, or other particular identifier). Under this scenario, two available legal bases could be used, depending on the analysis of the concrete case: the data subject’s consent or the controller’s legitimate interest (in the case of essential cookies, for example).

Last modified 24 Jan 2022
Contacts
Paula Mena Barreto
Paula Mena Barreto
Partner
Campos Mello Advogados
T +55 21 3262 3028
Manoela Quintas Esteves
Manoela Quintas Esteves
Associate
Campos Mello Advogados
T +55 21 3262 3042
Last modified 24 Jan 2022