Episode 53 - Brazil’s New Personal Data Privacy Law
Brazil’s General Personal Data Protection Law or “LGPD” entered into force on September 18, 2020. In this podcast, Thiago Luís Santos Sombra of the prominent Brazilian law firm Mattos Filho, www.mattosfilho.com.br, explains the basic approach to personal data privacy of South America’s largest country.
Highlights:
• Brazil chose the European Union’s basic approach (GDPR), but there are differences between GDPR and LGPD.
• Personal data is defined broadly to include identifiers such as email address, geo-location and similar information particular to a person.
• Data mapping and risk assessment are the immediate steps a business should take that collects or processes personal data of Brazilians.
• Companies must assess whether consent or legitimate interest is the basis of holding particular personal data and decide a compliant approach thereafter. Brazil’s Code is broader than GDPR in providing various bases to hold and process personal data. Businesses will look to express consent as a last resort rather than the first in complying with the law.
• A privacy-compliant notice should be posted.
• A prevention and emergency plan should be in place for handling breaches.
• If a business is compliant with GDPR (or thinks it is), this does not guarantee Brazilian compliance, as there are differences from GDPR. There is probably more flexibility in Brazil for businesses than exists under GDPR, but until an Authority is in place, there is no regulator to discuss ambiguities or obtain advance guidance.
• Cross-border transfers take the European approach, with no data localization as required by China, Russia, or India. The data protection authority to be appointed will need to issue standard contractual clauses or otherwise specify what is required. Brazil and the USA are already negotiating about data transfers, with no clear guidance from the Code about what is required of another country’s level of protection by law.
• Data Protection Officers (DPO’s) must be appointed for controllers but not processors, with no threshold or de minimis test for this (unlike GDPR). No specific liability is specified for DPO’s, except for willful misconduct common to any relationship. DPO’s can be internal or outsourced. While there is no requirement that the DPO reside in Brazil, Portuguese language skill is practically essential for a DPO.
• Regulations will follow in time. Individuals will need to be appointed to the Authority and approved by the legislature, with the aim of having an enforcement agency ready to act by August 2021.
Because of Brazil’s prominent position as the giant of South America, one could expect an Iberian approach to personal data privacy throughout South America. Similar but not identical comprehensive codes exist in Chile, Colombia and many other South American countries.
If you have ideas for more interviews or stories, please email info@thedataprivacydetective.com.
Brazil’s General Personal Data Protection Law or “LGPD” entered into force on September 18, 2020. In this podcast, Thiago Luís Santos Sombra of the prominent Brazilian law firm Mattos Filho, www.mattosfilho.com.br, explains the basic approach to personal data privacy of South America’s largest country.
Highlights:
• Brazil chose the European Union’s basic approach (GDPR), but there are differences between GDPR and LGPD.
• Personal data is defined broadly to include identifiers such as email address, geo-location and similar information particular to a person.
• Data mapping and risk assessment are the immediate steps a business should take that collects or processes personal data of Brazilians.
• Companies must assess whether consent or legitimate interest is the basis of holding particular personal data and decide a compliant approach thereafter. Brazil’s Code is broader than GDPR in providing various bases to hold and process personal data. Businesses will look to express consent as a last resort rather than the first in complying with the law.
• A privacy-compliant notice should be posted.
• A prevention and emergency plan should be in place for handling breaches.
• If a business is compliant with GDPR (or thinks it is), this does not guarantee Brazilian compliance, as there are differences from GDPR. There is probably more flexibility in Brazil for businesses than exists under GDPR, but until an Authority is in place, there is no regulator to discuss ambiguities or obtain advance guidance.
• Cross-border transfers take the European approach, with no data localization as required by China, Russia, or India. The data protection authority to be appointed will need to issue standard contractual clauses or otherwise specify what is required. Brazil and the USA are already negotiating about data transfers, with no clear guidance from the Code about what is required of another country’s level of protection by law.
• Data Protection Officers (DPO’s) must be appointed for controllers but not processors, with no threshold or de minimis test for this (unlike GDPR). No specific liability is specified for DPO’s, except for willful misconduct common to any relationship. DPO’s can be internal or outsourced. While there is no requirement that the DPO reside in Brazil, Portuguese language skill is practically essential for a DPO.
• Regulations will follow in time. Individuals will need to be appointed to the Authority and approved by the legislature, with the aim of having an enforcement agency ready to act by August 2021.
Because of Brazil’s prominent position as the giant of South America, one could expect an Iberian approach to personal data privacy throughout South America. Similar but not identical comprehensive codes exist in Chile, Colombia and many other South American countries.
If you have ideas for more interviews or stories, please email info@thedataprivacydetective.com.