Data Risk Intelligence
Automated Data Mapping
Do Not Sell/Do Not Share
Cookie Banner Solutions
Consent & Preferences
Data Rights RequestsPrimer on the LGPD: the Brazilian Data Protection Law (Part IV)
Following a period of uncertainty regarding its effective date, Brazil’s General Data Protection Law (“Lei Geral de Proteção de Dados” or “LGPD”), originally passed in Augusts of 2018, took effect on September 18, 2020.
With approximately a third of the Latin America’s population, Brazil is the region’s largest telecom market, the largest regional market for software outsourcing, and has had a growing IT market even through the COVID pandemic. As the two largest economies in the Western Hemisphere, the United States and Brazil have enjoyed a robust trade relationship with the American companies expanding their footprint in Brazil and vice versa.
The LGPD creates a new legal framework for the use of personal data in Brazil, replacing and/or supplementing a sectoral regulatory framework. The law, largely modeled on the European Union’s GDPR, deals with the concept of personal data, lists the legal bases that authorize its use, and provides various rights to data subjects. Given the LGPD’s broad jurisdictional scope and applicability, it will likely affect most U.S. companies doing business with the Latin American market.
In this Part IV of the Primer on the LGPD, we discuss enforcement and penalties under the new law.
Enforcement and Penalties under the LGPD
The LGPD provides that the newly established National Data Protection Authority will have the authority to levy administrative sanctions for violations of the law. The authorized sanctions vary from a warning requiring a corrective action within a certain period of time to a total prohibition of data processing. The Authority will also be permitted to impose monetary penalties up to 2 percent of the company’s revenue in Brazil, but not to exceed 50 million BRL ($8.8 million).
While the LGPD’s administrative sanctions do not come into force until August 1, 2021, local consumer agencies, public prosecutors, and individuals already have the ability to seek redress under the law. Indeed, the first public civil action based on the LGPD was filed by Brazil’s Public Ministry of the Federal District and Territories on September 22, 2020, just days after the law came into effect. As the Brazilian Constitution gives all citizens a private right of action, there is no need for the law to specifically authorize private lawsuits and class actions like in the United States.
Notably, under the LGPD, controllers and processors can both be liable for information security incidents, improper use of data, or for non-compliance with the law. Given that the LGPD applies to any processing of personal data collected in Brazil, data processors and sub-processors located in other jurisdictions could face potential legal exposure for failure to comply with the LGPD’s requirements.
Since the enactment of the LGPD, affected businesses need to promptly review their privacy and data management systems, programs, and practices to assess their compatibility with the new legal requirements and to map out a path to compliance.
Take a tour of Clarip’s patented data privacy technology and learn how Clarip can help your enterprise comply with emerging data subject rights regulations. Call Clarip today at 1-888-252-5653 or schedule a Demo Online!
