Primer on the LGPD: Brazilian Data Protection Law (Part I)
Following a period of uncertainty regarding its effective date, Brazil’s General Data Protection Law (“Lei Geral de Proteção de Dados” or “LGPD”), originally passed in August of 2018, took effect on September 18, 2020.
With approximately a third of Latin America’s population, Brazil is the region’s largest telecom market, the largest regional market for software outsourcing, and has had a growing IT market even through the COVID pandemic. As the two largest economies in the Western Hemisphere, the United States and Brazil have enjoyed a robust trade relationship, with American companies expanding their footprint in Brazil and vice versa.
The LGPD creates a new legal framework for the use of personal data in Brazil, replacing and/or supplementing a sectoral regulatory framework. The law, largely modeled on the European Union’s GDPR, deals with the concept of personal data, lists the legal bases that authorize its use, and provides various rights to data subjects. Given the LGPD’s broad jurisdictional scope and applicability, it will likely affect most U.S. companies doing business with the Latin American market.
In this Part I of the Primer on the LGPD, we’ll discuss the jurisdictional scope and applicability of the new Brazilian law, as well as the legal grounds for processing data under it.
Jurisdictional Scope and Applicability
The LGPD applies to processing of personal data – defined as any information regarding an identified or identifiable person – by a natural person or a private or public entity if (1) the processing is carried out in Brazil; (2) the processing is aimed at offering or providing goods or services to, or at the processing of data of, individuals located in Brazil; or (3) the personal data being processed was collected in Brazil. The LGPD applies to personal data of natural persons, regardless of whether data was collected in the context of a person being a customer, employee, or a business contact of an organization.
Like the GDPR, the LGPD applies extraterritorially; that is, the duty of compliance extends beyond the geographical limits of Brazil. Any U.S. company that has a branch in Brazil or offers services to the Brazilian market will be subject to the LGPD. Furthermore, companies that process personal data collected in Brazil are also subject to the LGPD irrespective of whether they do any business in the country.
Legal Grounds for Data Processing
The LGPD restricts data collection and processing to ten enumerated bases: (1) consent of a data subject; (2) compliance with legal obligations of the controller; (3) processing by public authorities for the purpose of execution of public policies, or based on contracts or similar instruments; (4) for carrying out studies by research entities; (5) when necessary for a contract to which the data subject is a party; (6) for the exercise of rights in judicial, administrative, or arbitration proceedings; (7) for the protection of life or physical safety of the data subject or a third party; (8) for protection of health when processing is carried out by health professionals or services or public health authorities; (9) for the protection of credit; and (10) when necessary to fulfill the legitimate interests of the controller or a third party. A controller’s legitimate interests may include (but are not limited to) support and promotion of the controller’s activity, protection of the data subject’s regular exercise of his/her rights, and provision of services that benefit the data subject.
Consent required by the law must be given in writing or by other means able to demonstrate the manifestation of the data subject’s will. Written consent must be included in a clause that stands out from the other contractual clauses. Furthermore, the LGPD does not allow a generic authorization for processing of personal data and requires that consent refer to particular purposes.
The LGPD requires that processing of sensitive personal data – i.e., data on a person’s racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, health or sexual life data, and genetic or biometric data – be conducted in most cases with the data subject’s specific and distinct consent for the specified purpose. The law, however, does not define what constitutes “specific and distinct” consent for processing of sensitive data as opposed to consent sufficient for processing of other types of personal data.
In the next article in the Primer on the LGPD series, we’ll discuss data subject rights and requests under the new Brazilian law.