Primer on the LGPD: the Brazilian Data Protection Law (Part III) - Clarip Privacy Blog

Primer on the LGPD:  the Brazilian Data Protection Law (Part III)


Following a period of uncertainty regarding its effective date, Brazil's General Data Protection Law ("Lei Geral de Proteção de Dados" or "LGPD"), originally passed in August 2018, took effect on September 18, 2020.

With approximately a third of Latin America's population, Brazil is the region's largest telecom market and its largest market for software outsourcing, and its IT market has kept growing even through the COVID pandemic.  As the two largest economies in the Western Hemisphere, the United States and Brazil have enjoyed a robust trade relationship, with American companies expanding their footprint in Brazil and vice versa.

The LGPD creates a new legal framework for the use of personal data in Brazil, replacing or supplementing the sectoral rules that preceded it. The law, largely modeled on the European Union's GDPR, defines personal data, lists the legal bases that authorize its processing, and grants various rights to data subjects. Given the LGPD's broad jurisdictional scope, it will likely affect most U.S. companies doing business with the Latin American market.

In this Part III of the Primer on the LGPD, we’ll discuss obligations of data controllers and processors under the new law.

 

General Requirements for Data Processing and Governance

The LGPD requires that controllers and processors conduct data processing activities in good faith and subject to the following principles:  purpose limitation, necessity, adequacy, quality of data, free access, transparency, security and breach prevention, non-discrimination, and accountability.  The accountability principle obliges controllers and processors to demonstrate that they have adopted effective measures, and that those measures are capable of proving compliance with the rules for the protection of personal data; in practice this means documenting the controls, not just implementing them.

While companies' data protection and governance frameworks must incorporate these principles, the LGPD also mandates a risk-based approach to data processing: organizations must weigh the nature, scope, probability, and seriousness of the risks to data subjects against the benefits that result from the processing activity.

 

Record of Data Processing Activities

Consistent with the accountability principle, the LGPD requires controllers and processors to keep a record of all personal data processing activities.  For each activity the record should indicate the types of personal data collected, the purpose of collection, the legal basis that authorizes the processing, the parties with whom the data may be shared, the retention period, and the information security practices applied to that data.

 

Data Protection Impact Assessment

Under the LGPD, a data protection impact assessment may be required in three situations: where the processing poses risk to civil liberties and data subjects' fundamental rights, at the request of the data protection authority, and where the processing relies on the controller's legitimate interest as its legal basis.  The DPIA must contain, at a minimum, a description of the processing activity, the applicable risks, and the measures, safeguards, and mechanisms adopted to mitigate those risks.

 

Data Protection and Security

The LGPD mandates that data controllers and processors implement technical, security, and administrative measures to protect personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, transmission, or any other improper or unlawful processing.  Consistent with the principle of data protection by design, the LGPD requires these measures to be observed from the conception phase of any product or service through to its execution, so security and privacy controls are expected to be part of the design, not bolted on after launch.

The LGPD provides that controllers may demonstrate their commitment to the data protection principles by implementing a privacy governance program that will (a) establish policies and procedures to ensure broad compliance with rules and good practices regarding the protection of personal data; (b) apply to the entire set of personal data under the controller's control, regardless of the means used to collect it; (c) be adapted to the structure, scale, and volume of the organization's operations and to the sensitivity of the data; (d) establish adequate policies and safeguards based on a process of systematic evaluation of the impacts and risks to privacy; (e) aim to establish a relationship of trust with the data subjects through transparent operations that ensure their participation; (f) be integrated into the organization's general governance structure; (g) include plans to respond to security incidents; and (h) be constantly updated based on information obtained from continuous monitoring and evaluation.

 

Breach Notification

In case of a security incident that may cause relevant risk or damage to the data subjects, the LGPD requires controllers to notify the data protection authority and the affected data subjects within a "reasonable" time period, which the authority may further define.  The notice must describe at least the nature of the personal data affected, the data subjects involved, the technical and security measures used to protect the data, the risks arising from the incident, the measures taken or proposed to reverse or mitigate its effects, and, if the notice was not immediate, the reasons for the delay.  The data protection authority may, in turn, require controllers to publicly disclose the incident or take other measures in order to protect the rights of the data subjects.

 

Data Protection Officers

The LGPD requires controllers subject to the law to appoint a data protection officer (the "encarregado") to act as the communication channel between the controller, the data subjects, and the data protection authority.  The DPO will be responsible for accepting complaints and communications from the data subjects, receiving communications from the data protection authority and implementing any corresponding measures, educating the company's employees and contractors regarding data protection practices, and carrying out other duties as determined by the controller and by future regulations.

 

Cookie Consent

Although the LGPD does not specifically reference cookies, it strongly suggests that cookies and similar tracking technologies containing personal data require notice to, and consent from, the data subjects. Cookie consent may also be required by other Brazilian laws, such as the Brazilian Civil Rights Framework for the Internet (Marco Civil da Internet), which provides for "the expressed consent for the collection, use, storage and processing of personal data" and "non-disclosure to third parties of users' personal data, including connection records and records of access to internet applications, unless with express, free and informed consent . . ."  Consent in compliance with these requirements must be in writing or obtained by other means that demonstrate the data subject's will, and the burden of proving that consent was validly obtained rests with the controller, so consent events should be recorded.  Furthermore, consent must be specific to particular purposes, including with respect to sharing personal data with third parties; a single blanket consent does not suffice.  A right to withdraw consent must also be clearly provided.
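As an added illustration of how the consent requirements above translate into client-side code (this is not code from the article or from Clarip), the following JavaScript models a consent gate: non-essential cookies are written only after an affirmative, purpose-specific grant, every grant and withdrawal is recorded with a timestamp and policy version so the controller can later prove consent, and withdrawal deletes the cookies tied to that purpose. The cookie catalogue, the purpose names, the record format, and the in-memory cookie jar are assumptions for illustration; in a browser the jar would wrap document.cookie.

```javascript
// Added example, not from the original article. The cookie names, purpose
// categories and record format below are assumptions for illustration.

// Constructed catalogue: every cookie the site sets is mapped to one purpose.
// Anything not listed here cannot be set at all, which keeps unclassified
// trackers from slipping through.
const COOKIE_PURPOSES = {
  session_id: "essential",     // strictly necessary, no consent required
  analytics_uid: "analytics",
  ad_profile: "advertising",   // shared with third-party ad networks
};

// Minimal in-memory cookie jar so the example runs outside a browser.
// In a page, implement the same three methods over document.cookie and
// set Secure and SameSite attributes on every cookie you write.
class MemoryJar {
  constructor() { this.store = new Map(); }
  has(name) { return this.store.has(name); }
  set(name, value) { this.store.set(name, value); }
  remove(name) { this.store.delete(name); }
}

class ConsentManager {
  constructor(jar, now = () => new Date().toISOString()) {
    this.jar = jar;
    this.now = now;               // injectable clock for deterministic records
    this.granted = new Set();     // purposes the data subject has consented to
    this.records = [];            // append-only log the controller keeps as proof
  }

  // Consent is an affirmative act naming specific purposes. An empty list,
  // an unknown purpose, or "essential" (which needs no consent) is rejected.
  grant(purposes, policyVersion) {
    if (!Array.isArray(purposes) || purposes.length === 0) {
      throw new Error("consent must name at least one specific purpose");
    }
    const known = new Set(Object.values(COOKIE_PURPOSES));
    for (const p of purposes) {
      if (p === "essential" || !known.has(p)) {
        throw new Error(`not a consentable purpose: ${p}`);
      }
    }
    purposes.forEach((p) => this.granted.add(p));
    this.records.push({ event: "grant", purposes: [...purposes], policyVersion, at: this.now() });
  }

  // Withdrawal must be as easy as granting: drop the purpose, delete the
  // cookies that depend on it, and record the withdrawal.
  withdraw(purposes) {
    for (const p of purposes) {
      this.granted.delete(p);
      for (const [name, purpose] of Object.entries(COOKIE_PURPOSES)) {
        if (purpose === p) this.jar.remove(name);
      }
    }
    this.records.push({ event: "withdraw", purposes: [...purposes], at: this.now() });
  }

  // Single choke point for writing cookies: refuses anything without a
  // matching, still-valid consent. Returns true when the cookie was written.
  setCookie(name, value) {
    const purpose = COOKIE_PURPOSES[name];
    if (purpose === undefined) {
      throw new Error(`cookie ${name} is not in the catalogue; classify it first`);
    }
    if (purpose !== "essential" && !this.granted.has(purpose)) {
      return false;
    }
    this.jar.set(name, value);
    return true;
  }
}

// Walks through the consent lifecycle and returns the observable results.
function demo() {
  const jar = new MemoryJar();
  const cm = new ConsentManager(jar, () => "2020-09-18T00:00:00Z");
  const r = {};
  r.essentialBeforeConsent = cm.setCookie("session_id", "s1");      // true
  r.analyticsBeforeConsent = cm.setCookie("analytics_uid", "u1");   // false
  cm.grant(["analytics"], "privacy-policy-2020-09");
  r.analyticsAfterConsent = cm.setCookie("analytics_uid", "u1");    // true
  r.adsAfterAnalyticsConsent = cm.setCookie("ad_profile", "p1");    // false: consent was specific
  cm.withdraw(["analytics"]);
  r.analyticsCookieRemoved = !jar.has("analytics_uid");              // true
  r.analyticsAfterWithdrawal = cm.setCookie("analytics_uid", "u2");  // false
  r.recordCount = cm.records.length;                                 // 2
  return r;
}
```

The design choice worth noting is the single `setCookie` choke point: any script that wants to drop a cookie has to go through it, so a missing or withdrawn consent fails closed rather than relying on every tag honouring a banner flag. The `records` array is what you would persist server-side to meet the burden of proof described above.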

In next week's installment of the Primer on the LGPD, we'll discuss enforcement and penalties, and the obligations of data controllers and processors under the Brazilian privacy law.
