Brazil's Best Counsel - Chapter Opening: Data Protection

Data Protection has been a recurring subject in Brazil for the last decade. While discussions around a bill of general data protection law lingered for years, the Internet Act (2014) introduced data protection rights to Brazilian internet users for the first time, igniting important case law discussions. However, Brazil’s fragmented regulations on the matter revealed a substantial lack of legal certainty and exposed the urgent need for a general data protection regime.

The new regime started to take shape last May: the debates about the extraterritorial application of the European Union’s General Data Protection Regulation helped to trigger the swift and unanimous approval of Brazil’s first General Data Protection Act by the Chamber of Deputies in May and by the Senate in July, followed by the presidential sanction on August 14. The law was published on August 15, 2018, as Law 13,709/18, and is commonly referred to by its acronym in Portuguese - LGPD.

The newly-approved and principle-infused Act modernizes data protection in Brazil as it supersedes the current fragmented regulations and establishes a comprehensive unified system of personal data protection.

Scope of Application

Heavily inspired by Directive 95/46/ EC, as of February 15, 2020, LGPD will apply to any data processing operations collecting data domestically as well as to foreign data processing operations offering products and services to the Brazilian market. On the other hand, LGPD will not apply to data processing operations involving journalistic, academic, artistic and personal non-financial purposes. Additional legislation will be needed to rule on data processing operations related to public security, national defense and crime fighting activities.

Impact for Private Companies

LGPD creates a large set of obligations for private companies, with horizontal effects over areas like marketing, human resources, IT, law and compliance. Compliance efforts must include the mapping of corporate data processing operations, the creation of operations logs, the update and/or upgrade of security standards, the review of corporate information security policies, insurance policies, employment contracts and consumer contracts, among several other initiatives. The complex road towards LGPD compliance shall demand substantial human, technical and monetary resources.

Although the agency responsible for overseeing enforcement is yet to be created, LGPD provides specific administrative sanctions for violations (from fines amounting up to R$50 million to technical sanctions such as the removal of personal data from databases), without prejudice of civil liability to be verified and punished by courts.

Perspectives

LGPD is expected to generate a cultural change on privacy issues in Brazil, to the extent that government bodies, corporations and individuals become more aware of their corresponding data protection rights and duties. The many challenges of implementing compliant processes and policies barely hide an important competitive opportunity: companies with cleared databases will be in a position to resume lawful marketing operations sooner than competitors that fail to comply with LGPD. This is not something to be overlooked as Brazil slowly marches out of its longest economic crisis and nears solid economic growth.

ABOUT THE AUTHORS:

Claudio Barbosa: Partner. Co-Head of the Data Protection Commission (at ABPI). L.L.M. in International Law (USP). L.L.M. in Intellectual Property Law (GWU Law School). SJD in Commercial Law (USP).

E-mail: claudio.barbosa@kasznarleonardos.com  Phone: +55 11 2122 6604

Pedro Vilhena: Senior associate and Head of Digital Law. Member of the Data Protection Committee (INTA). L.L.M. in International and European Intellectual Property Law (Strasbourg University).

E-mail: pedro.vilhena@kasznarleonardos.com  Phone: +55 11 2122 6600