Back in August, Brazil approved its General Data Protection Law (the LGPD, from Lei Geral de Proteção de Dados Pessoais in Portuguese). It will come into effect in early 2020, a lead time comparable to the GDPR's own implementation period.
In short, the LGPD is very similar to the GDPR. This is not a copycat mentality: the GDPR closely reflects current societal expectations about personal data, so most later legislation inevitably shares much of its shape. There are, however, some interesting differences, some practical and others philosophical.
Over the last couple of months, we have been examining the differences and nuances of the new legislation as we have already started advising our clients on its future ramifications. In the process, we have seen how and where the law has its most material impact. Those areas that have sparked the most conversation are listed below and will hopefully guide you in your own alignment with the law.
Non-discrimination as a new principle
In a slight departure from the GDPR, the LGPD adds the seemingly new principle of "non-discrimination". Its addition is important. The other widely shared principles largely concern how personal data is structured, stored and protected. The idea that it must not be used to discriminate for or against particular classes of individual has rarely been codified before.
That said, when we look at the types of discrimination the LGPD prohibits, familiar terms appear. Discrimination on the basis of sexuality, race or religion is outlawed, but these are all types of data the GDPR already treats as "Special Categories" requiring heightened protection. So while the GDPR mentions the word "discrimination" only twice, and not among its core principles, it addresses the issue through the way it is built and enforced. Even so, elevating non-discrimination to a core principle of privacy is appropriate, sensible and probably overdue.
Data Protection Officers
A noticeable difference between the two laws is in the area of Data Protection Officers (DPOs). Many commentators have excitedly claimed that Brazil now insists that every company based in Brazil that handles personal data must have one. This is not strictly true. The term DPO is never used; the law refers instead to "persons in charge of privacy", a rather oblique term.
But aside from picky semantics, there are some important differences with GDPR. Brazil requires the “DPO” (terminology used for the sake of ease) to be a natural person (i.e. a living human), whereas the GDPR allows the role to be assigned to a “legal person”, which may include a corporate or government entity.
There are also differences in the precise responsibilities of the DPO. As would be expected, the LGPD requires the DPO to monitor the organisation's compliance and manage dialogue with data subjects and the statutory authority. But it includes no general duty to inform and advise the business of its obligations. This arguably reduces the role to a technical one rather than a strategic adviser, and may leave Brazilian businesses exposed to not fully considering the rights and sensitivities of their data subjects in senior decision-making.
Many have noted that the LGPD DPO is also not required to advise the business on, or manage, DPIAs. This may be because Brazil does not yet have a Data Protection Authority; the responsibility may follow as data privacy matures in the country and the Authority is launched (presumably in good time for 2020).
As a final point on DPOs, the LGPD does not require a business based outside Brazil that handles personal data on Brazilian citizens to appoint one. By contrast, the GDPR's DPO obligation applies to any controller or processor within its territorial scope, including non-EU companies handling EU personal data, whenever the conditions for appointment are met.
Fines
The LGPD is not as punitive as the GDPR, in either sentiment or finance. The maximum fine under the LGPD is 2% of the company's revenue in Brazil, capped at R$50 million (just over €11 million) per infraction. Under the GDPR the ceiling is 4% of global annual turnover or €20 million, whichever is higher.