In September 2020, Brazil enacted its sweeping new data protection law, the LGPD (Lei Geral de Protecao de Dados). This comprehensive law unites and updates more than 40 individual data laws, clarifying compliance requirements for companies doing business in Brazil.
Companies that do business in the European Union see similarities between the LGPD and the EU's GDPR (General Data Protection Regulation). Despite these commonalities, important differences exist. Companies operating in both regions must not assume their EU data protection practices guarantee LGPD compliance. By understanding the subtle differences between the LGPD and GDPR, companies ensure compliance in Brazil—and avoid significant fines and punishments.
Read on to discover eight key differences and similarities between the LGPD and GDPR legislations.
1. Definition of Personal Data
While the GDPR provides a precise definition of personal data, the LGPD's definition is more expansive. The LGPD defines personal data as "information regarding an identified or identifiable natural person." This broad definition includes but is not limited to:
- Health, genetic, and biometric data
- Web data, including IP and email addresses
- Political opinions
- Sexual orientation
Because of the LGPD's broad definition of personal information, companies operating in Brazil cannot rely on the same criteria they use to meet GDPR standards. Instead, their legal teams must carefully review the LGPD's definition of personal data to ensure they are in compliance.
Companies that lack the legal resources to interpret LGPD technicalities should rely on a third-party global compliance specialist. By turning to an expert, these companies gain peace of mind they are adhering to Brazil's new laws—without diverting team members from their core responsibilities.
2. User Consent Record-Keeping
Under both the LGPD and GDPR, the term "user" refers to any person from whom a company collects data. Both laws require companies to provide proof that each user consents to share their personal information. That means companies must keep thorough records of every situation in which they collect data, including but not limited to:
- Newsletter or mailing list signups
- Account registration forms
- Contact form submissions
- Cookie acceptance opt-ins
Furthermore, the LGPD requires that companies make these consent forms "free, informed, and unambiguous." In other words, the opt-in language must clearly state that the user is choosing to share their information with the company.
To store a comprehensive catalog of digital user opt-in forms, and ensure the language on those forms is clear and easy-to-understand, companies must rely on both their IT and legal teams. As with interpreting personal data definitions, companies that do not have the ability to set up and maintain this record-keeping system can hire third-party international compliance experts.
3. LGPD vs. GDPR Scope
The LGPD, like the GDPR, protects every user in Brazil—even if the user is of another nationality and was subject to data collection only while temporarily in Brazil. Additionally, if a company collects data on any Brazil-based user, regardless of where the company is based, it is subject to LGPD regulation.
These LGPD requirements closely follow the precedent of the GDPR, which protects EU users' information from any company, whether that company is based in the EU or not.
4. Data Transfers
Both the GDPR and LGPD allow companies to transfer data to third-party countries—as long as the receiving country has a data protection system that provides an "adequate level of protection."
Under the GDPR, the European Commission is responsible for determining whether a country's data protection is "adequate." Similarly, Brazil created the ANPD (Autoridade Nacional de Protecao de Dados) to decide whether a country provides an "adequate" data protection level.
Though ANPD approval is not always required—such as during data transfers between general intelligence or law enforcement entities—businesses must nearly always obtain consent. Therefore, companies transferring data collected in Brazil to another country must take time to ensure the new country meets the ANPD's protection standards.
5. Data Breaches
When third-party attacks compromise user data, the results are disastrous—for both the users and the company storing their information. That's why both the GDPR and LGPD require companies to disclose data breaches quickly.
While the GDPR requires companies to report breaches within a 72-hour window, the LGPD requires companies to communicate breaches "in a reasonable time period, as defined by the national authority." Because "a reasonable time period" is vague, companies wishing to err on the side of caution should communicate as quickly as possible with Brazil's ANPD.
6. Data Protection Impact Assessments
The LGPD and GPDR both require that companies comply with a DPIA (Data Protection Impact Assessment). A DPIA is a tool that authorities use to ensure companies correctly identify risks and protect user information. The primary difference between Data Protection Impact Assessments under the GPDR and LGDP involves how authorities issue them.
The GDPR sets specific circumstances for issuing a DPIA. Most of these circumstances surround data processing that is exceptionally large-scale or potentially invasive to users. The LGPD, on the other hand, gives broad power to the ANPD to issue DPIAs at their discretion.
Companies facing DPIA requests from the ANPD must provide, at a minimum, the following pieces of information:
- A summary of the data collected
- How the company gathered the data
- What security measures the company used to protect the data and user privacy
As with user-consent record keeping, companies must align their legal and IT teams to meet the demands of Data Protection Impact Assessments.
7. Data Protection Officers
Both the GDPR and LGPD require companies to appoint a DPO (Data Protection Officer). Under both laws, DPO responsibilities include:
- Acting as a liaison to users by receiving complaints, fielding questions, and adopting relevant measures
- Overseeing a company's representatives—from full-time employees to independent contractors—to ensure they compliantly handle user data
- Maintaining contact with the ANPD and implementing safety measures recommended by the ANPD
Despite the similarities, companies operating in Brazil must meet more stringent DPO requirements than companies operating in the EU. The GDPR requires a DPO for every company whose primary focus is "processing operations which require regular and systematic monitoring on a large scale, or processing on a large scale of special categories of data."
In simpler terms, the GDPR requires companies to hire a DPO only when data processing is a core function. Under the LGPD, however, every company must appoint a DPO—with zero exceptions.
The good news? The LGPD allows companies to hire DPOs based outside of Brazil. As a result, resourceful companies turn to international markets to hire third-party data specialists that provide the right value and expertise for their needs.
8. Consequences of Noncompliance
Companies interested in doing business in Brazil that fall out of compliance with either the LGPD or GDPR face steep punishments. The specific consequences of noncompliance, however, differ under each regulation.
The GDPR caps punishments at 4% of global annual revenue or 20M euros—whichever is higher. The LGPD, on the other hand, maxes out fines at 2% of an entity's revenues in Brazil for a financial year. LGPD penalties will not exceed 50 million BRL, or approximately $9.4M.
Though the LGPD went into effect in September, the ANPD will not levy noncompliance penalties until August 2021. This lag in enforcement time gives companies operating in Brazil an extended grace period to ensure they meet compliance standards.
Maintain LGPD Compliance With A Global Expert
Despite differences in noncompliance punishments, one truth exists: companies that do not adhere to LGPD requirements face serious consequences. That's why businesses must familiarize themselves with the nuances of Brazil's extensive new data protection law. For those unable to invest the legal and IT resources necessary to maintain compliance, turning to global consulting experts is a streamlined alternative.
Velocity Global's experts know the technicalities of employment rules and regulations in Brazil, and we help companies like you maintain compliance in the country. Reach out today to find out how our experts can ensure you compliantly do business overseas—from Brazil and beyond.