The General Law for the Protection of Personal Data (LGPD) in Brazil

Introduction

In terms of cybercrime and invasion of privacy, Brazil would be one of the most affected countries, not only as a target, but also of origin. According to a study published by the computer security company McAfee and the CSIS (Center For Strategic & International Studies) at the beginning of 2018, Brazil would be the second country in the world from which the most crimes originate and the third in as a target.

In fact, while Europe and France have long been concerned with the protection of personal data and privacy, in Brazil these subjects still arouse relatively little interest.

Since 1978 France has had an independent administrative authority, the Commission Nationale Informatique et Liberté – CNIL, responsible for monitoring compliance with the laws on the protection of personal data, and for sanctioning infringements if necessary, whereas in Brazil no organization of this type still exists in 2018.

The entry into force of the General Data Protection Regulation – GDPR by the European Union and its application from May 25, 2018 prompted the Brazilian authorities to accelerate the adoption of measures allowing it to integrate to the European model.

Indeed, according to the new standards put in place by the European Union, it is no longer possible for Europeans to transfer data outside Europe to countries that do not offer protection guarantees identical to those put in place. by GDPR. Brazil must therefore adapt.

Brazil chooses to follow Europe

The General Law for the Protection of Personal Data (LGPD – the country’s GDPR) in Brazil entered into force on 15.08.2018, but data subjects will have to comply with its standards from 2020. So what are the provisions of the LGPD in Brazil?

The Law deals with the collection and processing of personal data , i.e. “any information relating to an identified or identifiable natural person” (art.5º,I).

Personal data are also, within the meaning of the law, “those used for the formation of the behavior profile of a specific natural person, if identified. » (Art. 12, §2º)

Processing is “any operation carried out with personal data, such as those relating to the collection, production, reception, classification, use, access, reproduction, transmission, distribution, process, ‘archiving, storage, disposal, evaluation or control of information, modification, communication, transfer, dissemination or extraction’ (Art.5X).

• The definitions are therefore identical to those of the European regulations.
• It should be noted that the data in question, processed by law, may or may not be digital. That is, the Act applies to handwritten and physical as well as digital data and records.
• The law provides specific provisions for sensitive data relating to children.
• It is aimed at private and public persons.

The provisions relating to the rights of data holders and the duties of data controllers are also identical to those of the GDPR.

The penalties provided for in the law are very high, in the same movement made by the European GDPR. It is thus fixed penalties, administrative sanctions applied by the national authority, of a maximum of 2% of the turnover of the last financial year, limited to R$ 50,000,000.00 per offense or; daily fine within the same total limit of R$ 50,000,000.00.

The National Data Protection Authority (ANPD)

The General Personal Data Protection Law in Brazil provided for the creation of an independent national authority, responsible for control, regulation and the application of administrative sanctions.

However, the President of the Republic has vetoed these provisions, on the grounds that since it is an administrative authority, its creation must come from a government bill (Law 13.709 is of parliamentary origin ).