Brazil - Data Protection Overview
Law No. 13.709 of 14 August 2018, the General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD'), was passed in 2018 and entered into effect on 18 September 2020. The LGPD is a comprehensive data protection law which covers the activities of data controllers and processors and creates novel requirements on the processing of data subjects' information. It includes provisions on a variety of issues such as data protection officer ('DPO') appointments, Data Protection Impact Assessments ('DPIA'), data transfers, data breaches, and the establishment of the Brazilian data protection authority ('ANPD').
1. GOVERNING TEXTS
In relation to enforcement, the President of Brazil, Jair Bolsonaro, promulgated, on 10 June 2020, Law No. 14.010 of 10 June 2020 (only available in Portuguese here), which postponed the administrative sanctions of the LGPD to 1 August 2021.
1.3. Case law
In May 2021, a decision issued by the Brazilian Federal Supreme Court ('STF') suspended the effect of Provisional Measure No. 954/2018 (only available in Portuguese here), which obligated telecom companies to share the mobile numbers and addresses of their customers with the Brazilian Institute of Geography and Statistics ('IBGE') for use in official statistics. The grounds for the court's decision recognised the right to data protection as an autonomous and fundamental right, an important milestone in the Brazilian legal privacy landscape.
2. SCOPE OF APPLICATION
The LGPD provides for the processing of personal data, including by digital means, by a natural person or a legal entity of either public or private law, with the purpose of protecting the fundamental rights of freedom and privacy as well as the free development of the personality of the natural person (Article 1 of LGPD).
The LGPD has extraterritorial application, being applicable to any individual or legal entity governed by public or private law irrespective of the means, the country in which its headquarters is located, or the country in which the data is located, provided (Article 4 (IV) of the LGPD):
- the processing operation is carried out in the national territory;
- the processing activity is aimed at the offering or provision of goods or services, or at the processing of data of individuals located on the national territory; or
- the personal data being processed was collected in the national territory.
Article 3(§1) of the LGPD states that data collected in the national territory is considered to be data whose subject is in the national territory at the time of collection.
The LGPD applies to the processing of personal data, including by digital means, carried out by a natural person or by a public or private legal entity (Article 1 of the LGPD).
The following data processing activities are exempted from the application of the LGPD (Article 4 of the LGPD):
- processing carried out by a natural person, exclusively for private and non-economic purposes;
- processing for journalistic and artistic purposes;
- processing for academic purposes (but observing the rules foreseen in Articles 7 and 11 of the LGPD);
- processing carried out with the exclusive purpose of public safety, national defence, state security, or investigation activities and prosecution of criminal offences; or
- processing of personal data originating outside Brazil, from countries that provide an adequate level of data protection (compared with the LGPD), where this personal data is not shared or communicated with Brazilian processing agents.
3.1. Main regulator for data protection
The ANPD is the main regulator. The ANPD is a body of the federal public administration, part of the Presidency of the Republic, and is composed of (Article 55(C) of the LGPD):
- board of directors, as the highest body of direction;
- National Board of Personal Data Protection and Privacy;
- internal affairs office;
- legal advisory body; and
- other administrative and specialised units required for the enforcement of the LGPD.
The board of directors of the ANPD is composed of five directors, including the President Director, all of them nominated by the President of the Republic. They must be Brazilians with an unblemished reputation, a high level of education, and a great reputation in the field of specialisation of the position for which they are nominated. In particular, Bolsonaro appointed Waldemar Gonçalves Ortunho Junior to the position of President Director of the ANPD for a six-year term and Joacil Basilio Rael, Nairane Farias Rabelo Leitão, Miriam Wimmer, and Arthur Pereira Sabbat to the positions of directors for two- to five-year terms respectively.
The members of the National Board of Personal Data Protection and Privacy were nominated in August 2021 for a two-year mandate (only available in Portuguese here).
3.2. Main powers, duties and responsibilities
The ANPD is responsible for the enforcement of the LGPD and has the following powers available to ensure the protection of individuals' data (Article 55(J) of LGPD):
- supervise the protection of personal data, including by conducting inspections or ordering that they be conducted;
- supervise commercial and industrial secrets, observing the protection of personal data and the secrecy of information when protected by law or when the breach of secrecy violates the fundamentals of the LGPD;
- receive and process data subject claims against the controllers (after being submitted to the controller and not solved according to the LGPD);
- decide how data processing agents could be transparent regarding the personal data processing activities;
- request, from public authorities that carry out personal data processing activities, information regarding the scope and nature of the data and other details of the processing, with the possibility to issue technical opinions to ensure compliance with the LGPD;
- amend privacy and personal data protection regulations and procedures, including regarding DPIAs;
- listen to data processing agents and the society in matters of relevant interest;
- collect and apply its revenue and publish a detailed report regarding its revenue and expenses;
- conclude agreements with data processing agents in order to eliminate irregularities, legal uncertainties, or litigious situations in administrative proceedings;
- enact rules, guidelines, and simplified procedures, including regarding deadlines, for small and micro companies, start-ups, and innovative businesses in order to help them achieve compliance with the LGPD;
- ensure that processing activities of personal data from elderly people are carried out in a simple, clear, accessible, and adequate manner suited to their understanding;
- decide, at an administrative level, on the LGPD's interpretation, its competences, and cases in which it is silent;
- implement simplified mechanisms, including by electronic means, for the registration of complaints about personal data processing that is non-compliant with the LGPD;
- inspect and sanction cases of data processing that are non-compliant with the LGPD through administrative proceedings that ensure the right to adversary proceedings, full defence, and the right to appeal;
- report to the appropriate authorities the criminal offences that come to their knowledge;
- report to the internal affairs bodies any non-compliance with the LGPD by bodies and entities of federal public administration;
- disseminate throughout society knowledge about legal norms and policy on personal data protection and its security measures;
- encourage the adoption of standards for services and products that facilitate the control and the protection of personal data by their subjects, considering the specificities of the activities and the size of controllers;
- prepare studies about national and international practices on personal data protection and privacy;
- promote actions of cooperation with personal data protection authorities from other countries, of international or transnational nature; and
- draft managing reports on its annual activities.
4. KEY DEFINITIONS
Sensitive data: Personal data on racial or ethnic origin, religious belief, political opinion, trade union or religious affiliation, or philosophical or political organisation membership, as well as data relating to health or sex life, or genetic or biometric data, when related to a natural person (Article 5(II) of LGPD).
Pseudonymisation: The processing by means of which data loses the possibility of direct or indirect association to an individual, except through the use of additional information kept separately by the controller in a controlled and safe environment (Article 13(§ 4º) of LGPD).
Data protection officer: Person appointed by the controller and processor to act as a communication channel between the controller, data subjects, and the National Data Protection Authority (ANPD) (Article 5(VIII) of LGPD).
Anonymisation: Use of reasonable technical means available at the time of processing, by means of which the data loses the possibility of direct or indirect association to an individual (Article 5(XI) of LGPD).
5. LEGAL BASES
Consent must be a free, informed, and unequivocal expression by which the data subjects agree to the processing of their personal data for a specific purpose, and can be applied to 'regular' personal data and sensitive personal data (Articles 7, 11, and 14 of the LGPD).
This legal basis applies to data processing activities necessary for the execution of a contract, or of preliminary procedures related to a contract, of which the data subject is a party, at the request of the data subject (Articles 7, 11, and 19 of the LGPD).
Personal data and sensitive data can be processed for compliance with a legal or regulatory obligation by the controller (Article 7(II) of the LGPD).
There are no specific legal bases to process personal data in order to pursue interests of the data subject. However, the legitimate interest of the data controller can be applied in situations to protect the regular exercise of the data subject's rights or the provision of services that benefit them.
For more details, please see section 5.6 below.
There are no specific legal bases to process personal data in order to pursue public interests. However, public administration can process personal data when necessary for the execution of public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments (Article 7(III) of the LGPD).
The legitimate interest of the data controller or data subject cannot be applied to process sensitive data and, when supporting a processing activity on this legal basis, the data controller needs to (Article 7(IX) of the LGPD):
- guarantee that the personal data being processed is strictly necessary for the intended purpose; and
- adopt measures to ensure transparency of data processing based on its legitimate interests.
Other legal bases to process personal data are (Article 7 of the LGPD):
- for carrying out studies by research bodies;
- regular exercise of rights in judicial or administrative lawsuits or arbitration proceedings;
- protection of the life or of the physical safety of the data subject;
- credit protection, which cannot be applied to sensitive data;
- fraud prevention and to guarantee security to the data subject (specific for sensitive data); and
- protection of health, only applying however to procedures carried out by health professionals, health services, or sanitary authorities.
Article 6 of the LGPD provides that any processing of personal data must observe the following principles:
- good faith;
- purpose: processing for legitimate, specific, and explicit purposes informed to the data subject, without any possibility of further processing inconsistent with these purposes;
- adequacy: compatibility of the processing with the purposes informed to the data subject, in accordance with the context of the processing;
- necessity: limitation of the processing to the minimum necessary to achieve its purposes, covering data that is relevant, proportionate, and non-excessive in relation to the purposes of the data processing;
- free access: guarantee to the data subjects of facilitated and free of charge consultation about the form and duration of the processing, as well as about the integrity of their personal data;
- data quality: guarantee to the data subjects of the accuracy, clarity, relevancy, and updating of the data, in accordance with the need and for achieving the purpose of the processing;
- transparency: guarantee to the data subjects of clear, precise, and easily accessible information about the carrying out of the processing and the respective processing agents, subject to commercial and industrial secrecy;
- security: use of technical and administrative measures able to protect personal data from unauthorised access and accidental or unlawful situations of destruction, loss, alteration, communication, or dissemination;
- prevention: adoption of measures to prevent the occurrence of damage in view of the processing of personal data;
- non-discrimination: impossibility of processing data for discriminatory, unlawful, or abusive purposes; and
- accountability: proof, by the controller or processor, of adoption of effective measures able to prove observance of and compliance with the personal data protection rules, as well as of the effectiveness of these measures.
7. CONTROLLER AND PROCESSOR OBLIGATIONS
There is no obligation to notify data processing activities.
The international transfer of personal data is permitted solely in the following cases (Article 33 of the LGPD):
- to countries or international organisations that provide an appropriate level of protection of personal data provided for by the LGPD;
- when the controller provides and demonstrates guarantees of compliance with the principles and rights of the data subject and the data protection regime established in the LGPD, in the form of:
  - specific contractual clauses for a given transfer;
  - Standard Contractual Clauses;
  - Binding Corporate Rules; and
  - seals, certificates, and codes of conduct regularly issued;
- when the transfer is required for international legal cooperation between government intelligence, investigations, and police bodies, in accordance with international law instruments;
- when the transfer is required for the protection of life or physical integrity of the data subject or any third party;
- when the ANPD authorises such transfer;
- when the transfer results in a commitment undertaken under an international cooperation agreement;
- when the transfer is required for the enforcement of a public policy or legal attribution of the public utility, upon disclosure of the provisions of item I of the main provision of Article 23 of the LGPD;
- when the data subject has provided specific and highlighted consent for such transfer, with prior information on the international nature of the operation, clearly distinguishing it from any other purposes;
- when necessary to comply with a legal or regulatory obligation by the controller;
- when necessary for the execution of a contract or preliminary procedures related to a contract of which the data subject is a party, at the request of the data subject; or
- to allow the regular exercise of rights in judicial, administrative or arbitration procedures.
There are no specific requirements on outsourcing. It is not prohibited under the LGPD; however, if it involves cross-border transfers of personal data, the rules under the LGPD must be observed.
The controller and the processor should maintain a record of the personal data processing operations they carry out, especially where they are based on a legitimate interest (Article 37 of the LGPD).
There are no requirements on which kind of information should be registered in these records.
The national authority may require the controller to prepare a DPIA relating to its data processing operations, as provided for by the regulations, with due regard for commercial and industrial secrecy (Article 10(§ 3º) of the LGPD).
This DPIA should contain at least a description of the types of data collected, the methodology used for collection and for guaranteeing the security of the information, and the controller's analysis of the measures, safeguards, and risk mitigation mechanisms adopted (Article 38 of the LGPD).
It is worth mentioning that the ANPD has not regulated this matter yet.
A DPO must be appointed by controllers. The ANPD may exempt controllers from appointing a DPO according to the nature and size of the entity or the volume of data processing operations (Article 41 and 41(§ 3º) of LGPD).
The identity and contact details of the DPO must be publicly, clearly, and objectively disclosed, preferably on the controllers' website. The activities of the DPO consist of the following (Article 41(§ 1º) of the LGPD):
- to accept complaints and communications from data subjects, provide clarifications, and take measures;
- to receive communications from the supervisory authority and take measures;
- to instruct the employees and contractors of the entity on the practices to be adopted in relation to personal data protection; and
- to carry out any other duties established by the controller or in supplementary rules.
The ANPD may establish supplementary rules on the definition and duties of the DPO (Article 41(§ 3º) of LGPD).
The controller must notify the ANPD and data subjects of the occurrence of any security incident that may result in any relevant risk or damage to the data subjects (Article 48 of LGPD).
The notice must, at a minimum, contain the following information (Article 48(§ 1º) of LGPD):
- a description of the nature of the affected personal data;
- information on the data subjects involved;
- indication of the technical and security measures used for data protection, with due regard for trade and industrial secrets;
- the risks relating to the incident;
- the reasons for the delay, in case the notice is not immediate; and
- the measures that were or shall be adopted to reverse or mitigate the effects of the loss.
The ANPD has also released guidance and a security incident reporting form (only available in Portuguese here).
Each sector has its own rules related to data retention. The LGPD only sets forth that data shall be stored for the shortest period of time possible and cannot be processed after the purpose for its processing has been accomplished. Moreover, the ANPD may regulate the period of time in which controllers and processors must keep their records of processing activities (Article 40 of LGPD).
The processing of personal data of children and adolescents must be carried out in their best interest, pursuant to the provisions of that Article and of the applicable law (Article 14 of LGPD).
Also, to process personal data of children, the LGPD requires the collection of specific and explicit consent provided by at least one of the parents or legal guardians. An exception may apply when the collection is necessary to contact the parents or the legal guardian, is used a single time and without storage, or is for their protection, and where the data cannot be transferred to third parties under any circumstance without the aforementioned consent (Article 14(§ 1º) of the LGPD).
According to the Brazilian Child and Adolescent Statute (only available in Portuguese here), children are individuals of less than 12 years of age, and adolescents are individuals who are older than 12 years old but younger than 18 years old.
Controllers are also required to have an appropriate legal ground set out in the LGPD in order to be allowed to process sensitive personal data, as summarised below (Article 11 of the LGPD):
- compliance with a legal or regulatory obligation;
- for carrying out studies by research bodies;
- execution of a contract or preliminary procedures related to a contract (data subjects need to be a party of this contract);
- regular exercise of rights in lawsuits or administrative or arbitration proceedings;
- protection of the life or of the physical safety;
- protection of health (only applied to procedures carried out by health professionals, health services, or sanitary authorities); and
- fraud prevention and to guarantee security to the data subject.
There are no specific rules on controller and processor agreements under the LGPD; the only requirement is that a data processor must follow all the instructions provided by the data controller, which verifies compliance with its instructions and with the regulations related to data protection.
8. DATA SUBJECT RIGHTS
The LGPD establishes the following rights for data subjects (Article 18 of the LGPD):
- confirmation of the existence of processing;
- access to data;
- correction of incomplete, inaccurate, or outdated data;
- anonymisation, blocking, or elimination of unnecessary or excessive data or of data processed in non-compliance with the provisions of the LGPD;
- portability of the data to other service providers or suppliers of products, by the means of an express request, pursuant to the regulations of the ANPD, and subject to commercial and industrial secrecy;
- elimination of the personal data processed with the consent of the data subjects, except in the cases set forth in Article 16 of the LGPD;
- information on the public and private entities with which the controller has shared data;
- information on the possibility of not providing consent and on the consequences of such denial;
- revocation of the consent, pursuant to the provisions of Article 8(5) of the LGPD; and
- review of decisions based on processing of personal data carried out exclusively by automated means.
The rights of confirmation of the existence of processing and access to data must be addressed by the controller immediately, in a simplified format, or within 15 days, in a clear and complete declaration (Article 19(II) of LGPD).
For the other data subject rights, the ANPD shall regulate the appropriate timeframe that should be observed by data controllers (Article 19 (§ 4º) of the LGPD).
The LGPD specifies that data subjects have the right of access to information concerning the processing of their personal data (Article 9 of the LGPD). The LGPD does not explicitly refer to a difference in requirements for the right to be informed when personal data is obtained directly from the data subject or from a third party.
The LGPD provides that data subjects have the right to obtain, at any time and by means of request, information regarding the data subject's personal data that is being processed (Article 18 of the LGPD).
The LGPD provides that data subjects have the right to the correction of incomplete, inaccurate, or out-of-date data, at any time and by means of request (Article 18(III) of the LGPD).
This right is to be exercised upon the request and consent of the data subject (Article 18(VI) of the LGPD).
The LGPD outlines that a data subject can request the blocking of unnecessary or excessive data or data processed in non-compliance with the provisions of the LGPD (Article 18(IV) of the LGPD).
Under the LGPD, the right to restriction is referred to as 'blocking', which the LGPD defines as the temporary suspension of any processing operation, by means of retention of the personal data or the database (Article 5(XIII) of the LGPD).
Also, data subjects have the right to request the removal of their personal data which is processed under the legal basis of consent, with an exception applied to data stored for:
- compliance with a legal or regulatory obligation by the controller;
- studies by a research body, ensuring, whenever possible, the anonymisation of the personal data; and
- transfer to third parties, provided that the data processing requirements set forth in the LGPD are complied with.
A data subject has the right to the portability of their data, by means of an express request, pursuant to the regulations of the national authority, and subject to commercial and industrial secrets (Article 18(V) of the LGPD).
The data subject has the right to request for the review of decisions made solely based on automated processing of personal data affecting their interests, including decisions intended to define her/his personal, professional, consumer, and credit profile, or aspects of her/his personality (Article 20 of the LGPD).
Under the LGPD, the following sanctions may be imposed (Article 51 of the LGPD):
- warnings, with indication of a term for adoption of corrective measures;
- simple fines of up to 2% of the sales revenue of the legal entity of private law, group, or conglomerate in Brazil in its last fiscal year, excluding taxes, limited, in the aggregate, to BRL 50 million (approx. €8.1 million) per infraction;
- daily fines, with due regard for the total limit referred to in item two;
- disclosure of the infraction after it has been duly investigated and its occurrence has been confirmed;
- blockage of the personal data to which the infraction relates, until its regularisation;
- elimination of the personal data to which the infraction relates;
- partial suspension of the functioning of the databases which are the subject of the non-compliant action for up to six months, extendable for a further six months; and
- partial or total prohibition to execute activities related to data processing.
There are no enforcement decisions yet.