Brazil - Data Protection Overview
Law No. 13.709 of 14 August 2018, the General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD'), was passed in 2018 and entered into effect on 18 September 2020. The LGPD is a comprehensive data protection law which covers the activities of data controllers and processors and creates new requirements for the processing of data subjects' information. It includes provisions on a variety of issues such as data protection officer ('DPO') appointments, Data Protection Impact Assessments ('DPIA'), international data transfers, and data breaches.
1. GOVERNING TEXTS
In relation to enforcement, the President of Brazil, Jair Bolsonaro, promulgated, on 10 June 2020, Law No. 14.010 of 10 June 2020 (only available in Portuguese), which postpones the application of the LGPD's administrative sanctions until 1 August 2021.
2. SCOPE OF APPLICATION
The LGPD provides for the processing of personal data, including by digital means, by a natural person or a legal entity of either public or private law, with the purpose of protecting the fundamental rights of freedom and privacy as well as the free development of the personality of the natural person.
The LGPD has extraterritorial application, being applicable to any individual or legal entity governed by public or private law irrespective of the means, the country in which its headquarters is located, or the country in which the data is located, provided:
- the processing operation is carried out in the national territory;
- the processing activity is aimed at the offering or provision of goods or services, or at the processing of data of individuals located on the national territory; or
- the personal data being processed was collected in the national territory.
Article 3(1) of the LGPD states that data collected in the national territory is data whose subject is in the national territory at the time of collection.
The LGPD applies to the processing of personal data, including by digital means, carried out by a natural person or by a public or private legal entity.
The following data processing activities are exempted from the application of the LGPD:
- processing carried out by a natural person, exclusively for private and non-economic purposes;
- processing for journalistic and artistic purposes;
- processing for academic purposes (but observing the rules set out in Articles 7 and 11 of the LGPD);
- processing carried out with the exclusive purpose of public safety, national defence, state security, or investigation activities and prosecution of criminal offences; or
- processing of personal data that originates outside Brazil and is not the object of communication, shared use with Brazilian processing agents, or international transfer to a country other than the country of origin, provided that the country of origin ensures a level of personal data protection adequate to that of the LGPD.
3.1. Main regulator for data protection
The Brazilian data protection authority ('ANPD') is the main regulator. The ANPD is a body of the federal public administration, part of the Presidency of the Republic, and is composed of:
- board of directors, as the highest body of direction;
- National Board of Personal Data Protection and Privacy;
- internal affairs office;
- legal advisory body; and
- other administrative and specialised units required for the enforcement of the LGPD.
The board of directors of the ANPD is composed of five directors, including the President Director, all of them appointed by the President of the Republic. They must be Brazilians with an unblemished reputation, a high level of education, and high standing in the field of specialisation of the position for which they are appointed. In particular, Bolsonaro appointed Waldemar Gonçalves Ortunho Junior as President Director of the ANPD for a six-year term, and Joacil Basilio Rael, Nairane Farias Rabelo Leitão, Miriam Wimmer, and Arthur Pereira Sabbat as directors for terms of two to five years.
3.2. Main powers, duties and responsibilities
The ANPD is responsible for the enforcement of the LGPD and has the following powers to ensure the protection of individuals' data:
- supervise the protection of personal data, including by conducting inspections or ordering them;
- ensure observance of commercial and industrial secrets, taking into account the protection of personal data and the confidentiality of information when protected by law or when a breach of confidentiality would violate the foundations of the LGPD;
- receive and process data subject claims against controllers (after the claim has been submitted to the controller and not resolved in accordance with the LGPD);
- decide how data processing agents should be transparent about their personal data processing activities;
- request, from public authorities that carry out personal data processing activities, information regarding the scope and nature of the data and other details of the processing, with the possibility of issuing technical opinions to ensure compliance with the LGPD;
- issue regulations and procedures on privacy and personal data protection, including on DPIAs;
- consult data processing agents and society on matters of relevant interest;
- collect and apply its revenue and publish a detailed report on its revenue and expenses;
- conclude agreements with data processing agents in order to eliminate irregularities, legal uncertainties, or litigious situations in administrative proceedings;
- enact rules, guidelines, and simplified procedures, including regarding deadlines, for small and micro companies, start-ups, and innovative businesses in order to help them achieve compliance with the LGPD;
- ensure that the processing of personal data of elderly people is carried out in a simple, clear, accessible, and adequate manner suited to their understanding;
- decide, at an administrative level, on the LGPD's interpretation, its competences, and cases in which it is silent;
- implement simplified mechanisms, including by electronic means, for the registration of complaints about personal data processing that is non-compliant with the LGPD;
- inspect and sanction cases of data processing that are non-compliant with the LGPD through administrative proceedings that ensure the right to adversary proceedings, full defence, and the right to appeal;
- report to the appropriate authorities the criminal offences that come to its knowledge;
- report to the internal affairs bodies any non-compliance with the LGPD by bodies and entities of the federal public administration;
- disseminate throughout society knowledge about legal norms and policy on personal data protection and its security measures;
- encourage the adoption of standards for services and products that facilitate the control and protection of personal data by their subjects, considering the specificities of the activities and the size of controllers;
- prepare studies about national and international practices on personal data protection and privacy;
- promote cooperation with personal data protection authorities from other countries, of an international or transnational nature; and
- draft management reports on its annual activities.
4. KEY DEFINITIONS
Sensitive data: Personal data on racial or ethnic origin, religious belief, political opinion, trade union or religious affiliation, or philosophical or political organisation membership, as well as data relating to health or sex life, or genetic or biometric data, when related to a natural person.
Pseudonymisation: Processing by means of which data loses the possibility of direct or indirect association with an individual, except through the use of additional information kept separately by the controller in a controlled and secure environment.
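The definition above has a concrete engineering shape: the released dataset must not allow association with a person on its own, and the only thing that restores the link is additional information held apart, under stricter access control. The following is an added example (not code from the page or from any Brazilian regulator) in Python showing one common way to implement this: direct identifiers are replaced by keyed HMAC tokens, and the key together with the token-to-identifier map live in a separate "vault" object that stands in for the controlled environment. The field names `cpf` and `email`, the sample records, and the fixed keys used in the usage note are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional, Tuple

# Fields assumed here to be direct identifiers of a natural person.
# These are replaced by tokens in the released dataset.
DIRECT_IDENTIFIERS: Tuple[str, ...] = ("cpf", "email")


class ReidentificationVault:
    """Holds the secret key and the token -> identifier map.

    This object represents the 'additional information kept separately by the
    controller': it must be stored and access-controlled separately from the
    pseudonymised dataset, otherwise the data is not pseudonymised at all.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self._reverse: Dict[str, str] = {}

    def tokenise(self, field: str, value: str) -> str:
        # Keyed HMAC rather than a bare hash: CPFs and e-mail addresses are
        # guessable, so an unkeyed hash could be reversed by enumeration.
        mac = hmac.new(self.key, f"{field}:{value}".encode("utf-8"), hashlib.sha256)
        token = mac.hexdigest()[:32]
        self._reverse[token] = value
        return token

    def reidentify(self, token: str) -> Optional[str]:
        """Restore the original identifier; only possible with the vault."""
        return self._reverse.get(token)

    def destroy(self) -> None:
        # Discarding key and map removes the controller's own means of
        # re-association; the released records then hold only opaque tokens.
        self.key = b""
        self._reverse.clear()


def pseudonymise_records(records: Iterable[dict], vault: ReidentificationVault,
                         fields: Tuple[str, ...] = DIRECT_IDENTIFIERS) -> List[dict]:
    """Return copies of the records with direct identifiers replaced by tokens.

    Tokens are deterministic under one key, so records belonging to the same
    person can still be joined (useful for analytics) without exposing who.
    """
    released = []
    for rec in records:
        copy = dict(rec)
        for field in fields:
            if copy.get(field) is not None:
                copy[field] = vault.tokenise(field, copy[field])
        released.append(copy)
    return released


def leaks_identifier(released: List[dict], originals: List[dict],
                     fields: Tuple[str, ...] = DIRECT_IDENTIFIERS) -> bool:
    """Sanity check before release: no original identifier value survives."""
    original_values = {r[f] for r in originals for f in fields if r.get(f)}
    released_values = {r[f] for r in released for f in fields if r.get(f)}
    return bool(original_values & released_values)


# Constructed sample records; the CPFs and addresses are not real people.
SAMPLE_RECORDS = [
    {"cpf": "123.456.789-09", "email": "ana@example.com", "city": "Recife", "plan": "basic"},
    {"cpf": "987.654.321-00", "email": "bruno@example.com", "city": "Curitiba", "plan": "premium"},
    {"cpf": "123.456.789-09", "email": "ana@example.com", "city": "Recife", "plan": "premium"},
]


if __name__ == "__main__":
    vault = ReidentificationVault()
    released = pseudonymise_records(SAMPLE_RECORDS, vault)
    for row in released:
        print(row)
    print("leaks identifier:", leaks_identifier(released, SAMPLE_RECORDS))
    print("re-identified:", vault.reidentify(released[0]["cpf"]))
```

Two design points matter in practice. First, the vault (key plus map) and the released dataset must be stored in different places with different access rights; if both sit in the same database the "additional information" is not separate and the protection is nominal. Second, the deterministic token preserves joins across records of the same person, which is what makes pseudonymised data useful for studies, but it also means a linkage attack on the remaining attributes (city, plan) is still possible; pseudonymisation reduces, it does not eliminate, identifiability, which is why the LGPD treats it differently from anonymisation.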
5. LEGAL BASES
Provided for in Articles 7, 11, and 14 of the LGPD, consent is the free, informed, and unequivocal expression by which the data subject agrees to the processing of their personal data for a specific purpose; it can be relied on for both 'regular' personal data and sensitive personal data.
In order to process data of children (individuals below 12 years old), it is necessary to collect the specific and explicit consent of at least one of the parents or legal guardians.
The contractual basis applies to data processing activities necessary for the performance of a contract, or of preliminary procedures related to a contract, to which the data subject is a party, at the request of the data subject.
Personal data and sensitive data can be processed for compliance with a legal or regulatory obligation by the controller.
There is no specific legal basis for processing personal data in order to pursue the interests of the data subject; however, the legitimate interest of the data controller can be applied in situations such as the protection of the regular exercise of its rights or the provision of services that benefit the data subject (see the discussion of legitimate interest below).
There are no specific legal bases to process personal data in order to pursue public interests; however, public administration can process personal data when necessary for the execution of public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments.
The legitimate interest of the data controller or of a third party cannot be relied on to process sensitive data, and the data controller should:
- guarantee that the personal data being processed is strictly necessary for the intended purpose; and
- adopt measures to ensure the transparency of data processing based on its legitimate interest.
The ANPD may request a DPIA from the data controller when processing is based on its legitimate interest, subject to trade and commercial secrecy.
Other legal bases to process personal data are:
- for carrying out studies by research bodies;
- regular exercise of rights in lawsuits or administrative or arbitration proceedings;
- protection of the life or of the physical safety;
- credit protection, which cannot be applied to sensitive data;
- fraud prevention and guaranteeing the security of the data subject in identification and authentication processes in electronic systems, only for sensitive data; and
- protection of health, only applying however to procedures carried out by health professionals, health services, or sanitary authorities.
Article 6 of the LGPD foresees that any activities of processing of personal data should be performed observing the following principles:
- good faith;
- purpose: processing for legitimate, specific, and explicit purposes informed to the data subject, without any possibility of further processing inconsistent with these purposes;
- adequacy: compatibility of the processing with the purposes informed to the data subject, in accordance with the context of the processing;
- necessity: limitation of the processing to the minimum necessary to achieve its purposes, covering data that is relevant, proportionate, and non-excessive in relation to the purposes of the data processing;
- free access: guarantee to the data subjects of facilitated and free of charge consultation about the form and duration of the processing, as well as about the entirety of their personal data;
- data quality: guarantee to the data subjects of the accuracy, clarity, relevancy, and updating of the data, in accordance with the need and for achieving the purpose of the processing;
- transparency: guarantee to the data subjects of clear, precise, and easily accessible information about the carrying out of the processing and the respective processing agents, subject to commercial and industrial secrecy;
- security: use of technical and administrative measures able to protect personal data from unauthorised access and accidental or unlawful situations of destruction, loss, alteration, communication, or dissemination;
- prevention: adoption of measures to prevent the occurrence of damage in view of the processing of personal data;
- non-discrimination: impossibility of processing data for discriminatory, unlawful, or abusive purposes; and
- accountability: proof, by the controller or processor, of adoption of effective measures able to prove observance of and compliance with the personal data protection rules, as well as of the effectiveness of these measures.
7. CONTROLLER AND PROCESSOR OBLIGATIONS
There is no obligation to notify data processing activities.
The international data transfer rules under the LGPD are similar to those of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'):
The international transfer of personal data is permitted solely in the following cases:
- to countries or international organisations that provide an appropriate level of protection of personal data provided for by the LGPD;
- when the controller provides and demonstrates guarantees of compliance with the principles and rights of the data subject and data protection regime established in the LGPD, in the form of:
- specific contractual clauses for a given transfer;
- Standard Contractual Clauses ('SCCs');
- Binding Corporate Rules;
- seals, certificates, and codes of conduct regularly issued;
- when the transfer is required for international legal cooperation between government intelligence, investigations, and police bodies, in accordance with international law instruments;
- when the transfer is required for the protection of life or physical integrity of the data subject or any third party;
- when the ANPD authorises such transfer;
- when the transfer results in a commitment undertaken under an international cooperation agreement;
- when the transfer is required for the execution of a public policy or a legal attribution of a public service, subject to disclosure pursuant to item I of the main provision of Article 23 of the LGPD;
- when the data subject has provided specific and highlighted consent for such transfer, with prior information on the international nature of the operation, clearly distinguishing it from any other purposes; or
- when required to meet the cases provided for in items II, V, and VI of Article 7 of the LGPD.
There are no specific requirements on outsourcing. It is not prohibited under the LGPD; however, if it involves cross-border transfers of personal data, the rules under the LGPD must be observed.
The controller and the processor must keep records of the personal data processing operations they carry out, especially where the processing is based on legitimate interest. The LGPD does not specify which information these records must contain.
The ANPD may require the controller to prepare a DPIA relating to its data processing operations, as provided for in the regulations, with due regard for commercial and industrial secrecy.
The DPIA should contain at least a description of the types of data collected, the methodology used for collecting the data and for ensuring the security of the information, and the controller's analysis of the measures, safeguards, and risk mitigation mechanisms adopted.
It is worth mentioning that the ANPD has not regulated this matter yet.
A DPO must be appointed by controllers. The ANPD could exempt controllers from appointing a DPO according to the nature and the size of the entity or the volume of data processing operations.
The identity and contact details of the DPO must be publicly, clearly, and objectively disclosed, preferably on the controllers' website. The activities of the DPO consist of the following:
- to accept complaints and communications from data subjects, provide clarifications, and take measures;
- to receive communications from the supervisory authority and take measures;
- to instruct the employees and contractors of the entity on the practices to be adopted in relation to personal data protection; and
- to carry out any other duties established by the controller or in supplementary rules.
The ANPD may establish supplementary rules on the definition and duties of the DPO.
The controller must notify the ANPD and the data subjects of the occurrence of any security incident that may result in relevant risk or damage to the data subjects.
The notice must, at a minimum, contain the following information:
- a description of the nature of the affected personal data;
- information on the data subjects involved;
- indication of the technical and security measures used for data protection, with due regard for trade and industrial secrets;
- the risks relating to the incident;
- the reasons for the delay, in case the notice is not immediate; and
- the measures that were or will be adopted to reverse or mitigate the effects of the harm.
The Internet Act, Federal Law No. 12.965 of 23 April 2014 (only available in Portuguese), applies to internet companies (internet service providers ('ISPs') and application providers) and establishes:
- data retention rules (logs);
- protection of electronic messages; and
- specific conditions for the processing of personal data (which partially conflict with the LGPD, so ANPD guidance and court decisions are needed to clarify this matter).
Decree No. 8.771/2016 (only available in Portuguese) establishes information security standards for internet companies (ISPs and application providers), whereas Resolution No. 4.658/2018 of the Central Bank (only available in Portuguese) establishes specific requirements for cloud computing agreements entered into by financial entities.
Each sector has its own rules on data retention. The LGPD only sets forth that data shall be stored for the shortest period of time possible and cannot be processed after the purpose of its processing has been accomplished. Moreover, the ANPD may regulate the period for which controllers and processors must keep their records of processing activities.
Article 14 of the LGPD requires that the processing of personal data of children and adolescents be carried out in their best interest, pursuant to the provisions of that Article and of the applicable law.
To process the personal data of children, it is mandatory to collect specific and explicit consent from at least one parent or legal guardian. As an exception, the data may be collected without such consent where collection is necessary to contact the parents or legal guardian (used a single time and without storage) or for the child's protection; in those cases the data may not be transferred to third parties under any circumstance without the aforementioned consent.
Under Brazilian law, 'children' are individuals under 12 years of age and 'adolescents' are individuals aged 12 or older but under 18.
Controllers are also required to have an appropriate legal ground set out in the LGPD in order to be allowed to process sensitive personal data, as summarised below:
- compliance with a legal or regulatory obligation;
- for carrying out studies by research bodies;
- regular exercise of rights, including in contracts and in lawsuits or administrative or arbitration proceedings;
- protection of the life or of the physical safety;
- protection of health (only applied to procedures carried out by health professionals, health services, or sanitary authorities); and
- fraud prevention and to guarantee security to the data subject.
There are no specific rules on controller and processor agreements under the LGPD. The only requirement is that the processor carry out the processing in accordance with the controller's instructions, and that the controller verify compliance with its instructions and with the data protection rules.
8. DATA SUBJECT RIGHTS
The LGPD establishes the following rights for data subjects:
- confirmation of the existence of processing;
- access to data;
- correction of incomplete, inaccurate, or outdated data;
- anonymisation, blocking, or elimination of unnecessary or excessive data or of data processed in non-compliance with the provisions of the LGPD;
- portability of the data to other service providers or suppliers of products, by the means of an express request, pursuant to the regulations of the ANPD, and subject to commercial and industrial secrecy;
- elimination of the personal data processed with the consent of the data subjects, except in the cases set forth in Article 16 of the LGPD;
- information on the public and private entities with which the controller has shared data;
- information on the possibility of not providing consent and on the consequences of such denial;
- revocation of the consent, pursuant to the provisions of Article 8(5) of the LGPD; and
- review of decisions based on processing of personal data carried out exclusively by automated means.
Requests for confirmation of the existence of processing and for access to data must be answered by the controller either immediately, in a simplified format, or within 15 days of the request, by means of a clear and complete declaration.
For the other data subject rights, the ANPD shall regulate the timeframe to be observed by data controllers.
The LGPD specifies that data subjects have the right of access to information concerning the processing of their personal data (Article 9 of the LGPD). The LGPD does not explicitly distinguish the information requirements for cases where personal data is obtained directly from the data subject from those where it is obtained from a third party.
The LGPD provides that data subjects have the right to obtain, at any time and by means of request, information regarding the data subject's personal data that is being processed (Article 18 of the LGPD).
The LGPD provides that data subjects have the right to the correction of incomplete, inaccurate, or out-of-date data, at any time and by means of request (Article 18(III) of the LGPD).
The right to erasure of personal data processed on the basis of consent is exercised upon the request of the data subject (Article 18(VI) of the LGPD), subject to the exceptions set out in Article 16.
The LGPD outlines that a data subject can request the blocking of unnecessary or excessive data or data processed in non-compliance with the provisions of the LGPD (Article 18(IV) of the LGPD).
Under the LGPD, the right to restriction is referred to as 'blocking', which the LGPD defines as the temporary suspension of any processing operation by means of retention of the personal data or the database (Article 5(XIII) of the LGPD).
A data subject has the right to the portability of their data, by the means of an express request, pursuant with the regulations of the national authority, and subject to commercial and industrial secrets (Article 18(V) of the LGPD).
The data subject has the right to request the review of decisions made solely on the basis of automated processing of personal data affecting their interests, including decisions intended to define their personal, professional, consumer, or credit profile, or aspects of their personality (Article 20 of the LGPD).
Under the LGPD, the following sanctions may be imposed:
- warnings, with indication of a term for adoption of corrective measures;
- simple fines of up to 2% of the revenue of the private legal entity, group, or conglomerate in Brazil in its last fiscal year, excluding taxes, limited in aggregate to BRL 50 million (approx. €8.1 million) per infraction;
- daily fines, subject to the total limit referred to in the preceding item;
- disclosure of the infraction after it has been duly investigated and its occurrence has been confirmed;
- blockage of the personal data to which the infraction relates, until its regularisation;
- elimination of the personal data to which the infraction relates;
- partial suspension of the functioning of the databases which are the subject of the non-compliant action for up to six months, extendable for a further six months; and
- partial or total prohibition to execute activities related to data processing.
There are no enforcement decisions yet, given that the sanctions provided for in the LGPD only enter into force on 1 August 2021.