Comparing Privacy Laws: GDPR v. LGPD
Lei Geral de Proteção de Dados Pessoais (LGPD) entered into force in Brazil on September 18, 2020, and represented the first comprehensive data protection framework in the country. The LGPD aims to increase the protection of personal data and regulate the way businesses collect, use, and process personal data. Brazil’s LGPD was heavily influenced by the EU General Data Protection Regulation (GDPR), and this is apparent throughout its text.
In order to understand the similarities and differences between the LGPD and the GDPR, OneTrust DataGuidance and Baptista Luz Advogados produced this comparison report to assist organizations in their understanding of the latest developments and changes in the Brazilian legislation. The report was updated in September 2020 to take into account the latest developments and the entry into force of the LGPD’s enforcement provisions.
Comparing the GDPR with the LGPD
Many of the LGPD’s provisions mirror those found under the GDPR, such as data protection officer (DPO) appointment for Data Controllers, data subject rights, and scope of applicability.
However, differences between the GDPR and the LGPD make compliance with the two laws a complex undertaking for some companies. Such differences include the lawful bases for processing sensitive personal data and the requirements for Data Protection Impact Assessments (DPIAs).
Scope
The scope of both laws is closely aligned in terms of the types of personal data covered by the law and the extraterritorial reach.
Both the GDPR and the LGPD apply to organizations that:
- Have a presence in the respective region
- Are not physically located in the respective region but offer goods and services there or process personal data there
Both the GDPR and the LGPD apply to businesses that do not have any presence in either region but take part in the processing of personal data of individuals in the respective region. More specifically, the GDPR applies to the monitoring of the behavior of individuals in the EU, whereas the LGPD applies to the processing of personal data of individuals who are in Brazil, regardless of where the data is processed.
The GDPR and the LGPD both apply to the processing of personal data of identifiable natural persons carried out by data controllers and data processors regardless of the nationality or residency status of the data subject.
Legal Bases
The legal bases for processing personal data under the GDPR and the LGPD are similar in many instances. However, there are some legal bases that can only be found under the LGPD.
Legal bases for personal data processing that can be found under both laws include:
- Consent
- Performance of a contract
- Compliance with a legal obligation
- Protection of the vital interests of the data subject
- Activities performed in the public interest by the public administration or by an official authority
- Legitimate interest
However, only the LGPD provides the following legal bases for processing personal data:
- Studies conducted by a research body that guarantee the anonymization of personal data where possible
- Regular exercise of rights in judicial, administrative, or arbitral proceedings
- Protection of health, in a procedure conducted by health professionals or by health entities
- When necessary for credit protection or credit analysis
Data Subject Rights
Article 18 of the LGPD defines several data subject rights for individuals to exercise in order to have greater control over their personal data. Many of these take inspiration from the rights accessible to the data subject in the European Union. Organizations that fall under the scope of the LGPD are required to inform data subjects of their rights and make the method for making data subject requests easily accessible to the data subject.
Data subject rights under the LGPD include:
- Right to be informed
- Right to confirm processing
- Right of access
- Right to correction
- Right to restrict processing of excessive data or data processed in non-compliance with the provisions of the LGPD
- Right to data portability
- Right to erasure
- Right to withdraw consent
Enforcement
As with the GDPR, the LGPD provides for the establishment of an independent national data protection authority. In Brazil, the Autoridade Nacional de Proteção de Dados (ANPD) has been established and has many responsibilities that resemble those placed upon supervisory authorities in Europe. These include:
- Investigative powers
- Corrective powers
- Handling complaints lodged by data subjects
- Promoting public awareness of the law
However, there are some differences in the set-up of the ANPD that distinguish it from European supervisory authorities. The ANPD is a federal public administrative agency that may be transformed into a federal independent agency, and it does not have financial autonomy. The ANPD is also composed of a Board of Directors, a Council for Data Protection and Privacy, an Internal Affairs Office, and legal departments.
Download the report for a closer look at the similarities and differences between data controller and data processor obligations, the requirements for the transfer of personal data, and the principles for processing personal data. OneTrust DataGuidance has also produced the Operationalizing the LGPD report, which consists of four expert-authored articles that help with the understanding of LGPD compliance and the core concepts outlined by the Brazilian General Data Protection Law.