Brazil LGPD Compliance and Cybersecurity
The General Data Protection Law (LGPD) is a federal law in Brazil that establishes a comprehensive privacy
and personal data protection regime. It provides individuals with enforceable privacy rights and
imposes data protection and breach notification rules on local and foreign entities.
What is the LGPD and what does it mean for your business?
The General Data Protection Law (Federal Law no. 13,709/2018) is the English rendering of the legislation's name in Portuguese, “Lei Geral de Proteção de Dados Pessoais”, hence the acronym "LGPD". It significantly modernized the privacy and personal data protection regime in Brazil, which had previously consisted of multiple sectoral regulations, similar to HIPAA or GLBA in the United States.
In force since August 16, 2020 and comprising 65 articles, the LGPD introduced a set of privacy rights for individuals comparable to the European GDPR. For instance, under Article 18 of LGPD, individuals now have the right to know how and if their data is processed, or with whom it was shared. Individuals may also request access to their personal data and ask for eventual correction of erroneous or outdated information and, under certain conditions, may request its deletion.
The LGPD also stipulates that any processing of personal data requires a lawful basis, absent which personal data cannot be processed (Article 7). Furthermore, all entities that collect and process personal data must provide a transparent privacy notice explaining how they handle the data. The LGPD requires privacy by design and by default, setting a high standard of privacy across the country. Article 33 limits transfers of personal data to foreign jurisdictions that meet certain conditions and provide a comparable standard of data protection, or to cases where the transfer is necessary to fulfill a legal duty.
Under the LGPD, personal data is broadly defined in Article 5 as “information related to an identified or identifiable natural person”. It offers additional protection for sensitive personal data on “racial or ethnic origin, religious conviction, political opinion, union affiliation or religious, philosophical or political organization, health or sexual life data, genetic or biometric data, when linked to a natural person”.
From a cybersecurity perspective, the LGPD (i) enacts strict data protection requirements and (ii) prescribes data breach notifications to the national regulator and individuals whose personal data was compromised, lost or stolen.
Who is covered by the LGPD?
With a similar structure and underlying philosophy to the GDPR, the LGPD also has a broad and inclusive coverage, in contrast to the CCPA in California. Article 3 makes it clear that the law applies both to the private and public sector, where the covered entity (i) processes personal data in Brazil, (ii) processes personal data of Brazilian residents, or (iii) where processing relates to offering goods or services in Brazil, or (iv) when processed personal data was collected in Brazil. There are some narrow exceptions, e.g. processing of personal data for the purpose of national security and defense.
The LGPD differentiates between data controllers and processors: the former have additional duties, such as appointing a Data Protection Officer (DPO) or performing a Data Protection Impact Assessment (DPIA). Both, however, are required to maintain records of their data processing operations and to design a sound cybersecurity and data protection strategy to safeguard personal data at their disposal. Controllers and processors may be jointly or severally liable for violations of the LGPD under Article 42.
Therefore, virtually all companies and organizations that do business in Brazil or process personal data of Brazilian residents, regardless of their industry, size or revenue derived from the Brazilian market, are covered by the LGPD and must abide by it.
Who enforces LGPD compliance?
Article 55 of the LGPD establishes the National Data Protection Authority - translated from the native Portuguese “Autoridade Nacional de Proteção de Dados” with the acronym “ANPD”. The ANPD is empowered to oversee personal data protection and compliance with the LGPD, issue supplementary rules and procedures for personal data protection, bring enforcement actions and impose penalties for LGPD infringements.
In January 2021, the ANPD published its first regulatory strategy for the next three years. The strategy highlights three strategic goals: to promote and strengthen a culture of personal data protection; to establish an effective regulatory environment for data protection; and to facilitate and improve the ability of ANPD to operate under the LGPD.
What are the penalties for LGPD violations?
Article 52 of the LGPD sets out monetary penalties rising to 2% of the infringer’s revenue in Brazil for the past financial year, with a cap of 50,000,000 BRL per infraction (approximately 10 million EUR), putting it on a par with the lower maximum of GDPR fines.
Additionally, when appropriate, the ANPD is permitted to disclose and publicize confirmed data breaches, restrict unlawful processing of personal data, or order deletion of illegitimately collected or retained personal data. Finally, the ANPD may impose partial or total prohibition of activities related to personal data processing.
On top of ANPD sanctions, aggrieved individuals whose personal data was lost, compromised or stolen in violation of the LGPD may file an individual lawsuit or join a class action to claim damages pursuant to Article 42. Both data controllers and processors may be jointly or severally liable for insufficient data protection or poor cybersecurity practices.
On 27 February 2023, the ANPD approved a Regulation on the “Setting and Application of Administrative Penalties” which determines the methodology for calculating fines and applying other sanctions under the LGPD. The Regulation provides criteria for determining the severity of an infringement (mild, moderate or severe), including the scale of damage caused, the intent or negligence of the data controller, and the volume and nature of the data. The Regulation also establishes mitigating and aggravating factors (e.g. cooperation with the ANPD).
The first fines under the LGPD were issued in July 2023. Telekall Infoservice, a small telecommunications firm, was investigated by the ANPD for allegedly offering bulk messaging services through WhatsApp to politicians. It was also accused of failing to appoint a data protection officer, failing to provide a legitimate legal basis for processing personal data, and not cooperating during investigations. It received two fines of 7,200 BRL and a warning from the ANPD.
What are the cybersecurity requirements under the LGPD?
The LGPD grants the ANPD specific rule-making authority to develop detailed technical and security standards that data processors and data controllers must follow to secure personal data at rest and in transit.
Personal data protection is deeply rooted in the LGPD’s foundational data protection principles set out in Article 6 of the legislation, which include the following sub-sections:
- VII - Security: “use of technical and administrative measures capable of protecting personal data from unauthorized access and accidental or unlawful destruction, loss, alteration, communication or dissemination”; and
- VIII - Prevention: “adoption of measures to prevent the occurrence of damage due to the processing of personal data”.
Article 44 further states that the “processing of personal data will be irregular when it fails to comply with the law or when it does not provide the security that the holder can expect.”
A comprehensive approach to data protection under the LGPD is then detailed in Article 46, which requires security, technical and administrative measures able to protect personal data from unauthorized access. Article 50 encourages wide adoption of security best practice by controllers and processors, and requires the creation and maintenance of a corporate governance program for privacy. Among other things, the program should establish adequate policies and safeguards based on a systematic evaluation of privacy risks, create an incident response plan, and ensure continuous improvement of existing information security policies and procedures.
In a nutshell, the LGPD requires a risk-based approach to information security that enables the data controller or processor to identify relevant cyber risks and threats, implement adequate security controls, and perform continuous cybersecurity monitoring so that security mechanisms keep pace with the rapidly evolving threat landscape.
What are the data breach notification requirements under the LGPD?
Article 48 of the LGPD imposes a mandatory data breach notification duty on data controllers. Under the law, data controllers must notify the ANPD and affected individuals of any security incident that may create risk or relevant damage to the data subjects. The notice must be made within a “reasonable time period”, which in practice will likely mean without undue delay once the incident is discovered.
Similar to the data breach provisions of other privacy laws and regulations, the notice under the LGPD must describe the nature of the incident, the personal data compromised, the reasonably foreseeable risks, and the steps suggested to mitigate the damage to those affected.
The ANPD will then assess the gravity of the reported incident and, depending on the identified risks and threats, may order the affected entity to disclose the incident broadly in communications to the media and to undertake measures to reverse or mitigate its effects.
In contrast to the GDPR, where data processors must rapidly notify data controllers about any data breaches and security incidents, the LGPD is silent about data breach notification obligations for data processors.