Brazil LGPD Compliance and Cybersecurity
General Data Protection Law (LGPD) is a federal law in Brazil that establishes a comprehensive privacy and
personal data protection regime by providing individuals with enforceable privacy rights and
imposing data protection and breach notification rules on local and foreign entities.
What is LGPD and what does it mean for your business?
The General Data Protection Law (Federal Law no. 13,709/2018), in Portuguese “Lei Geral de Proteção de Dados Pessoais” or “LGPD”, significantly modernized privacy and personal data protection legislation in Brazil, which was previously composed of sectoral regulations similar to HIPAA or GLBA in the United States.
In force since August 16, 2020 and composed of 65 articles, LGPD introduced a set of privacy rights for individuals comparable to the European GDPR. For instance, under Article 18 of LGPD, individuals now have the right to know whether and how their data is processed, and with whom it was shared. Individuals may also request access to their personal data, request correction of erroneous or outdated information, and, under certain conditions, request deletion of their personal data.
LGPD also stipulates that processing of personal data requires a lawful basis, without which personal data cannot be processed (Article 7). Furthermore, all entities that collect and process personal data must provide a transparent privacy notice explaining how they handle the data. LGPD implies privacy-by-design and privacy-by-default, setting a high standard of privacy across the country. Finally, Article 33 restricts the transfer of personal data to foreign countries unless one or several specific conditions are properly met, such as the destination providing comparable protection to the data abroad or the transfer being necessary to fulfill a legal duty.
Under LGPD, personal data is broadly defined in Article 5 as any information regarding an identified or identifiable natural person. LGPD also offers supplementary protection for sensitive personal data, which includes racial or ethnic origin, religious belief, political opinion, membership of a trade union or of a religious, philosophical or political organization, data concerning health or sex life, and genetic or biometric data when related to a natural person.
From a cybersecurity viewpoint, LGPD enacts strict data protection requirements and prescribes data breach notifications to the national regulator and to the individuals whose personal data was compromised, lost or stolen.
Who is covered by LGPD?
Sharing a similar structure and underlying philosophy with GDPR, LGPD likewise has broad and inclusive coverage, in contrast to CCPA in California. Article 3 makes it clear that the law applies to both the private and public sectors whenever the covered entity processes personal data in Brazil, processes personal data of Brazilian residents, processes personal data in connection with offering goods or services in Brazil, or processes personal data that was collected in Brazil. There are some narrow exceptions, for example covering the processing of personal data for the purpose of national security and defense.
LGPD differentiates between data controllers and processors: the former have additional duties, such as appointing a Data Protection Officer (DPO) or performing a Data Protection Impact Assessment (DPIA). Both, however, are required to maintain records of their data processing operations and to design a sound cybersecurity and data protection strategy to safeguard the personal data at their disposal. Controllers and processors may be jointly or severally liable for violations of LGPD under Article 42.
Therefore, virtually all companies and organizations that do business in Brazil or process personal data of Brazilian residents, regardless of their industry, size or revenue derived from the Brazilian market, are covered by LGPD and must abide by it.
Who enforces LGPD compliance?
Article 55 of LGPD establishes the National Data Protection Authority, in Portuguese “Agência Nacional de Proteção de Dados” or “ANPD”. The ANPD is empowered to oversee personal data protection and compliance with LGPD, to issue supplementary rules and procedures for personal data protection, and to bring enforcement actions and impose penalties for LGPD infringements.
In January 2021, the ANPD published its first regulatory strategy for the following three years. The strategy highlights three strategic goals: to promote a culture of personal data protection, to establish an effective regulatory environment for personal data protection, and to facilitate and improve the ANPD’s ability to operate under the law.
What are the penalties for LGPD violations?
Starting from August 1, 2021, the ANPD may impose the sanctions provided under the statutory provisions of LGPD. Violations of LGPD may be quite costly; however, unlike PDPO in Hong Kong or PDPA in Singapore, LGPD does not yet provide criminal penalties.
Article 52 of LGPD provides monetary penalties of up to 2% of the infringer’s revenue in Brazil for the past financial year, capped at 50,000,000 BRL per infraction, making non-compliance almost as costly as GDPR’s financial penalties.
Additionally, when appropriate, the ANPD may publicize an infraction once it has been duly ascertained and its occurrence confirmed, restrict unlawful processing of personal data, or order deletion of illegitimately collected or retained personal data. Finally, the ANPD may impose a partial or total prohibition of activities related to personal data processing.
On top of ANPD sanctions, aggrieved individuals whose personal data was lost, compromised or stolen in violation of LGPD may file an individual lawsuit or a class action to claim damages pursuant to Article 42. Both data controllers and processors may be jointly or severally liable for insufficient data protection or poor cybersecurity practices.
What are the cybersecurity requirements under LGPD?
LGPD grants the ANPD more specific rule-making authority to develop detailed technical and security standards, applicable to both data processors and data controllers, for securing personal data at rest and in transit.
Personal data protection is deeply rooted in LGPD’s foundational data protection principles, set out in Article 6 of the legislation and applicable to both data controllers and data processors:
- Security: use of technical and administrative measures able to protect personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication or dissemination.
- Prevention: adoption of measures to prevent damage arising from the processing of personal data.
Article 44 further states that “processing of personal data shall be deemed irregular when it does not provide the security that its data subject can expect.”
A comprehensive approach to data protection under LGPD is then detailed in Article 46, which requires security, technical and administrative measures able to protect personal data from unauthorized access. Article 50 encourages wide adoption of security best practices by controllers and processors and requires the creation and maintenance of a corporate governance program for privacy. The program, among other things, shall establish adequate policies and safeguards based on a systematic evaluation of privacy risks, create an incident response plan, and ensure continuous improvement of the existing information security policies and procedures.
In a nutshell, LGPD requires a risk-based approach to information security that identifies relevant cyber risks and threats, implements adequate security controls, and performs continuous cybersecurity monitoring to ensure that the existing security mechanisms remain sufficient in view of the rapidly evolving cybersecurity threat landscape.
What are the data breach notification requirements under LGPD?
Article 48 of LGPD imposes a mandatory data breach notification duty upon data controllers. Under the law, data controllers must notify the ANPD and affected individuals about all security incidents that may create risk or relevant damage to the data subjects. The notice must be made within a “reasonable time period”, which will likely mean without delay once the incident is discovered.
Similarly to the data breach provisions of other privacy laws and regulations, the notice under LGPD must describe the nature of the incident, the compromised personal data, the reasonably foreseeable risks, and the suggested steps necessary to mitigate the damage to victims.
The ANPD will then assess the gravity of the reported incident and, depending on the identifiable risks and threats, may order the breached company to disclose the incident broadly in communications to the media and to undertake measures to reverse or mitigate the effects of the incident.
Unlike GDPR, under which data processors must rapidly notify data controllers about any data breaches and security incidents, LGPD is silent about breach notification obligations for data processors. This gap will likely be filled in soon by upcoming regulations from the ANPD.