Articles - 11/10/18
The New Data Protection Law in Brazil and the European Union's General Data Protection Regulation

The new Brazilian Personal Data Protection Law (Law No. 13.709, of August 14th, 2018, “LGPD”, for the acronym in Portuguese) regulates the use, treatment, and storage of personal information, aiming especially to ensure that individuals have control over their personal data.
The LGPD arises as a complement to the Internet Civil Regulatory Act (Law No. 12.965, of April 23rd, 2014), and finds its main inspiration in the rules of the General Data Protection Regulation (“GDPR”), a European Union framework on data protection in force since May 25th, 2018.
The LGPD has sought to set up a modern normative framework based on the GDPR model, with the purpose of including Brazil in the list of countries and international entities that can provide a level of protection to personal data that is in accordance with international standards.
By establishing February 15th, 2020, as the date on which the law becomes effective, the legislator granted, as from publication, an 18-month period for Brazilian companies to adapt themselves to the new rules. Given the LGPD's similarity to the GDPR, companies that operate in the international market and had already started adapting themselves to the European regulation are believed to have a smoother transition to the LGPD.
The new Brazilian law sets forth clear and preventive rules on data collection, storage, treatment, and sharing, which will encourage the adoption of safer and more transparent practices for the use of personal data.
Amongst its provisions, the LGPD establishes that data treatment in Brazil will comply with the principles of purpose and necessity: data must be collected for specific purposes, of which the subject is informed beforehand, and the collection must remain proportional to the purposes to be achieved.
Just like the GDPR, the LGPD grants data subjects rights such as easy access to and correction of incomplete or wrong data, cost-free and facilitated elimination of personal data, and portability of their information to another product supplier or service provider.
Personal data are defined as any information about an identified or identifiable individual. In addition, the LGPD, just like the GDPR, defines and sets forth specific standards for the treatment of sensitive data (in connection with racial and ethnic origin, political opinions, sex life and others), which may only be treated upon the subject’s consent, given in a specific and emphasized way, for specific purposes. It also provides specific rules for the treatment of data related to children and teenagers, whose processing must be approved by parents or guardians.
However, in some circumstances, consent by the subject may be exempted, such as: use of data to fulfill legal obligations, enforcement of public policies, protection of life of the subject or third parties, among others.
Companies will have to be more attentive to how data will be collected for treatment, and they must assure and effectively demonstrate that they have the consent from the individual that provides it.
Thus, data treatment agents will have the obligation to adopt measures to guard against unauthorized access to gathered data, as well as to report accidental or unlawful destruction, loss, or unauthorized disclosure of the collected data. The LGPD imposes the obligation to report any security breach incident to the competent Brazilian authority and to the subject within “a reasonable term”, whereas the GDPR sets a deadline of no later than 72 hours after awareness of the fact.
Failure to comply with the obligations therein will result in a warning notice or payment of a single or daily penalty, in the amount of up to 2% of the company’s revenue (capped at 50 million Reais per violation), a lighter penalty when compared to the penalty of up to 4% of the worldwide revenue of the economic group in the year or 20 million Euros (whichever is higher), as set forth by the GDPR.
There used to be, within the text of the LGPD Bill approved by the Brazilian Senate, a provision establishing penalties of partial or full interruption of the data treatment by companies in violation of the rules, which was, however, vetoed by the President during final sanction. The same fate befell the creation of the National Authority of Data Protection, under the argument that the prerogative to create entities that generate expenses to the government budget belongs to the Executive Branch.
In short, the new Brazilian data protection law has proposed striking changes, which are being adopted in a large part of the world. Companies from all sectors will have to adapt themselves to the transitions and a new culture on the proper use of data will have to be developed.