Brazil Introduced a National Data Privacy Law

Countries around the world continue to enact and enforce stricter data privacy laws. In order to fix consumer data collection issues, several countries have revamped their old laws and passed new data privacy laws. The risk of compromise is higher for consumer information right now than it has ever been before. Brazil is the latest country to enforce a General Data Protection law known as the Lei Geral de Proteção de Dados Pessoais, or LGPD. The LGPD is definitely a more consumer-focused national data privacy law that aims to protect more sensitive or personal information from being collected, while also establishing consumer rights.

Will the LGPD affect my company?
The LGPD must be adhered to by all companies which collect or process the data of persons residing within Brazil or who offer goods and services in Brazil. The new data protection legislation in Brazil has an external legal effect, meaning, the legislation extends to businesses that do not have a physical presence in the country. Employers recruiting candidates in Brazil or employing third-party service providers in the country are expected to be LGPD compliant.

How does the LGPD actually work?
The LGPD is meant to monitor the collection of consumers’ personal and sensitive data. The responsibility of transparency is placed upon the employers as they are now required to assess how each type of data is collected, used, stored, and retained within their organization. Companies also now need to get an individual’s unambiguous consent before requesting that their personal data be processed for a specific purpose. While the LGPD does not directly define personal data, it does directly define consumers’ sensitive data.

Sensitive personal data is defined as information relating to an individual’s race or ethnicity, religion, health, sexual orientation, genetic and biometric information, labor and union membership, and political views. The collection of this confidential data can only occur with the explicit consent of the consumer. The LGPD directly defined nine concrete rights for consumers when it comes to their data, according to Forbes:

  1. The right to confirmation of the existence of the processing;
  2. The right to access the data;
  3. The right to correct incomplete, inaccurate or out-of-date data;
  4. The right to anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD;
  5. The right to the portability of data to another service or product provider, using an express request;
  6. The right to delete personal data processed with the consent of the data subject;
  7. The right to information about public and private entities with which the controller has shared data;
  8. The right to information about the possibility of denying consent and the consequences of such denial; and
  9. The right to revoke consent.

The Current Issues Facing the LGPD
Brazil is expected to establish a regulatory body referred to as the Autoridade Nacional de Proteção de Dados (“ANDP”), to impose fines and create legislation to assist in the application of the law. This organization, though, has not yet been established, leaving compliance and deciphering the actual intentions behind the text of the law up in the air. So, right now, it is up to companies to know whether or not this law applies to them. Companies must now become much more transparent than before and be proactive about becoming LGPD compliant.