Brazil's LGPD vs. the GDPR

The EU's General Data Protection Regulation (GDPR) and Brazil's General Data Protection Law (LGPD) set out how companies can lawfully process someone's personal data.

Businesses have until August 1, 2021, to comply with the LGPD, but the GDPR is already in force. The good news is that if you're GDPR compliant, there's very little you need to do to comply with the LGPD. That's because the Acts, for the most part, are extremely similar.

There are just a few key differences you should know about so you're legally compliant with both. Let's take a look.

Application and Scope

Essentially, the LGPD and the GDPR have the same legal application and scope.

  • They both apply to personal data processing in the public and private sectors.
  • Neither Act applies to data collection for purely personal or domestic purposes, e.g. an address book.
  • Each Act recognizes there's some leeway for personal data processing connected to, e.g., journalistic or scientific purposes. These exceptions fall under the legal grounds for processing, which we'll see below.

Finally, the GDPR applies to any business handling data belonging to an EU resident. It doesn't matter where the business is located. Similarly, non-Brazilian companies handling Brazilian data must comply with the LGPD.

Definition of Personal Data

According to both Acts, personal data is any information you can use to specifically identify a natural, living person, e.g. a name or email address.

The main difference is that the GDPR sets out some examples of personal data in Article 4 which include:

"a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"

So, there's a chance the LGPD covers a wider range of information, which means it's possibly stricter.

Special Categories of Personal Data

Some personal data is especially sensitive. Examples include:

  • Ethnicity
  • Sexual orientation
  • Religious affiliations

There's a crucial difference in when it's okay to process this data.

The GDPR is more generous. According to Article 9, you can process this data if you get express consent, if there's a legitimate business interest to do so, or under other somewhat-extreme circumstances (such as to protect the public from risk).

The LGPD is much stricter. In most cases, you can't process sensitive data unless you get express consent or it's "indispensable" to fulfilling a legal obligation:

[Screenshot: Ecomply: LGPD - Article 11 - Processing of Sensitive Personal Data section excerpt]

Pseudonymised Data

Pseudonymising data basically means processing it in such a way that you can't identify the subject anymore. This is useful e.g. for scientific and research purposes, and it's permissible under both Acts.

Children's Data

The LGPD and GDPR specifically protect children's data, but there's one key difference. The age of consent for data collection under the GDPR is 16. It's 13 under the LGPD.

You should also take reasonable steps to verify parental consent, where applicable.

Data Controllers and Processors

Both Acts include parameters for data controllers and processors.

  • In both cases, controllers essentially decide what happens to personal data and why it's collected.
  • Similarly, processors handle the data on the controller's behalf. There's no such thing as a "joint" controller under the LGPD, though. That's unique to the GDPR.

There's one major difference. The GDPR requires a contract to regulate the legal relationship between the parties, while the LGPD does not.

Principles for Data Processing

While the LGPD sets out 10 specific principles for ethical data processing, the GDPR only has seven.

The LGPD Principles are:

  • Purpose
  • Adequacy
  • Necessity
  • Free Access
  • Quality
  • Transparency
  • Security
  • Prevention
  • Nondiscrimination
  • Accountability

The GDPR Principles are:

  • Lawfulness and transparency
  • Purpose limitation
  • Minimisation
  • Accuracy
  • Storage limitation
  • Confidentiality
  • Accountability

The key difference is that there is no specific nondiscrimination principle under the GDPR. In essence, though, the GDPR is actually stricter. So if you comply with the GDPR, you're almost certainly complying with the LGPD.

Both Acts set out specific legal grounds for handling personal data.

The GDPR sets out six legal bases for processing:

  • Consent
  • Necessary to perform a contract
  • Necessary to comply with a legal obligation
  • Vital interest of the data subject
  • Public interest
  • Legitimate business interests

The LGPD has 10 legal bases:

  • Consent
  • Regulatory compliance
  • Contractual performance
  • Public contracts
  • Research
  • Exercising judicial rights
  • Preservation of life
  • Public interest
  • Legitimate interests
  • Protection of credit

Since the LGPD has more grounds for processing, it's "easier" to find a legal basis for processing under the Act. The GDPR is stricter.

Data Subject Rights

Every data subject has specific legal rights over who they share their data with, and what happens to it. Again, there are many similarities between the Acts. It's really just the wording that's different.

So, according to both Acts, subjects have the right to:

  • Access data
  • Amend errors
  • Request a company deletes their data
  • Receive copies of data

Here are the main differences:

  • There's no automatic right to restrict data processing under the LGPD.
  • The LGPD doesn't give people the right to object to data processing, but rather only the right to withdraw their consent.
  • Under the GDPR, you can object to wholly automated decision making with legal consequences, e.g. credit scoring.

There's a huge difference in what constitutes consent under these Acts, and it all comes down to one thing: affirmative action.

As we've seen, consent is one of the legal grounds for data processing under the GDPR. But implied consent is not enough.

According to GDPR consent requirements, the person must do something affirmative to prove they're actually giving consent.

An example would be clicking a checkbox to confirm they agree to cookie or other data tracking. Here's an example of such a checkbox in use to get consent to the website Terms and Conditions and Privacy Policy:

[Screenshot: Holland and Barrett account register form with "I Agree" checkbox]

There's no such requirement under the LGPD. That said, you do need clear and unambiguous consent, which means it's a good idea to use checkboxes anyway.

Privacy Policies

To be clear, there's no specific mention of a Privacy Policy in either Act. However, you do need to:

  • Tell people that you collect data
  • Explain why you need the data, and who you share it with
  • Provide your contact details and set out how people can complain about your data processes
  • Give people information on how they can opt out
  • Explain how long you hold the data

You should also confirm if you use automated processing of any kind.

The simplest way to present all this information to someone is through a Privacy Policy.

Here's an example from Tim Hortons of a Privacy Policy introduction, letting people know what to expect from the document:

[Screenshot: Tim Hortons Privacy Policy: Introduction clause]

The GDPR is slightly stricter than the LGPD. As we've seen, you need a lawful basis for processing, and you need to set out what specific categories of personal data you collect. There's no need to provide all this detail for processing under the LGPD.

The gist of this is simple. If you comply with the GDPR's Privacy Policy requirements, you're essentially complying with the LGPD's.

Personal Data Security

Data security is central to both Acts, but there are still some notable differences as to how strict the rules are. Let's start with the similarities, though:

  • You need appropriate safeguards in place to protect personal data. What's appropriate varies depending on the data you handle, and the size and complexity of your organization.
  • Companies must perform a Data Protection Impact Assessment (DPIA) if they plan on processing sensitive or risky personal data.
  • Both data controllers and processors need to adopt these security measures.
  • You should use technical and organizational/administrative measures to protect data.

There's one key difference between the Acts, and it comes down to the guidance offered on what security safeguards are sufficient for protecting personal data.

GDPR Security

The GDPR sets out some specific security measures that companies should adopt to protect data in Article 32.

What you implement depends upon your business and the sensitivity of the data you process, but appropriate measures include encryption, data backups, and security testing.

Security Under the LGPD

Unlike the GDPR, the LGPD doesn't provide any specific guidance on what measures to implement. Essentially, it's up to the national authority to set minimum security measures for companies to follow.

[Screenshot: Ecomply: LGPD - Article 11 - Technical and Organizational Measures section]

So, both Acts expect you to consider the nature of the data you're processing when choosing the appropriate safeguards, but the GDPR is a little more specific.

The Data Protection Officer (DPO)

Both Acts require you to appoint what's known as a Data Protection Officer (DPO) for monitoring data protection compliance. However, there are some key differences.

  • GDPR: You only need a DPO if you're a public body or you process certain types of data, e.g. large-scale data monitoring. This applies whether you're a controller or a processor. Finally, the DPO must be allowed to perform their duties independently, without company interference.
  • LGPD: Every company processing personal data, aside from small companies, needs a DPO. However, only controllers need to appoint one. There's no set rule that DPOs should carry out their responsibilities independently.

Breach Notification Procedures

Both Acts set out procedures to follow if there's a data breach. However, while the GDPR imposes strict time limits for notifying affected parties about a data breach, the LGPD is more flexible.

GDPR Data Breach Notification

You can find the GDPR breach notification rules in Articles 33 and 34.

Article 33 states that you should tell the supervisory authority about the breach within 72 hours unless there's a very good reason for the delay. You'll do this with a data breach notification letter.

The one exception? If there's no real chance that the breach causes any harm to the affected individual.

If you must tell the authorities, you should explain what happened, the likely consequences, and what you'll do to ensure it doesn't happen again. You should also provide the name and contact details for your DPO.

Finally, you should record all data breaches even if they're not significant enough to report.

Article 34 has much the same provisions except it's for when you should tell the affected person rather than the authority. You should use plain and simple language, and you should report it as soon as possible.

The key takeaway? If it's significant enough to report to the authority, you should tell the affected person, and vice versa.

Reasonable Period Under the LGPD

Article 48 states that companies need to inform the data holder (i.e. the subject) and the relevant authority if there's a data breach within a reasonable timeframe. It's unclear what this timeframe is, but we can assume that the sooner you report the breach, the better.

You should also tell the relevant parties what happened, what data has been affected, and how you'll prevent such a breach from happening again:

[Screenshot: Ecomply: LGPD - Article 48 - Personal Data Security Incidents]

In summary, there's no automatic obligation to tell data subjects about a data breach under the GDPR. It's only if certain thresholds are met. You are, however, expected to notify them under the LGPD.

So while the GDPR sets out a firm deadline, the LGPD is arguably more comprehensive.

Penalties for Non-Compliance

If you don't comply with your obligations under the LGPD or the GDPR, you could face financial penalties.

Under the LGPD, companies can be fined up to 2% of the previous year's gross revenue or R$50 million (around $9 million USD), whichever is higher. This is known as a simple fine.

However, repeat offenders could face a daily fine instead. These companies are fined a set amount for every day they're in breach of the Act, up to a total maximum of R$50 million.

There's no such thing as a daily fine under the GDPR. Instead, there's a distinction between serious and less serious offences.

So, for less severe offences, you could face fines up to 2% of your global annual turnover for the previous financial year, or 10 million euros (nearly $12 million USD), whichever is more.

But for serious breaches, you're looking at fines up to 20 million euros (over $23 million USD) or 4% turnover.

In short, violating the GDPR is usually more expensive. However, you'll still face serious financial penalties if you breach the LGPD.

Finally, individuals have the right to raise their own action against you for data breaches under both Acts. This is alongside any fines imposed on you at a national or supervisory level.

Conclusion

As we can see, the LGPD and the GDPR are quite similar. They both aim to protect the rights of their data subjects, while at the same time allowing businesses to collect the data they need to serve customers and perform crucial analytics.

However, let's just summarize the key differences:

  • You should always tell individuals about a data breach under the LGPD, unlike the GDPR where it might not be necessary.
  • Under the LGPD, data controllers need a DPO, with exemptions for small businesses.
  • The GDPR sets out specific security safeguards to protect data.
  • You need to get affirmative consent under the GDPR. This isn't the case if the LGPD applies, but it's a good idea to get it, anyway.
  • There's limited scope for processing personal data under the LGPD.
  • Processors and controllers must sign a contract if the GDPR applies.
  • There's no right to object to data processing under the LGPD.
  • The GDPR sets out a timeframe for reporting breaches.
  • It's more expensive to commit a GDPR violation.