You’ve heard of the GDPR, the CCPA, and the PIPL, but what about the LGPD?
Our guest today is Renata Ciampi, a partner at Motta Fernandes in Brazil and an expert on the LGPD, Brazil’s comprehensive privacy law. Renata is a certified information privacy manager and a certified data protection officer in Brazil. Among other things, her practice includes helping global companies navigate the growing number of privacy laws.
Watch A Little Privacy, Please!® on LGPD: Brazil’s data protection law.
Can you give us an overview of Brazil’s LGPD privacy law?
The Brazilian data protection law was enacted in 2018 and came into force in 2020, with penalties fully effective as of August 2021. It was a response to increased awareness about the importance of personal data protection and the abusive collection of personal data due to the lack of regulation.
The main purpose of the LGPD is to protect the fundamental rights of liberty and privacy and the free development of the natural person’s personality. Among others, protecting personal data is grounded on privacy respect, freedom of expression and opinion, and inviolability of intimacy, honor, and image.
How does Brazil’s LGPD differ from the EU’s GDPR?
LGPD is inspired by and consistent with GDPR; they follow the same principles. However, there are some differences—for example, the specific legal basis for processing data, such as for credit protection, health protection, or the regular exercise of rights in judicial or administrative proceedings. It’s important to mention that international data transfer cannot be based on the legitimate interests of the controllers. Unlike the GDPR, LGPD does not provide a list of security measures that processing agents may implement.
It is expected that the Brazilian national authority shall regulate the minimal technical standards in 2024. According to the LGPD, the controllers shall notify the national authority and data owners of the occurrence of a security breach within a reasonable time. However, the national authority recently published a recommendation that notifications should be done within two business days after the controller becomes aware of it.
How are clients responding to LGPD compliance?
There is a growing concern as the national authority prepares to impose penalties. However, since the LGPD is pretty new, and the discussion was mainly between digital businesses, many companies are not yet compliant. That’s because many physical and small businesses are unaware of this new law or think they don’t have to adapt at all. Brazilian law only came into full force less than two years ago, and before that, very few had heard about personal data protection. Therefore, the national authority chose to act in an educational and not punitive way so far.
What should global companies that have a presence in Brazil be doing to comply with the LGPD?
It sounds like efficiencies could be found in complying with the GDPR and Brazil’s privacy law. How do you see Brazil’s privacy law fitting into the global picture?