Five Things You Should Know About Brazil's New Privacy Law

• Published date: 16 October 2020
• Subject Matter: Consumer Protection, Privacy, Data Protection, Privacy Protection, Dodd-Frank, Consumer Protection Act
• Law Firm: Morrison & Foerster LLP
• Author: Mr Alex Van Der Wolk

Now that the Brazilian law on the use of personal information (Lei Geral de Proteç'o de Dados or LGPD) has entered into force on 18 September 2020, companies operating in Brazil are facing significantly new and comprehensive privacy obligations. And while the administrative sanction provisions under the law do not go into effect until 1 August 2021, individuals can now already claim losses and damages for LGPD violations, making timely compliance with the new law all the more critical. To help your organization stay ahead, we answer the most frequently asked questions regarding the LGPD and highlight key elements for your global privacy program.

1. When does the LGPD apply?

The LGPD can apply in the following three cases: (i) when the actual data processing operation is carried out in Brazilian territory, (ii) if the processing operation has the goal of offering or providing goods or services to or of processing data of individuals located in Brazilian territory, or (iii) if the processing involves personal information collected in Brazilian territory. Unlike GDPR, the LGPD does not refer to a company's establishment in order to apply. However, it seems that the location of the actual processing of personal information (prong 1) approximates the "establishment" criterion in that it likely includes companies located within Brazil. Prong 2 (offering goods and services) and prong 3 (data collected in Brazil), in turn, are expected to create extraterritorial application of the LGPD. However, in the absence of further guidance on how each of the LGPD prongs should apply, it remains unclear how far the scope of applicability of the LGPD will reach.

2. Are individuals' rights under LGPD the same as under GDPR?

Individuals' rights under LGPD are largely similar to those available under GDPR (i.e., access, correction, deletion, blocking and portability), with a few differences.

For example, the LGPD provides for an explicit right to anonymization, which entails that individuals can request that organizations anonymize data about them where the data are unnecessary, excessive, or processed in violation of the law. GDPR does not have an explicit right to anonymization, although the circumstances under which the LGPD's right can be invoked, as well as its effects, are very similar to GDPR's "right to be forgotten."

Another unique feature of the LGPD concerns access requests Where many legal regimes generally provide that companies are required to respond to...