Twenty reasons why GDPR compliance does not exempt companies from adjusting to the LGPD
Helio Ferreira Moraes
Pinhão e Koiffman, São Paulo
Mauro Roberto Martins Junior
Pinhão e Koiffman, São Paulo
Whoever has worked on projects involving compliance with Brazil’s data protection law (LGPD - Lei Geral de Proteção de Dados) has certainly heard that this law is very similar in form to the European Union’s General Data Protection Regulation (GDPR), which is only partly true, as we wish to demonstrate in this article.
Nevertheless, there are also some significant differences that have caused various foreign companies to make errors, especially those believing that, because they are already in full compliance with GDPR, they do not need to evaluate their data security practices against LGPD.
While LGPD drew inspiration from GDPR, lawmakers in Brazil made various adjustments where they considered them necessary. As such, mere compliance with the EU model does not automatically entail full compliance with its Brazilian counterpart.
In the sections below, we present the primary topics related to these two regulations and lay out their similarities and differences.
Scope of application
Possibly the main difference between these two regulations relates to their scope of application, as GDPR is much more limited in scope than LGPD (Article 2). The EU regulation only covers data that is processed automatically and file sharing systems. LGPD, on the other hand, has a much broader scope and applies to the processing of all personal data, both electronically and in paper form (Article 3). It is, therefore, possible that some types of data processing not covered under the EU’s GDPR regulations are subject to Brazil’s LGPD ruling.
Articles covering the definitions of terms used in the two regulations are, for the most part, very similar. At the time, however, Brazil’s lawmakers opted not to expand further on certain concepts, leaving it to the ANPD (Brazilian National Data Protection Authority) or the courts to determine their extent, as we will see below.
In GDPR, the definition of personal data includes numbers that can identify an individual, for example, those related to social or cultural aspects, as well as information technology elements such as IP addresses, locations and electronic or device identifiers (Article 4). GDPR also establishes special categories of personal data that are subject to different handling. These include data related to race, political affiliation, life views, religion, union affiliation, health, sexual orientation, biometry and genetics (Article 9).
In a quite similar model, personal data according to LGPD constitutes information related to the data subject, an identified or identifiable natural person (Article 5). However, LGPD does not provide explicit examples as can be found in GDPR, which is why the prevailing interpretation defines personal data as including an individual’s name, physical address, email address, age, marital status and financial situation, obtained by any means (paper form, electronically, computer-based, via sound, image, etc.).
Sensitive personal data under LGPD constitutes data related to race, political affiliation, life views, religion, union membership, health, sexual orientation, biometry and genetics, which are subject to special handling (Article 11).
In terms of definitions, we may also note that GDPR is more detailed than LGPD in explicitly defining the concepts of an identifiable individual, genetic data, biometric data and health data, while LGPD does not offer details about these concepts but rather leaves their interpretation and scope to the ANPD and possible court processes.
According to GDPR, consent must be obtained in advance, and it is defined as a voluntary action that is informed, explicit, specific and based on the unequivocal acceptance by the data subject (Article 4).
LGPD stipulates that consent is to be given in a voluntary, informed and unequivocal manner for a specific purpose. It may not be generic, but it may be granted through any channel that proves the voluntary action of the data subject, as specified in a separate Article (Article 5).
Apart from their similarities, the concepts of consent defined by GDPR and LGPD do present differences in some circumstances. The first difference relates to the requirement found in LGPD of connecting consent to specific purposes. While this obligation arises from a natural interpretation of the legal principles in GDPR, it is expressly provided for in LGPD.
Another relevant difference exists in relation to the possibility of processing data related to children. In the EU, consent can be obtained from individuals aged 16 and above, which is not permitted in Brazil (Article 8).
Pursuant to Brazilian law, the processing of the data of individuals under 18 may only be carried out once consent has been obtained from their parents or legal guardians (Article 14).
Cases of lawful processing
In relation to this point, we also encounter a relevant difference between the two regulations, with GDPR (Article 6.1) providing for only six cases of lawful processing and LGPD (Article 7) providing for ten.
In this context, similarities exist between LGPD and GDPR in relation to cases of lawful processing on the basis of data subject consent, performance of a contract or pre-contract, compliance with legal obligations, protection of the vital interests of the data subject or third parties, public interest, or legitimate interest of the responsible party.
The cases envisaged by LGPD and not found in GDPR include, for example, LGPD’s permission of lawful processing for the execution of studies by research entities, the regular exercise of rights under the law, health supervision by a professional in the area, and credit protection. The latter situation, for example, was included for the purpose of supporting the national credit bureaux, linking LGPD to other Brazilian laws, such as the positive credit register and those related to accessing credit information.
In reference to sensitive data, cases of lawful processing provided by LGPD (Article 11) are compatible with those of GDPR (Article 9.2), even though the language may vary in certain points. At the same time, for cases of the lawful processing of sensitive data, there are some specific situations in which the approaches taken by the two regulations differ greatly. GDPR, for example, provides for a case of the lawful processing of data with a special categorisation in relation to personal data made public by the data subject and data related to current or former members of not-for-profit foundations, associations or organisations processed for legitimate purposes and with the appropriate security provisions.
LGPD, on the other hand, does not provide for the specific cases outlined above but specifies two other processing situations not found in GDPR: the sharing of data by a public office, and fraud prevention and the security of the data subject in electronic systems.
These differences are important for any EU company already in compliance with GDPR, as a good portion of the data processing measures adopted by a company may need to be revised and updated in order to operate in Brazil.
Rights of data subject
One of the points demanding the most attention from companies relates to the rights of the data subject, especially considering that the failure to provide such rights has been the largest source of objections raised by the regulatory agency, after data breaches.
Most of the rights guaranteed to the data subject by GDPR and LGPD are very similar, primarily encompassing so-called ARCO rights (access, rectification, correction and opposition). However, some important differences between the two regulations should be highlighted.
The first difference relates to the right to request the anonymisation or blocking of personal data, which is provided for by LGPD (Article 18, IV) but not by GDPR. The right to erasure (Article 17) would be the most similar provision included in GDPR, although it is not the same.
Another right provided for by LGPD (Article 18, VI) that has no equivalent in GDPR is the possibility of requesting information about the public and private entities with which the data controller has shared data. Here, GDPR is more concerned with international data transfers (Article 15.1 c).
Another right that exists only in LGPD is the right to be informed of the option to refuse consent and of the consequences of this refusal (Article 18, VIII).
GDPR and LGPD adopt different approaches in relation to the right to object to data processing. While GDPR grants data subjects the right to object to having their data included in direct marketing databases (Article 21), LGPD grants data subjects the right to object to data processing conducted on the basis of a lawful processing hypothesis other than consent, in the case of non-compliance with the law (Article 18(2)), which is not included in GDPR.
LGPD establishes the right to request the review of decisions taken solely on the basis of automated personal data processing (Article 20), while GDPR grants data subjects the right to object to, and not remain subject to, automated decisions, except in cases envisaged by the law (Article 22).
Finally, LGPD also establishes the right of a data subject to obtain confirmation that their personal data is being processed (Article 18, I), which, again, GDPR does not specifically provide for.
Although data portability is a right guaranteed to the data subject, we have opted to address it separately, given the special attention the topic deserves. This was an innovative solution set out in GDPR, according to which data subjects may request that their personal data be transferred to other entities in an accessible data-sharing format (Article 20).
Drawing from this model, LGPD establishes that personal data may be transferred to another supplier upon request, provided that trade and industrial secrets remain protected (Article 18, paragraph 2). This final stipulation introduced by LGPD establishes that the right of the data subject may not take precedence over any legally protected innovations developed by a company, excluding such data from the requirement of being shared during the transfer of personal data.
International data transfers
GDPR allows the free international transfer of data within Europe and to other countries that demonstrate a level of protection similar to that provided by the EU (Articles 44 and 50).
Data may be transferred to countries outside the EU that have been authorised by the European Commission in terms of sufficient compliance or adequate data safeguards, or if exceptions exist related to a given transfer.
The difference here is that GDPR adopts a description that is far more detailed in reference to the criteria for international transfers than LGPD. Although Brazil has adopted a similar model, both in terms of the level of compliance on the part of the destination country as well as its options for offering the same safeguards, LGPD does not provide details as to any of these procedures, leaving this to be defined by the ANPD.
It is important to highlight the fact that international (extraterritorial) applications constitute another point in which GDPR and LGPD are similar yet different in certain regards.
EU law determines the application of the rules under GDPR regarding the collection, storage and use of personal data located within the EU, for citizens and non-citizens alike (Article 3). The regulation applies to all individuals located in the EU, regardless of their nationality, whether the individual resides in the respective country or is merely spending a few days there.
Any company that offers products and/or services to countries within the EU or handles an individual’s personal financial information located within the European Community is subject to GDPR.
LGPD regulates the handling of personal data by individuals or entities in the public or private sector, including in digital media, belonging to consumers and employees, regardless of the country in which they are based or in which the data are found, provided that data is processed in Brazil or data is related to offering goods or services to the Brazilian market (Article 3).
When comparing the two rulings, we may note that LGPD utilises the concepts introduced by GDPR when applied to handling data within its respective territory, regardless of the nationality of the data subject or their place of residence, and whenever there exists an offer of goods or services to the Brazilian market.
However, they differ in that GDPR also applies to the monitoring of the behaviour of individuals residing in the EU, a concept that is not used by LGPD. With a few exceptions, personal data merely passing through Brazil is not covered by LGPD, meaning that a conflict between the two sets of positive norms is highly probable. In other words, in situations in which both GDPR and LGPD apply, the outcome is likely to be extremely complex, especially in regard to the application of penalties by the relevant authorities.
Obligation to securely store information
GDPR is much more detailed regarding the topic of data security. A higher degree of clarity exists in the EU as to the requirements for measures such as encryption and pseudonymisation, as well as requirements for re-establishing access to personal data in the case of malfunctions and for monitoring measures.
Apart from this, GDPR sets out rules for system accessibility and resilience along with procedures for conducting tests, evaluations and intermittent verifications of the effectiveness of the existing measures (Article 32).
LGPD takes a more principles-oriented approach. Brazil’s law has opted to determine more generally that data processing must be safe, considering the mode of execution, the results, involved risks, available technical practices, how to secure data against unauthorised access by third parties, the destruction, loss, alteration and communication of data, and any other form of inappropriate or illicit data processing (Article 46). The minimum technical standards for data security will be defined by the ANPD.
Retention and deletion of data
This is an important matter, and one that LGPD treats with greater restrictions than GDPR, which, apart from determining that certain types of personal data processing are to be limited to the purpose for which the data was collected, does not set out a maximum period of time for its storage.
In Brazil, LGPD also stipulates that the processing of data is to be limited to the purpose for which such data was collected, adding, however, that the data shall be deleted after it has been processed (Article 16). This has been one of the concerns of IT technicians, as they are not familiar with the data elimination process, as well as companies that used to store data even following its processing.
With regard to security incidents, companies already in compliance with GDPR will need to develop and implement new procedures in order to operate in conformity with LGPD.
In the scope of GDPR, companies that have experienced a data breach are simply required to inform the relevant authorities within 72 hours for any data breach involving risks for the rights of data subjects (Article 33). The need to inform the data subjects of the occurrence depends on the severity of the incident and on the decisions made by the authorities responsible for supervising data protection in the EU.
In Brazil, this procedure is somewhat different, as both the ANPD and the data subject must be informed of serious incidents (Article 48). The period allowed for communicating this information is yet to be determined by the ANPD, which also generates a degree of uncertainty for companies accustomed to GDPR processes.
Apart from this, if the incident was deemed to be particularly serious, LGPD envisages that the ANPD may require a company to make a broad public announcement about the security incident, thereby threatening one of the company’s primary assets, its reputation.
In the event of a data breach, both rulings foresee the imposition of penalties on the companies responsible. The fines established by GDPR in the EU are around €10-20m, or two to four per cent of the company’s annual global revenue, whichever value is greater (Articles 83, 84 and 85). This aspect demonstrates significant differences between the two rulings. GDPR defines two different thresholds according to the severity of the breach and likewise establishes two different percentages, allowing for variance in the penalties and a significant range of possible values.
In the case of LGPD, the penalty only uses the percentage model in relation to a company’s revenue, and this value is capped (Article 52). Effectively, LGPD adopts a single penalty threshold of up to two per cent of the economic group’s revenue, limited to BRL50m (approximately US$9,700) per breach. Considering the level of this fixed penalty, in some cases large companies remain in a comfortable position, as this limit is unlikely to be significant to them.
On the other hand, LGPD contains other administrative penalties not contained in GDPR, namely, warnings, public announcements, and the blocking and deletion of databases. As such, although a penalty of BRL50m may not be significant for large corporations, the potential penalty of having to eliminate an entire database could represent a much greater loss, apart from any damage that may occur to a company’s reputation, which could even lead to its collapse.
Moreover, the application of a percentage-based penalty has raised concern, as in some cases it may pose an enormous risk for smaller companies belonging to large economic groups: the basis for calculating this penalty is the revenue of the entire economic group, not merely that of the individual group company.
Responsibilities of the controller and processor
Liability is to be determined in the event of damage incurred by the data subject. Regarding the division of responsibilities between the data controller and the data processor, GDPR adopts a robust model of joint liability, while LGPD allows a certain degree of separation in accordance with their respective roles in data processing.
Even so, no obligation exists within LGPD to formalise contracts between data controllers and data processors, differing from the provisions set out in GDPR, which stipulate that contracts are mandatory in order to delineate the precise scope of the data processing that the data processor may conduct. GDPR also determines the items that such a contract shall contain (Article 28, 3).
LGPD, for its part, only requires the data processor to follow the instructions of the data controller, without specifying how such instructions are to be provided (Article 42).
GDPR establishes the possibility of an exemption of liability on the part of data controllers if they are not involved in data processing, did not violate GDPR or were not responsible for the event leading to the subsequent damages (Article 82).
In a similar manner, LGPD establishes situations of liability exemption on the part of data controllers if they did not process the personal data attributed to them or breach the legislation pertaining to data security, or if the damages were exclusively the fault of the data subject or a third party.
Data Protection Officer (DPO)
Here is yet another situation in which Brazil’s legislation adopts a different approach from its EU counterpart, despite being inspired by the latter. GDPR stipulates that a DPO is to be appointed whenever the company’s core business activities involve processing operations that require the regular and systematic monitoring of data subjects, or the processing of special categories of data, on a large scale (Article 37). A DPO must also be appointed for data processing conducted by public bodies or authorities.
Apart from this, the nomination process is rigorous and it takes into account the practical experience and knowledge held by the DPO, who may not be accepted by some Member States if these requirements are not satisfied. The DPO has a great degree of power and responsibility, acting with complete autonomy within the company.
Pursuant to LGPD, the powers of the DPO (called the Encarregado in Portuguese or the ‘responsible party’) are much more limited. This position serves more as a liaison between the company and the data subjects as well as between the company and the ANPD (Article 41).
There is, however, one very important difference between GDPR and LGPD in respect of the obligation to appoint this responsible individual: while GDPR only requires a DPO in special cases, LGPD imposes this obligation on all companies that process personal data.
This means that every company in Brazil must have an Encarregado, since every type of company processes at least the personal data of its own employees. LGPD envisages that the ANPD may define the responsibilities of these Encarregados and the cases in which the obligation is waived, according to the nature and size of the entity or the volume of personal data processed. However, the ANPD has not yet established any provisions on this matter.
Appointment of a local representative
Another position that has been created by GDPR is that of the local representative. In the EU, the data controller or data processor is tasked with appointing a local representative in each Member State if the business deals with the provision of goods or services to data subjects in the EU (even if no payment is rendered for such goods or services) or in cases of monitoring the behaviour of EU individuals (Article 27).
As this rule is closely related to the fact that the EU is a bloc composed of various Member States, Brazilian lawmakers did not include a similar concept in LGPD. However, one should bear in mind that the Civil Rights Framework for the Internet is in force in Brazil. This law regulates the internet nationally, and pursuant to it any company within a Brazilian economic group may be held liable for infractions of LGPD. Moreover, LGPD itself states that foreign companies may be summoned through their local office in Brazil, thereby extending the reach of the Brazilian authorities.
Creating a Data Protection Impact Assessment (DPIA)
In the EU, a DPIA must be created in cases of potentially elevated risks of damage to data subjects, with some national data protection authorities in EU countries having created a list of cases in which it is necessary to draft a DPIA (Article 35, 1).
In Brazil, on the other hand, a DPIA (known by its Portuguese abbreviation, RIPD) must only be created at the request of the ANPD, meaning that companies are not required to create one on their own account, except where processing is based on legitimate interest (Articles 38 and 10, paragraph 3).
As the context in which the DPIA requirement applies in the EU is subjective, if elevated risks related to the processing of databases exist, companies must first conduct a consultation with the data protection authorities concerning the need for a DPIA (Article 36).
In Brazil, as this criterion is objective, LGPD does not impose an obligation for prior consultation with the ANPD.
While GDPR not only establishes an obligation to keep updated records of data processing operations but also specifies in detail what those records are to contain, LGPD only envisages a general obligation, which applies to data controllers as well as data processors (Article 37).
However, GDPR limits this requirement to large companies of more than 250 employees, while LGPD does not establish a limit here, meaning that every type of company, even small ones, shall maintain these updated records.
Data protection policies
In terms of data protection policies, in the EU, this is a mandatory measure that applies to data controllers, and it includes adequate technical and organisational measures for ensuring and proving conformity with GDPR (Articles 24 and 25).
In Brazil, LGPD simply establishes this as an optional measure attributed to data controllers and data processors, included in rules related to best practices and governance (Article 50).
Another very important difference between the two rulings is that LGPD provides a detailed description of a required corporate governance programme, which is not part of GDPR; as such, this difference may require European companies seeking to comply with LGPD to adapt their practices to this programme.
Application of Consumer Law
Finally, LGPD requires compliance with the Code of Consumer Protection whenever data processing is in some way related to consumer activities (Article 45). This may present a complex challenge to companies that are already in compliance with GDPR as Brazil’s consumer protection regulations are extremely protective.