Brazil’s General Data Protection Law

Brazil’s General Data Protection Law (Lei Geral de Proteção de Dados – LGPD) became effective in September 2020. Its objective is to protect the rights of people who provide their data for processing and use in everyday commercial transactions. The law is designed to enable transparency and give people more control over how their data is used. The law resulted from international developments in data protection legislation that began in Europe before spreading across the globe. Vitória Bastos Bernardi, Legal Director, Russell Bedford, Brazil, explains.

National Data Protection Authority

Brazil has waited a long time for any real data protection. Some provisions did already exist in the Brazilian Code, the Marco da Internet (Law nº 12.965/14), and in the Consumer Defence Code. However, no formal policing existed and, even where an offence occurred, there were no recognisable sanctions.

To change this, the LGPD created a new National Data Protection Authority (ANPD) – an independent body responsible for implementing, overseeing, and supervising compliance with LGPD across Brazil. The ANPD has been one of the most significant developments during the first year of LGPD, playing a key role in educating people and businesses on:

•    the principles of privacy and data protection
•    how businesses need to behave
•    how individuals can ensure their privacy and rights.


The delaying impact of Covid-19

The pandemic that spread throughout Brazil was a key cause of the delayed introduction of the LGPD requirements, not least the postponement of sanctions until August 2021. This, on top of the prevailing economic upheaval, acted as a disincentive for businesses to prepare for LGPD while they waited for more clarity and a more settled business environment. It may take until 2022 for this to happen.

The pandemic also hindered the development of awareness and technical knowledge among businesses, which made a delayed implementation inevitable.

Legislation alone is not enough

Data privacy and protection, as legislated by LGPD, is fundamentally multidisciplinary; to be a success it must change the culture and mindset of all participants, whether controllers, operators, or holders of personal data.

However, legislation alone is not enough; mobilising all appropriate technological and information security techniques and processes to optimise data processing is essential. This requires raising awareness and understanding by training all those involved in the handling processes. Only in this way can businesses minimise data processing mistakes, whether through negligence or malpractice.

Sanctions – the cost of getting it wrong

Underestimating the impact of LGPD on a business and failing to implement the requirements can lead to costly sanctions, both financially and reputationally. While there is a financial penalty of up to 2% of business turnover, the more damaging sanction may be the reputational harm caused by item IV of article 52 of the LGPD, which allows for the infringement to be published after the event. Put another way, naming and shaming. With consumers becoming more aware than ever before, reputational damage and a breakdown in consumer confidence and trust are possibly the worst sanction a business can suffer.

Time for businesses to act

While it is perhaps understandable that businesses have concerns over the responsibilities and burden that LGPD places on them, that burden is nothing when compared to what the justice system will demand of them. Incidentally, there are already 584 cases awaiting LGPD decisions (source: LGPD Panel of Courts), so this is a clear and present danger for businesses; ignoring it is not an option regardless of the additional administrative burden.

Businesses need to begin implementing LGPD changes urgently to ensure immediate minimum compliance while nurturing an environment of continual improvement.