How does Brazil’s LGPD regulation compare to EU’s GDPR?

Last updated: 21 May 2019

On May 25th 2018, the EU General Data Protection Regulation came into force, requiring companies based and operating in the European Union to comply with updated regulations on how they handle third-party data.

Other countries have taken a similar approach to data protection, with Brazil adopting a law governing how organizations collect, use and share customer data. The LGPD (Lei Geral de Proteção de Dados) will go into effect in August 2020, leaving companies with a little more than a year from now to make sure they are compliant with the strict requirements related to processing and managing personal data.

The LGPD applies to any individual or organization, whether public or private, that is involved with personal data activities which are:

  • Carried out in Brazil
  • For the purpose of offering and/or supplying goods and services in Brazil
  • Involve personal data collected in Brazil

The Brazilian data protection regulation has extraterritorial scope and will apply to global businesses that meet these criteria, regardless of where the company is headquartered.

Under LGPD, personal data can be collected and used in two ways:

  • For the same purpose the data was originally collected or posted, which will not require a double subject’s consent (public interest information)
  • For a different purpose, but only if the controller of the data has identified a valid legal basis for use (Life Protection or legal requirement)

How does LGPD compare to GDPR?

Like GDPR, Brazil’s new data protection regulation defines personal data to include all information related to an identifiable person and includes special restrictions related to the processing of sensitive personal data, which includes gender, ethnicity, religion, and biometrics, to name just a few. However, the LGPD includes some distinctions from the EU data protection regulation:

  • Unlike GDPR, in LGPD some sensitive data can be considered ‘personal data’ under unusual circumstances when used for profiling. Generally, this type of data is exempt from the regulation’s requirements; however, Article 12 states that it can be deemed “personal data” when it’s used to enhance, build upon or otherwise create behavioral profiles about individuals.
  • Likewise, LGPD does not provide broad incentives for data controllers to pseudonymize data, which is the process of separating data from direct identifiers to make re-identifying individuals more difficult.

For GDPR, while companies that are headquartered or operate in the EU had two years to prepare, companies in Brazil only have 15 months from now to make sure they’re compliant before LGPD comes into force. But most importantly, the Brazilian law is less prescriptive and has no recitals as guidelines to interpret the legal text, which could make the regulation more challenging to implement.

Organizations that fail to comply with the LGPD could also face fines of nearly $12 million, or up to two per cent of the company’s gross revenue in Brazil for the previous year, whichever is greater per violation. In comparison, if companies fail to comply with GDPR they could face fines of up to 4% of annual global turnover or €20 million – whichever is greater!

How global companies can push for a worldwide adoption of data protection regulations

Data breaches have become common in the news agenda, with high-profile companies including Marriott, British Airways and Amazon being victims of cyber-attacks, resulting in the personal information of thousands or even millions of customers being exposed. The role of regulations in the aftermath of such cases is crucial. Historically, companies have waited months, even years, to disclose a data breach to their customers. But with the EU GDPR, companies need to inform their customers within 72 hours. Otherwise, they could face potential fines up to four per cent of their global revenue.

With companies such as the aforementioned having a worldwide presence, it’s important that they keep their responsibilities towards the customer data they store and share in check. Their global presence can be a great asset, as it could enable them to push for worldwide adoption of data protection regulations.

Do you have any questions on Brazil’s new data protection regulation? Let us know in the comments below or by tweeting us @Gemalto.
