19th Year
15 August 2018
P. 97-132
cr-international.com
Editorial Board: Prof. Dr. Thomas Dreier, M.C.J. - Dr. Jens-L. Gaster - RA Thomas Heymann - Prof. Dr. Michael Lehmann, Dipl.-Kfm. - Prof. Raymond T. Nimmer - Attorney at Law Holly K. Towle, J.D. - Attorney at Law Thomas Vinje

Articles > Jan Pohle - Data Privacy Legislation in the European Union Member States - A Practical Overview
Case Law > USA: Warrantless Discovery Search of Cell-Site Location Information by Law Enforcement with remarks by Mathias Lejeune 124
Updates > Paulo M.R. Brancher / Alan C.E. Thomaz - Brazilian Data Protection Law - A New Scenario for Business in Brazil Compared to EU-GDPR 130

Otto Schmidt
130 Updates CRi 2018
Brancher/Thomaz - Brazilian Data Protection Law - A New Scenario for Business in Brazil Compared to EU-GDPR

Updates

Brazilian Data Protection Law - A New Scenario for Business in Brazil Compared to EU-GDPR

Without being exhaustive, this article intends to present some key elements of the recently approved Brazilian Data Protection Law (hereinafter referred to as "Lei Geral de Proteção de Dados" or "LGPD"), and to explore a few similarities and differences between the LGPD and the General Data Protection Regulation ("GDPR").

The new Brazilian data protection law is applicable1 to any processing activity of personal data carried out by a natural person or legal entity, regardless of the means of processing (i.e., digital or not) and of where the processor is headquartered, provided that:

(a) the processing operation is carried out in Brazil;
(b) the processing relates to data of individuals located in Brazil;
(c) the purpose of the processing activity is the offer or supply of goods or services in Brazil; and
(d) the personal data subject to the processing operation has been collected in Brazil.

Therefore, when compared to the GDPR, the LGPD is applicable to data processing activities carried out in the country, but also has a significant extraterritorial effect, reaching foreign organizations that collect personal data of individuals located in Brazil.

Note that the concept of citizenship is not relevant to determine whether the LGPD will be applicable or not. If the individual is located in Brazil, the LGPD will apply.

b) Definition "Personal Data"

The definition of personal data in the LGPD is inspired by (not to say "copied from") the definition of the GDPR, establishing that personal data is any "information related to an identified or identifiable natural person" (the natural person, hereinafter referred to as the "data subject"). Such concept may include any information that, immediately or jointly with other set(s) of information, may be linked to an individual, such as his/her name, passport number, home address, personal preferences, purchase history, geolocation, among others.

the LGPD, which also have certain similarities with the GDPR, including:

1 The LGPD is not applicable to processing activities (i) performed by natural persons, exclusively for private and non-economic purposes; (ii) for journalistic, artistic and academic purposes; (iii) for public and state security, and national defense purposes; (iv) for investigation and prosecution of criminal offenses; and (v) of data from outside the territory and destined for other countries, which only transit through the national territory, without any treatment operation being carried out.

2 The principles of the LGPD are as follows: (a) free access (free and easy consultation of data processing activities and their duration); (b) transparency (clear, accurate and easily accessible information); (c) purpose (processing must be carried out for legitimate, specific, explicit and informed purposes, and no further processing shall take place when incompatible with such purposes); (d) adequacy (processing shall be compatible with the informed purpose); (e) data quality (guarantee that accurate, clear, relevant and updated data shall be processed); (f) data minimization or necessity (processing shall be limited to the minimum information necessary to achieve its purpose, using relevant, proportional and not excessive data); (g) security (use of technical and administrative measures capable of protecting personal data from unauthorized access and from accidental or unlawful events of destruction, loss, alteration, communication or dissemination); (h) prevention (adoption of measures to prevent the occurrence of damages due to the processing of personal data); (i) non-discrimination (do not perform processing activities for unlawful or abusive discriminatory purposes); (j) accountability (demonstration by the agent of effective and capable measures of verifying compliance with the rules for the protection of personal data, including the effectiveness of such measures);
(a) the regular exercise of rights in judicial, administrative or arbitral proceedings;
(b) the protection of life or physical safety of the data subject or third party;
(c) the protection of health, in proceedings carried out by health professionals or by health entities;
(d) by research bodies, to carry out studies, guaranteed, whenever possible, the anonymization of personal data;
(e) by the public administration, for the execution of public policies set forth in law or regulation, or supported by contracts and similar instruments; and

(d) right to receive information on whom the data has been shared with;
(e) right to data portability to another supplier of goods and services; and
(f) right to obtain the review of automated decisions.

Because most of them are new in the Brazilian data protection system, organizations will have to adapt their products and services, platforms and operations to become able to process the data subject's requests based on such rights granted to data subjects.

b) Technical and Organizational Measures

Both the GDPR and the LGPD require data processing agents (both controllers and operators/processors) to adopt technical and organizational measures to protect personal data in order to avoid data incident events; such measures shall be adopted from the creation of any new technology or product, which requires organizations to implement a privacy by design approach. The technical and organizational measures referred to in the GDPR and the LGPD may include, for instance, the adoption of updated and industry-standard IT resources in the creation and implementation of products and services, and the adoption of internal privacy policies to address how personal data may be handled within the organization. In addition to the internal policies, Privacy Notices (or other consumer/user facing documents) may also have to be reviewed in order to comply with the new standard imposed by the LGPD, particularly when relying on consent to process personal data.

8. International Data Transfer

Another aspect to pay attention to in the LGPD is the introduction of stricter requirements for international data transfers, which are also applicable to both controllers and operators. The LGPD establishes that international transfer of data shall only be permitted in specific circumstances, which include, among others6, the transfer to countries with an adequate level of protection (to be determined by the national data protection authority); the use of standard contractual clauses, global corporate rules, seals, certificates and codes of conduct approved by the national data protection authority; and the specific and prominent consent of the data subject, in which case prior information on the international character of the operation must be provided, clearly distinguishing it from other purposes.

9. Data Incidents

Under the LGPD, data incidents that may result in relevant risk or harm to individuals must be reported to the national data protection authority7 within a reasonable time and, where required by such authority, to the affected data subjects. Note that the Brazilian statute does not define a specific time to report data incidents (the GDPR requires a 72 hours notification), but in any case such notification cannot be unreasonably delayed.

10. Sanctions

Sanctions for non-compliance with the LGPD are also similar to the GDPR, with a distinction on the maximum amount of fines that can be imposed. The penalties under the LGPD may include warning, mandatory disclosure of the data incident, deletion of personal data, blocking, suspension and/or partial or total prohibition from the exercise of activities related to the processing of personal data, and fines. While the fines under the GDPR may be limited to 4% of the company's gross revenues in the preceding fiscal year, the LGPD limits the fine to up to 2% (two percent) of the company's economic group gross revenues in Brazil for the same period (but excludes taxes and limits the total to an amount of R$ 50,000,000.00 (fifty million Brazilian Reais) per violation).

11. Next Steps

The LGPD will enter into force 18 (eighteen) months after its publication, which is expected to occur in mid-February 2020. Due to the extraterritorial reach of both the GDPR and the LGPD, it is expected that a significant number of multinational organizations will be subject to both rules at the same time. While there are various similarities that may facilitate the implementation of a uniform data protection compliance program to comply with both, organizations still have to pay attention to the particulars of each legislation so as not to inadvertently violate such differing data protection regimes.

Paulo M.R. Brancher / Alan C.E. Thomaz

Paulo M. R. Brancher
Attorney and Partner at Mattos Filho Advogados, São Paulo, and Full Professor at Pontifícia Universidade Católica de São Paulo
TMT, Privacy and Data Protection Law
pbrancher@mattosfilho.com.br
www.mattosfilho.com.br

Alan Campos Elias Thomaz
Attorney and Associate at Mattos Filho Advogados, São Paulo
IP and IT Law, Privacy and Data Protection Law
Alan.thomaz@mattosfilho.com.br
www.mattosfilho.com.br

Data incident may be considered as "unauthorized access and from accidental or unlawful destructions, loss, change, communications, transmission, or any other occurrence resulting from inadequate or illegal treatment".

6 Other legal bases for lawful international transfer under the LGPD include: (a) when it is necessary for the performance of a contract; (b) for the protection of life and physical safety of the data subject or third party; (c) for the regular exercise of rights in judicial, administrative or arbitral proceedings; (d) when necessary for international legal cooperation between intelligence, investigation and prosecution public bodies, in accordance with the instruments of international law; (e) based on a commitment made in an international cooperation agreement; (f) when authorized by the national data protection authority; and (g) when necessary for the execution of public policy or compliance with the legal attribution of the public service.

7 Specific information needs to be provided, including, at least: (a) a description of the data and individuals affected; (b) the risks related to the Data Incident; (c) the reasons why the notification to the ANPD has been delayed, where applicable; and (d) the technical and security measures taken to protect the data, and the measures that were or will be taken to revert or mitigate the effects of the Data Incident.