
Computer Law Review International
A Journal of Information Law and Technology

Issue 4 / 2018, 19th Year, 15 August 2018, p. 97-132
cr-international.com

Editorial Board: Prof. Dr. Thomas Dreier, M.C.J. · Dr. Jens-L. Gaster · RA Thomas Heymann · Prof. Dr. Michael Lehmann, Dipl.-Kfm. · Prof. Raymond T. Nimmer · Attorney at Law Holly K. Towle, J.D. · Attorney at Law Thomas Vinje

Articles > Jan Pohle - Data Privacy Legislation in the European Union Member States - A Practical Overview 97

Lothar Determann - New California Law Against Data Sharing 117

Case Law > USA: Warrantless Discovery Search of Cell-Site Location Information By Law Enforcement with remarks by Mathias Lejeune 124

Updates > Paulo M.R. Brancher / Alan C.E. Thomaz - Brazilian Data Protection Law - A New Scenario for Business in Brazil Compared to EU-GDPR 130

Otto Schmidt
130 Updates CRi 4/2018
Brancher/Thomaz - Brazilian Data Protection Law - A New Scenario for Business in Brazil Compared to EU-GDPR

Updates
Brazilian Data Protection Law - A New Scenario for Business in Brazil Compared to EU-GDPR

Without being exhaustive, this article intends to present some key elements of the recently approved Brazilian Data Protection Law (hereinafter referred to as "Lei Geral de Proteção de Dados" or "LGPD"), and to explore a few similarities and differences between the LGPD and the General Data Protection Regulation ("GDPR").

1. Major Shift of the Data Protection Regime

Similar to the GDPR, the LGPD has established detailed rules for the collection, use, processing and storage of personal data in Brazil, being applicable to private and public entities in all economic sectors, both in the digital and the physical environment. However, while the GDPR is a review and a modernization of the former rules on data protection of the European Union (i.e., the Data Protection Directive 95/46/EC), thus intending to further harmonize the data protection system across the EU Member States, the LGPD introduces completely new definitions, obligations and requirements in the Brazilian data protection system, significantly changing how organizations will handle personal data in the country.

2. Scope

a) Applicability

The new Brazilian data protection law is applicable¹ to any processing activity of personal data carried out by a natural person or legal entity, regardless of the means of processing (i.e., digital or not) and of where the processor is headquartered, provided that:

(a) the processing operation is carried out in Brazil;

(b) the processing relates to data of individuals located in Brazil;

(c) the purpose of the processing activity is the offer or supply of goods or services in Brazil; and

(d) the personal data subject to the processing operation has been collected in Brazil.

Therefore, when compared to the GDPR, the LGPD is applicable to data processing activities carried out in the country, but it also has a significant extraterritorial effect, reaching foreign organizations that collect personal data of individuals located in Brazil.

Note that the concept of citizenship is not relevant to determine whether the LGPD will be applicable or not. If the individual is located in Brazil, the LGPD will apply.

b) Definition "Personal Data"

The definition of personal data in the LGPD is inspired by (not to say "copied from") the definition of the GDPR, establishing that personal data is any "information related to an identified or identifiable natural person" (the natural person, hereinafter referred to as the "data subject"). Such concept may include any information that, immediately or jointly with other set(s) of information, may be linked to an individual, such as his/her name, passport number, home address, personal preferences, purchase history, geolocation, among others.

3. Legality of Processing Data

Any processing activity subject to the LGPD must be carried out in accordance with its principles² and based on one or more of the 10 (ten) legal grounds set forth in such statute. Although certain differences may be noted, the legal grounds for processing of personal data under the LGPD are considerably similar to the GDPR. For instance, both pieces of legislation provide that personal data may be processed:

(i) with the consent of the data subject;

(ii) to comply with a legal or regulatory obligation;

(iii) when necessary for the performance of a contract or preliminary procedures related to a contract of which the data subject is a party, and

(iv) when necessary to meet the legitimate interest of the data controller or third parties.

In addition, other legal bases for processing are established in the LGPD, which also have certain similarities with the GDPR, including:

1 The LGPD is not applicable to processing activities (i) performed by natural persons, exclusively for private and non-economic purposes; (ii) for journalistic, artistic and academic purposes; (iii) for public and state security, and national defense purposes; (iv) for investigation and prosecution of criminal offenses; and (v) on data from outside the territory and destined for other countries, which only transit through the national territory, without any treatment operation being carried out.

2 The principles of the LGPD are as follows: (a) free access (free and easy consultation of data processing activities and their duration); (b) transparency (clear, accurate and easily accessible information); (c) purpose (processing must be carried out for legitimate, specific, explicit and informed purposes, and no further processing shall take place when incompatible with such purposes); (d) adequacy (processing shall be compatible with the informed purpose); (e) data quality (guarantee that accurate, clear, relevant and updated data shall be processed); (f) data minimization or necessity (processing shall be limited to the minimum information necessary to achieve its purpose, using relevant, proportional and not excessive data); (g) security (use of technical and administrative measures capable of protecting personal data from unauthorized access and from accidental or unlawful events of destruction, loss, alteration, communication or dissemination); (h) prevention (adoption of measures to prevent the occurrence of damages due to the processing of personal data); (i) non-discrimination (do not perform processing activities for unlawful or abusive discriminatory purposes); (j) accountability (demonstration by the agent of effective and capable measures of verifying compliance with the rules for the protection of personal data, including the effectiveness of such measures).

(a) the regular exercise of rights in judicial, administrative or arbitral proceedings;

(b) the protection of life or physical safety of the data subject or a third party;

(c) the protection of health, in proceedings carried out by health professionals or by health entities;

(d) by research bodies, to carry out studies, guaranteeing, whenever possible, the anonymization of personal data;

(e) by the public administration, for the execution of public policies set forth in law or regulation, or supported by contracts and similar instruments; and

(f) the protection of credit, as set forth in the applicable legislation.

4. Legality of Processing Sensitive Data

To provide a greater level of protection to a specific set of information defined as sensitive data, different requirements are established for processing personal data and sensitive data.³ Sensitive data includes personal data on racial or ethnic origin, religious belief, political opinion, membership in trade unions or religious, philosophical or political organizations, health, sexual life, genetics or biometrics. Therefore, the LGPD defines the same set of information as "sensitive data" as the GDPR. Unlike the legal grounds for processing personal data, the LGPD does not allow the processing of sensitive data based on the legitimate interest or for the protection of credit. On the other hand, sensitive data may be processed when necessary to guarantee the prevention of fraud and the safety of the data subject, in the process of identification and authentication in registries of electronic systems.

5. Consent Requirements

Independently of the legal basis for processing personal data (i.e., whether based on consent or not), easily accessible, clear and adequate information shall be provided to the data subject about how his/her information will be processed. When relying on consent for processing both personal data and sensitive data, the LGPD imposes specific consent requirements, which mandatorily require a prior, free, informed and unequivocal manifestation of the data subject's consent for a specific purpose (for sensitive data, the consent must also be specific and separate), and which may be revoked at any time. In practical terms, the requirements for obtaining consent under the GDPR and the LGPD may not significantly differ.

6. Rights of the Data Subject

Certain new rights are granted to data subjects under the LGPD, all of which are present in the GDPR to a certain extent. Among others, such rights include:

(a) the right to obtain information regarding the processing of data;

(b) the right to access, to rectify and to erase data;

(c) the right to withdraw consent at any time;

(d) the right to receive information on whom the data has been shared with;

(e) the right to data portability to another supplier of goods and services; and

(f) the right to obtain the review of automated decisions.

Because most of them are new in the Brazilian data protection system, organizations will have to adapt their products and services, platforms and operations to become able to process the data subjects' requests based on such rights granted to data subjects.

7. Processing Agents

One important distinction made by the new law is that organizations are now divided into two different categories, the controllers and the operators (jointly referred to as "Processing Agents"). Inspired by the definition of controllers and processors under the GDPR⁴, the LGPD defines controllers as "natural person or legal entity, public or private, which is responsible for the decisions concerning the processing of personal data", and operators as "natural person or legal entity, public or private, which performs the processing of personal data on behalf of the controller". Because the controller is responsible for defining how personal data will be processed, it is subject to a more comprehensive list of requirements to comply with.

a) Controller's Responsibilities

Therefore, in addition to being responsible for compliance with the data subject's rights or requests, controllers may, for example, have to (a) define and document the legal grounds for processing personal data; (b) perform privacy impact assessments, where required by the national data protection authority; and (c) appoint a data protection commissioner (who will be in charge of handling personal data within the organization and of interacting with third parties, including the data protection authority).

3 The legal grounds for processing sensitive data include: (i) the consent of the data subject; (ii) compliance with a legal or regulatory obligation; (iii) regular exercise of rights, including in contract and in judicial, administrative and arbitral proceedings; (iv) the protection of life or physical safety of the data subject or a third party; (v) the protection of health, in proceedings carried out by health professionals or by health entities; (vi) when necessary to guarantee the prevention of fraud and the safety of the data subject, in the process of identification and authentication in registries of electronic systems; (vii) by the public administration, for shared processing of data necessary for the execution of public policies set forth in law or regulation; and (viii) by research bodies, to carry out studies, guaranteeing, wherever possible, the anonymization of sensitive data.

4 In the GDPR, 'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; and 'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

b) Technical and Organizational Measures

Both the GDPR and the LGPD require data processing agents (both controllers and operators/processors) to adopt technical and organizational measures to protect personal data in order to avoid data incident events; such measures shall be adopted from the creation of any new technology or product, which requires organizations to implement a privacy by design approach. The technical and organizational measures referred to in the GDPR and the LGPD may include, for instance, the adoption of updated and industry-standard IT resources in the creation and implementation of products and services, and the adoption of internal privacy policies to address how personal data may be handled within the organization. In addition to the internal policies, Privacy Notices (or other consumer/user facing documents) may also have to be reviewed in order to comply with the new standard imposed by the LGPD, particularly when relying on consent to process personal data.

8. International Data Transfer

Another aspect to pay attention to in the LGPD is the introduction of stricter requirements for international data transfers, which are also applicable to both controllers and operators. The LGPD establishes that international transfer of data shall only be permitted in specific circumstances, which include, among others⁶, the transfer to countries with an adequate level of protection (to be determined by the national data protection authority); transfers through the use of standard contractual clauses, global corporate rules, seals, certificates and codes of conduct approved by the national data protection authority; and transfers with the specific and prominent consent of the data subject, in which case prior information on the international character of the operation must be provided, clearly distinguishing it from other purposes.

9. Data Incidents

Under the LGPD, data incidents⁵ that may result in relevant risk or harm to individuals must be reported to the national data protection authority⁷ within a reasonable time and, where required by such authority, to the affected data subjects. Note that the Brazilian statute does not define a specific time to report data incidents (the GDPR requires a 72 hours notification), but in any case such notification cannot be unreasonably delayed.

10. Sanctions

Sanctions for non-compliance with the LGPD are also similar to the GDPR, with a distinction on the maximum amount of fines that can be imposed. The penalties under the LGPD may include warning, mandatory disclosure of the data incident, deletion of personal data, blocking, suspension and/or partial or total prohibition from the exercise of activities related to the processing of personal data, and fines. While the fines under the GDPR may be limited to 4% of the company's gross revenues in the preceding fiscal year, the LGPD limits the fine to up to 2% (two percent) of the company's economic group gross revenues in Brazil for the same period (but excludes taxes and limits the total to an amount of R$ 50,000,000.00 (fifty million Brazilian Reais) per violation).

11. Next Steps

The LGPD will enter into force 18 (eighteen) months after its publication, which is expected to occur in mid-February 2020. Due to the extraterritorial reach of both the GDPR and the LGPD, it is expected that a significant number of multinational organizations will be subject to both rules at the same time. While there are various similarities that may facilitate the implementation of a uniform data protection compliance program to comply with both, organizations still have to pay attention to the particulars of each legislation so as not to inadvertently violate such differing data protection regimes.

Paulo M.R. Brancher / Alan C.E. Thomaz

5 A data incident may be considered as "unauthorized access and accidental or unlawful destruction, loss, change, communication, transmission, or any other occurrence resulting from inadequate or illegal treatment".

6 Other legal bases for lawful international transfer under the LGPD include: (a) when it is necessary for the performance of a contract; (b) for the protection of life and physical safety of the data subject or a third party; (c) for the regular exercise of rights in judicial, administrative or arbitral proceedings; (d) when necessary for international legal cooperation between intelligence, investigation and prosecution public bodies, in accordance with the instruments of international law; (e) based on a commitment made in an international cooperation agreement; (f) when authorized by the national data protection authority; and (g) when necessary for the execution of public policy or compliance with the legal attribution of the public service.

7 Specific information needs to be provided, including, at least: (a) a description of the data and individuals affected; (b) the risks related to the Data Incident; (c) the reasons why the notification to the ANPD has been delayed, where applicable; and (d) the technical and security measures taken to protect the data, and the measures that were or will be taken to revert or mitigate the effects of the Data Incident.

Paulo M. R. Brancher
Attorney and Partner at Mattos Filho Advogados, São Paulo, and Full Professor at Pontifícia Universidade Católica de São Paulo
TMT, Privacy and Data Protection Law
pbrancher@mattosfilho.com.br
www.mattosfilho.com.br

Alan Campos Elias Thomaz
Attorney and Associate at Mattos Filho Advogados, São Paulo
IP and IT Law, Privacy and Data Protection Law
Alan.thomaz@mattosfilho.com.br
www.mattosfilho.com.br
