What is Brazil’s Lei Geral de Proteção de Dados Pessoais?

Lei Geral de Proteção de Dados Pessoais (LGPD, Law No. 13,709/2018) is Brazil’s counterpart to the EU’s General Data Protection Regulation (GDPR). Enacted in August 2018, it was phased in over roughly three years: the law came into force in September 2020, and its administrative sanctions became enforceable in August 2021. It is now the binding national framework for the collection and processing (“tratamento”) of personal data, protecting individuals located in Brazil. 

Brazilian Personal Data History

In Brazil, each industry and sector has historically had its own legal frameworks and regulatory requirements. This is difficult to navigate for those trying to comply, and even the regulators can be unsure of their remit, since many rules reach beyond the boundaries of the industry that produced them. That overlap also leaves gaps when it comes to preventing data-related crime.  

The first contribution of the LGPD has been to provide a single, overarching definition of personal data: 

“any data that (either individually, or when combined with other information) can identify a person or subject them to a particular treatment”

The law likewise establishes a single framework that applies across all sectors and is built around the rights of the individual rather than the interests of the organisations that process their data.

Features of Lei Geral de Proteção de Dados Pessoais

The purpose of the law is to enforce nine key rights of data subjects (listed in its Article 18) pertaining to the collection and processing of their personal data. Its aims are similar to those of the more recently introduced Colorado Privacy Act. Accordingly, the legislation sets out the operational obligations of organisations that process personal data, as well as the powers of the authority to punish and rectify infringements. 

Business obligations

First, organisations must confirm the existence of processing, and provide access to, correct, anonymise and delete personal data at the request of the data subject. They must also delete personal data once the purpose for which it was collected has been fulfilled, the relationship with the client or customer has ended, or any required retention period has expired, unless a legal or regulatory obligation requires that it be kept. 

Moreover, organisations must appoint an “encarregado” (the person in charge of processing personal data, usually translated as Data Protection Officer), whose identity and contact details must be published. This individual is the point of contact for data subjects and for the authority: they receive and handle complaints and requests, communicate with the regulator, and spread guidance on data protection practices throughout the company. They must also stay up to date with changes to the law and its regulations so the business can adopt best practice.  

Finally, in the case of a security incident that may cause relevant risk or harm to data subjects, the organisation must notify both the affected subjects and the authority within a reasonable period, describing the nature of the data affected, the data subjects involved, the risks, and the technical and security measures adopted before and after the incident. 

Authorities

The primary enforcer of Lei Geral de Proteção de Dados Pessoais is Brazil’s National Data Protection Authority (Autoridade Nacional de Proteção de Dados, ANPD). Its role is two-fold: to oversee compliance with the law, issuing regulations and guidance, and to handle complaints, investigate violations and apply sanctions.

Because the law was only enacted in 2018 and its administrative sanctions only became enforceable in August 2021, there is little precedent to draw on. The ANPD is therefore authorised to regulate the law’s open points, interpret them as cases arise, and choose from the sanctions the law lists: warnings, publication of the infraction, fines of up to 2% of the organisation’s revenue in Brazil for the previous financial year (capped at R$50 million per infraction), daily fines, and the blocking or deletion of the personal data concerned, up to partial or total suspension of the processing activity. 

Finally, the ANPD must promote public awareness of data protection and pursue international cooperation with other data protection authorities, bringing Brazil into line with the rest of the world. 

Who must comply?

Lei Geral de Proteção de Dados Pessoais applies to any natural or legal person, public or private, in the way that they collect and process personal data. It is important to note that the legislation is not limited to Brazilian companies and does not protect only Brazilian citizens: it applies whenever the processing takes place in Brazil, the data was collected in Brazil, or the processing aims to offer goods or services to, or to process the data of, individuals located in Brazil, regardless of where the organisation is based or where the data is stored. 

There are several exceptions, including processing by a natural person for exclusively private and non-economic purposes, and processing carried out exclusively for journalistic, artistic or academic purposes. The law also does not apply to processing carried out exclusively for public security, national defence, state security, or the investigation and prosecution of criminal offences, which is left to specific legislation. 


In order to comply with Lei Geral de Proteção de Dados Pessoais, firms must build privacy into their data collection methods and secure the personal data records they hold. To help mitigate the associated technology risk, access all relevant regulatory data in a centralised platform with CUBE.    