Doing Business in Brazil? Get to Know the General Personal Data Protection Law (LGPD)

Written by VGS.

Did you know that Brazil is bigger than the 48 contiguous United States? The US is only bigger than Brazil if you add Alaska! São Paulo, with over 21 million residents, is more populous than New York. And Brazil’s 210 million citizens enjoy a thriving economy: Brazil’s Gross Domestic Product (GDP) ranks #12 globally.

All of these factors mean your company may be thinking about entering the Brazilian market. If so, there are a few things you should know. You may already know that Brazilians speak Portuguese – not Spanish. And you may also know that Brazil’s love of football is well-earned: its national team has won the World Cup 5 times, which is more than any other nation.

If you are a FinTech firm, one of the most important things to be aware of is Brazil’s new General Personal Data Protection Law (LGPD), which is similar in nature to the European General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).

Before we skip to the basics, you should note that the trajectory of data privacy worldwide is only getting more stringent. Just last month, in February 2022, the Brazilian Congress added an Amendment to the Brazilian Constitution that makes personal data protection, including in digital media, a “fundamental” citizen right.

LGPD Overview

On August 14, 2020, it became illegal for individuals, businesses, and public institutions in Brazil to possess or process any Brazilian citizen’s sensitive personal information online or offline without their consent. There are a few exceptions, such as for national defense. But for commercial businesses, LGPD applies, no matter where the data storage or processing takes place.

Thanks to this data protection regulation, Brazilians now have significant rights over their personal data, from acquisition to storage, and change to deletion. “Data subjects” have the right to obtain confirmation of data access and processing, as well as the correction of inaccurate data. And firms may process personal data only if they have a documented basis for doing so, such as consent from the data subject, legitimate business concerns, or the execution of a contract.

According to LGPD, there are heightened obligations to protect “sensitive” personal data, such as race, ethnicity, religious belief, political opinion, organizational memberships, sexual orientation, and biometrics. Children’s data, commonly used by educational and gaming sites, have additional protections.

In sum, Brazil’s new privacy law represents progress for personal data protection. In fact, for certain types of metadata that could be associated with a person, LGPD also offers more data protection than GDPR.

LGPD Obligations

LGPD sets a high bar for data controllers (any business that collects personal data) and data processors (any business that provides a service on behalf of a controller). It requires both of them to take “all possible” administrative, technical, and security steps to protect personal data, not only from data theft and data breach but also from any unauthorized use.

Brazilian authorities can bring claims against violators, and data controllers must self-report security incidents within a “reasonable” period of time, both to data subjects and the Brazilian National Data Protection Authority (ANPD).

The penalties for failure to protect personal data are steep. For each infraction, an organization may have to pay a fine of up to 2% of its revenues in Brazil for the prior fiscal year, or up to 50 million Brazilian Reals. That is almost $10 million US Dollars.

Data Privacy: Going Global

If you are doing business in Brazil, you have no choice but to follow LGPD guidelines. However, you should also know that, by enacting a new data privacy law, Brazil is far from a unique case.

Countries around the world are adopting similar measures or amending existing legislation to keep up with the times, from Saudi Arabia’s new Personal Data Protection Law to Japan’s Act on the Protection of Personal Information, Nigeria’s Data Protection Regulation, Australia’s Privacy Act, and many more.

As a final point, you should remember that it doesn’t matter where you are located. Whether you or your business are physically present inside these countries – or whether you merely possess and/or process their citizens’ data in another country – your business must comply with these laws.