Joining the global trend started in Europe with the GDPR, Brazil recently enacted its own omnibus law (going into effect August 2020 after a recent extension) governing the use of personal data, the Lei Geral de Proteção de Dados (General Law for the Protection of Privacy or LGPD). Similar to the EU's GDPR and California's CCPA, LGPD is intended to regulate the processing of personal data. The stated purpose of the law is to protect the fundamental rights of freedom and privacy and the free development of the personality of the natural person.
This article addresses the most commonly asked questions about the applicability of LGPD, its exemptions and enforcement. The analysis is woven with comparison and contrast to the EU's General Data Protection Regulation (GDPR) and California's Consumer Privacy Act (CCPA).
TO WHOM DOES LGPD APPLY?
The LGPD applies to any natural person or legal entity, including the government, that processes the personal data of the people of Brazil, even if the entity processing the data is based outside of Brazil. There are some exceptions, however, such as 1) when the processing is done by a natural person exclusively for private and non-economic purposes, 2) when done exclusively for journalistic, artistic, or academic purposes, or 3) when done for purposes of public safety, national defense, state security, or activities of investigation and prosecution of criminal offenses.
WHAT IS PERSONAL DATA AND HOW CAN IT BE PROCESSED?
Personal data in this statute is defined broadly as information regarding an identified or identifiable natural person. There are also special restrictions for the processing of sensitive personal data, which is data that relates to racial or ethnic origin, religious beliefs, political opinion, affiliation to unions or political, philosophical or religious organizations, health, sex life or genetic and biometric data. To that end, and similarly to GDPR and CCPA, sensitive personal data may only be processed when the data subject specifically and distinctly consents to the specified purposes.
Personal data may be processed without consent for certain specific and limited purposes, including 1) to comply with a legal obligation, 2) when the public administration needs it to execute public policies, 3) for studies carried out by a research entity, or 4) to protect the life or physical safety of the data subject or a third party.
Companies can collect and use...