Privacy Laws in Brazil

The primary privacy legislation in Brazil is the Brazilian General Data Protection Law, Federal Law no. 13,709/2018 — Lei Geral de Proteção de Dados Pessoais (LGPD) — which came into force in the region on September 18, 2020.

The law is broadly based on the EU’s GDPR and applies to individuals and organizations processing personal data — information that can be used to identify a living person — where:

  • the processing operation is carried out in Brazil
  • the purpose of the processing activity is to offer or provide goods or services, or the processing of data of individuals located in Brazil, or
  • the personal data was collected in Brazil.

Like the GDPR, the LGPD applies wherever the company or data is located as long as one of the criteria above is met.

As of February 2022, data protection is now included in the Federal Constitution as a fundamental right. Brazil also encodes privacy rights into its Civil Code.

Penalties and compliance violations

According to the IBM Cost of a Data Breach 2022 report, Brazil had the highest growth rate in breach costs across all countries surveyed. The cost of a data breach in Brazil saw a 27.8% increase from US $1.08m to US $1.38m.

It’s against this backdrop that the Brazilian National Data Protection Authority (ANPD) approved the Regulation on the Setting and Application of Administrative Penalties under the LGPD in February this year.

The regulation defines the methodology for determining fines and penalties for noncompliance and LGPD violations. In a similar model to the GDPR, these can be up to 2% of turnover or up to BRL 50 million (US$10 million). Other penalties could include mandatory public disclosure of an incident and could extend to the forced suspension of data processing.

Comparing LGPD and the GDPR

Brazil’s LGPD borrows heavily from the European GDPR, but the laws are not identical.

The LGPD is simpler than its European counterpart. The monetary penalties of the LGPD are lower than the GDPR, but it imposes shorter timescales for responding to subject access requests (15 days vs 1 month). It also includes an additional legal basis (permitted use) for the processing of personal data for credit protection purposes.

The LDPG specifically addresses anonymized data where individuals can still be identified from it. Further, the data transfer provisions of the LDPG are more restrictive than those of the GDPR since there are no allowable exceptions.

Complying with LGPD

For organizations looking to comply with Brazil’s LGPD, understanding their data is the best place to start. Businesses that are subject to the European GDPR may have an advantage, as the regulation forms the basis of the LDPG, but they will need to review the Brazilian law and update the processes to comply with any variances.

Among the most important steps for businesses to take is a periodic inventory of all personal information across the organization, specifically identifying information that relates to Brazilian citizens and residents.

Ground Labs’ Enterprise Recon simplifies this process by automating the discovery process and focusing on specific targets based on over 300 pre-packaged data types from over 50 countries including Canada and the US.

To find out more about LGPD, download your free copy of our white paper, The Six Foundations of Data Privacy Regulation

Want to keep up with all our blog posts? Subscribe to our newsletter!