Brazil passed the General Data Protection Act (LGPD) in August 2018. The Brazilian law was inspired by the General Data Protection Regulation (GDPR), which replaced the legal standards in place in the European Union.
Now it’s Brazil’s turn to move at full speed towards the LGPD’s application.
Although they have common goals, there are significant differences between the two laws. In fact, meeting the GDPR’s requirements does not guarantee compliance with the LGPD.
Let’s look at some of their main differences.
Both the GDPR and the LGPD protect any information related to an identified or identifiable natural person. However, the LGPD does not specify what sort of information it refers to, making its scope rather broad.
Anonymized data falls outside the scope of both laws if measures are taken to ensure that it cannot be re-identified.
The LGPD makes an exception: Data is considered personal when used to profile the behavior of a particular natural person if that person is identified.
Both laws have an extraterritorial reach. They apply to all companies that offer goods or services to data subjects in the EU or Brazil, regardless of their location.
Still, there is a noticeable difference between the two laws. The GDPR explicitly includes organizations that are not established in the EU but monitor the behavior of individuals located there. On the other hand, the LGPD does not include such a provision.
Data Protection Officers
According to the GDPR, organizations whose principal activities consist of processing operations that require systematic monitoring of data subjects in a large-scale, or extensive processing of special categories of data, are required to appoint a data protection officer (DPO).
In contrast, the LGPD requires only data controllers to appoint a DPO. However, it doesn’t limit the circumstances in which a DPO should be delegated. This means that all companies, regardless of their type, size, or volume of the collected data, will need a DPO.
However, the National Data Protection Authority (ANPD) is authorized to adjust this provision. Therefore, it’s presumed to issue complementary rules to limit the applicability of this requirement.
Legal databases for data processing
One of the main differences between the two laws is the legal basis for data processing.
To the GDPR’s original six, the LGPD adds four more:
- explicit consent
- contractual performance
- public task
- vital interest
- legal obligation
- legitimate interest
- studies by a research body
- exercise of rights in legal proceedings
- health protection
- credit protection.
Data subjects’ access requests
An individual’s right to access data is guaranteed both in the GDPR and the LGPD. Data subjects can request access to the data that a company collected about them. Besides, they can also request other actions: their portability, deletion, or correction.
There is a difference in the cost of requests: the LGPD makes them obligatory free, while the GDPR makes their gratuity optional.
GDPR fines allow DPAs across Europe to issue fines of:
- up to 4% of a company’s overall annual revenue or €20,000,000, whichever is higher.
According to the LGPD, organizations face similar penalties, although a little less severe:
- up to 2% of its total revenue in Brazil in the previous year or up to 50,000,000 Brazilian reais, whichever is higher.
Government agencies are outside the scope of LGPD fines. The GDPR, on the contrary, leaves the decision on this matter to the DPAs.
Mandatory data breach notifications
Although both laws have made data breach notifications mandatory, their requirements differ slightly.
The GDPR imposes 72 rigorous hours in which companies are required to notify Data Protection Authorities (DPAs) of data breaches.
Organizations that fall under LGPD’s scope should do so within an indefinite “reasonable” time.
The LGPD requires companies to also notify data subjects of data breaches, something that is not a GDPR requirement.
As we have seen, despite the similarities between the LGPD and the GDPR, there are certain differences. These include legal bases and required data breach notifications, on which the LGPD goes further than European law.
There are also many broad provisions in the Brazilian law, subject to the adjustment of the National Data Protection Authority (ANPD). Therefore, the new authority is expected to address them in the months leading up to the LGPD’s implementation.
Now you know, meeting the GDPR’s requirements does not assure compliance with the LGPD. The following step is to prepare for the entry into force of the Brazilian law in August 2020.