LGPD — Brazilian GDPR!

Evgeny Pozdeev
Published in UDAPTOR
Jul 30, 2020

Ratified in August 2018, right after GDPR came into force, this law is set to redefine data protection in the biggest country of South America. LGPD is based on the GDPR (but was finally approved with some modifications), so the two laws have many things in common. We decided to focus on 3 differences that we found interesting, and then we will look at the potential of LGPD in Brazil!

Brazil has some interesting things that are native only to the country, like a fruit called “jabuticaba”! LGPD follows that trend by introducing something that, as far as we know, can’t be found anywhere else: Brazil is the first country that uses the protection of credit as the legal basis for a data protection law.

Data portability in LGPD is not limited to data that was provided based on the subject's consent. It is actually wider, which makes LGPD not only different from GDPR but a lot cooler: users will now have control over all the data, not only the data that they provided and gave consent for.

One more significant difference that we found exciting is that in Brazil all companies that have to comply with LGPD must appoint a DPO. Compared to GDPR, this is a much stronger obligation (GDPR makes it obligatory under certain circumstances).

What are the prospects for LGPD? Since it was designed to be very close to GDPR, one of its goals is to achieve an adequacy agreement that ensures a free flow of data between Brazil and the EU. But the latest modifications before approval by the president @jairmessiasbolsonaro did not bring the adequacy decision closer. To name a few: the removal of a provision to review machine-automated decisions and the removal of technical skill requirements for DPOs. Many were calling these changes “a watering down of the LGPD that could affect Brazil’s EU adequacy decision”.

We asked several experts what they think about the adequacy decision between Brazil and the EU. Find their replies in the carousel! Many thanks to @dataprivacybrasil, @guiribabrb, @pamelabuenoconsultoria, and @gdpradvocate. Join their channels, and join the discussion in the comments below! :)

“I believe that the LGPD will play a key role in adequacy, but the way it’s enforced in Brazil will also matter a lot. The civil entities and the Public Office have shown themselves acting on this matter, but the creation of the National Authority of Data Protection (ANPD), which is still inexistent and essential for the work of such an ecosystem, is also necessary. Thus, LGPD is important to bring to Brazil a law that regulates personal data activities; however, we still need the creation of the ANPD” — Brazilian Data Protection Researcher [https://www.instagram.com/guiribabrb/]

“LGPD certainly is legislative progress; however, it can’t be the sole legal basis for data protection. Data Processors should be tuned to new regulations and measures that will complement the main goal of the LGPD: the protection of personal data.” — Brazilian Lawyer and Consultant in Data Protection [https://www.instagram.com/pamelabuenoconsultoria/]

“LGPD is a first step towards adequacy, however, it’s not enough. If you consider that until this day an independent Data Protection Authority hasn’t been established yet, and (in the future) it’s planned to have its structure tied to the Presidency. The adequacy decision considers not only the existence of a legislation, but most importantly, the measures taken by the country showing a real commitment to the agenda of Data Protection. For that, having an independent Data Protection Authority is fundamental.” — Brazilian Teaching and Research Institute with focus on Data Protection [https://instagram.com/dataprivacybrasil]

“The LGPD may be seen in the EU as the indication of Brazil’s intention to align with the requirements set forth by the GDPR. However, the issuance of the adequacy decision will be subject to the verification of actual personal data security culture and the effectiveness of data protection measures, in particular formal requirements, supervisory measures, communication with the EU supervisory authorities, requirements for appointing Data Protection Officers, making proper risk assessments, securing the data in terms of physical access, technological access (cloud services, IT), the enforcement of processing agreements etc. Several aspects will be taken into account by the EU and it may not be excluded that some additional conditions will need to be met for the LGPD before the issuance of the adequacy decision will be possible.” — EU Business lawyer [https://www.instagram.com/gdpradvocate/]
