What We’re Reading: GDPR matchup: Brazil’s General Data Protection Law
Kegler Brown Global Business News October 16, 2018
In August 2018, Brazil approved the General Data Protection Law (LGPD), which will become effective in February 2020. The LGPD is based on the EU’s GDPR but has substantial changes and different approaches in several areas, including legal bases.
While GDPR has 6 legal bases (see Art. 6), LGPD adds to them for a total of 10. Here are LGPD’s legal bases with their GDPR equivalencies in bold:
(i) consent; (ii) legal obligation; (iii) implementation of public policies by the public administration; (iv) research by public study entities; (v) contractual performance; (vi) exercise of rights in legal proceedings; (vii) life protection; (viii) health protection; (ix) legitimate interest; and (x) protection to credit.
This arguably makes the LGPD more flexible and less restrictive than the GDPR when it comes to processing of personal data.
The right to portability was a new concept in the GDPR (see Art. 20) and it was limited to data processed based on consent. In general, the right to portability means that the controller has to transfer a data subject’s personal data to another controller upon the data subject’s request. This concept has existed in Brazil since 2007, and the LGPD does not limit the right to data processing based on consent. This means that any legally processed data (based on any of the 10 legal bases above), not only data processed on the basis of consent, is subject to portability requests in Brazil. This gives data subjects a lot more rights, but also creates a higher administrative burden for anyone processing data.
Brazil does not yet have a supervisory authority to whom data breaches can be reported, but there are other agencies that fill the gap until such an authority is established. In contrast to the GDPR, where the supervisory authority has to be notified of a breach within 72 hours (see Art. 33), the LGPD simply requires notification within a reasonable time.
The LGPD continues to show a global trend of countries following GDPR’s example. India’s Personal Data Protection Bill also shows many similarities to the EU’s precedent-setting rules, and we’re beginning to see more comparable laws in the U.S. as well, providing rights to data subjects. Expect more to follow.