Brazil’s New Data Protection Law Has Implications for Mobility

Everyone creates data everywhere they go. With the proliferation and free flow of data come the need for data protection, and countries around the world have begun enacting laws and regulations to ensure just that. These changes affect businesses that operate in multiple countries. They also have important implications for the need to protect the data privacy of mobile employees. One of the most recent countries to make changes to data protection law is Brazil.

Brazil’s Lei Geral de Proteção de Dados, or General Law on the Protection of Personal Data (LGPD) will go into effect in August 2020. With it comes new rules for the use and protection of personal data. Enacted in 2018, the same year California passed and the EU began enforcing similarly groundbreaking data privacy measures (the California Consumer Privacy Act and the General Data Protection Regulation, respectively), the new law in Brazil will be a significant change for data privacy and protection.

The LGPD will replace or supplement 40 existing regulations for personal data privacy and protection and serve alongside the Brazilian Civil Rights Framework for the Internet and the Consumer Defense Code. While inspired by the GPDR, Ilan Goldberg and Joao Sa, writing for Financier Worldwide point out that the LGPD is a law rather than a regulation, which differentiates it from GPDR. This difference means that the GDPR is more direct and objective, while LGPD is open to different interpretations. Additionally, the LGPD will be regulated by Brazil’s newly established data protection authority (ANDP), while the GPDR may be supervised by one or more entities for each EU member state.

A guide by the International Association of Privacy Professionals explains that the LGPD “deals with the concept of personal data and lists the legal bases that authorize its use — and consent is only one of them — highlighting the possibility of processing personal data based on the legitimate interests of the data controller in addition to data protection general principles; basic rights of the data subject— such as right to access, exclusion of data and to explanation; and the obligations and limits that should be applied to any entity that processes personal data.” It will apply to all sectors of the economy and, with a few exceptions, will apply to any practice that process personal data.  Like GDPR, LGPD’s application will extend beyond Brazil’s borders.  It also includes a broad definition of “personal data,” that, depending on interpretation of the law allows for almost any data to be interpreted as personal, and subject to the law. The law also requires additional protection of “sensitive” personal data, such as data on racial or ethnic origin, religious belief, political opinion, or genetic data that could be used for discrimination.

The impact this law will have on mobility is noteworthy. The law applies to any foreign country that has a branch in Brazil, offers services in the Brazilian market, or collects and treats personal data of subjects located in the country, regardless of their nationality. An employee relocated to Brazil, for instance, will generate data through email, social media posts, or credit card purchases, and will be subject to LGPD’s data protection. Sending and receiving HR data, such as payroll, to and from the employee directly or through a third party will also fall under the LGPD’s data protection.

To help companies comply with these changes, the LGPD calls for the establishment of a Data Protection Officer to serve as a communicator between data subjects, controllers, and the data protection authority. Additionally, it encourages creation of codes of conduct and certification bodies to assist in compliance with the LGPD. Doing so will ensure that companies don’t face penalties, which include warnings, a one-time fine of 2% of the company’s gross revenue in the last fiscal year (not to exceed BRL 50 million), a daily fine of the same amount, and the blocking of the data in question.

Companies have until February 2020 to adapt to these changes. Doing so will be a significant benefit to a company, but especially the employees. Personal data is a particularly sensitive and vulnerable area, and compliance with privacy laws is crucial to ensuring employee protection. For those in the Brazil market or relocating to the country, the LGPD’s new mechanisms for ensuring data privacy is a positive step forward in the protection of personal data.