Reed Smith Client Alerts

In August 2018, Brazil passed a comprehensive data privacy law called the General Data Protection Law (the Lei Geral de Proteção de Dados Pessoais, hereinafter the LGPD). Since the enactment of the LGPD, businesses and organizations doing business in Brazil have been ramping up and preparing for the implementation of the law. At the end of August 2020, the Brazilian government started to tie up some of the LGPD’s loose ends, which led to several important outcomes that are essential to understanding the future of the LGPD. Most notably, (i) the LGPD could become effective as soon as September 16, 2020, and (ii) the Brazilian federal government has approved the structure of the regulatory body that will oversee the LGPD’s enforcement. Thus, businesses and other organizations that are subject to the LGPD should be mindful of the law’s timeline for effectiveness and should prioritize working towards compliance.

Authors: Bart W. Huffman Sarah L. Bruno Matthew Gluschankoff Haylie D. Treas

 The LGPD: A high-level overview

According to Article 1 of the LGPD, the law is guided by the principle of protecting “the fundamental rights of freedom and privacy and the free development of the personality of the natural person.” Like the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), the LGPD has extraterritorial scope. Subject to certain listed exceptions, according to Article 3, the LGPD applies to the processing of “personal data” (as such term is defined by the LGPD) by any natural person or entity, public or private, even if such natural person or entity is based outside of Brazil, provided that (1) the processing takes place in Brazil, (2) the purpose of the processing is to offer or provide goods or services in Brazil, or (3) the personal data being processed was collected in Brazil.

The LGPD also takes a broad view of what data falls within the definition of personal data, similar to the GDPR and CCPA. In Article 5, the LGPD defines personal data as information related to an identified or identifiable natural person. Arguably, because of its broad definition, personal data may include information such as online identifiers. Article 12 of the LGPD states that data may be considered personal when used to create behavioral profiles (which may include online profiles) of a natural person and when such profiles identify that person. The LGPD also provides heightened protection for sensitive personal data, such as information concerning racial origin or genetic or biometric data.