On 26 August 2020, Brazil’s Senate rejected a proposal to delay further the coming into force of its sweeping new data protection regime, the General Data Protection Law (LGPD). This law is now effective immediately, although its enforcement provisions, including penalties and sanctions, only come into effect from August 2021.

Much has been said about the similarities (the definition of personal data, the rights of data subjects) and differences (all organisations needing a DPO under LGPD, more lawful bases for processing in Brazil) between the LGPD and the EU’s GDPR. In the coming months Lewis Silkin and its Brazilian data partner will be running a seminar on this topic – so watch this space.

However, for now we wanted to focus on one such commonality between the two regimes which should concern any company with any data nexus at all to Brazil, namely the LGPD’s approach to extraterritorial scope.

In short, the LGPD will apply not only to organisations that operate or carry out processing activities in Brazil, but also to those which offer products and services to Brazilian customers, and to those which carry out processing activities involving personal data collected in the country, regardless of the organisation’s base jurisdiction.

This is similar to the far-reaching extra-territorial provisions in Article 3 of the GDPR.

All businesses that carry out any of the above should therefore review their compliance profile against the LGPD now that its core tenets are in force (preferably well in advance of it growing its teeth in August 2021).

Steps to do this may include: mapping data flows in and around Brazil, and then as necessary reviewing privacy notices; updating agreements that deal with the transfer of Brazilian data; getting policies and procedures (including for breach notification) up to date; and carrying out impact assessments for high-risk processing activities. GDPR-compliant organisations should by this point be well versed in these general steps, but should ensure that they are tailored to the new Brazilian regime, given the notable differences between the two.

Expect Brazil’s new national data protection authority (the ANPD) to be up and running very soon, and for regulatory guidelines to follow not long after.