As technology continues to evolve and the digital economy expands to greater reaches within society, both citizens and governments are demanding legal change regarding how personal data is stored. Specifically, Brazil’s Lei Geral de Protecao de Dados Pessoais (LGPD) and the European Union’s General Data Protection Regulation (GDPR) both exemplify the need for change within the legal environment regarding data, as many of the current privacy laws are outdated and do not properly address the large amounts of digital personal data that is currently being stored.

Brazil’s LGPD

After a year of uncertainty, Brazil’s LGPD was adopted on September 18, 2020, following the data protection regulator ANPD (Autoridade Nacional de Protecao de Dados), which was finalized on August 27, 2020. Despite more than 40 regulations at the federal level, the LGPD is currently the most detailed set of rules surrounding the use of personal data in Brazil.

LGPD is Brazil’s first country-wide law that provides a comprehensive framework regulating the use and processing of all personal data. Brazil’s LGPD defines “personal data” as “information regarding an identified or identifiable natural person”. However, because there are no specific examples provided in the definition of “personal data”, there may be more room for interpretation within this jurisdiction. Sensitive personal data under LGPD is similar to GDPR, but also includes information about religious and philosophical affiliations.

EU’s GDPR

GDPR was officially passed on May 25, 2018, replacing the Data Protection Directive that was passed in 1995. Each of the 28 countries in the European Union are required to follow the regulations with no room for error, unlike the Data Protection Directive, which allowed for more flexibility depending on the situation within each individual nation.

The reason for the Directive’s replacement was that it was not written for the current digital stage and many of its regulations do not effectively address how data is collected and stored, a very critical component within the current digital economy.

In contrast to Brazil’s definition of “personal data,” the European Union defines it as “any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly in particular reference to an identifier”. 

GDPR differs from Brazil’s LGPD because it gives examples of personal data. The GDPR further breaks down personal data into “special categories of personal data”, which includes information about political opinions, personal health, racial or ethnic background, biometric data and genetic data.

What About Controllers and Processors?

Both of these terms are included in the documentation for each privacy law. According to the GDPR, the controller is defined as “the natural or legal person, public authority, agency which determines the purpose and means of the processing of personal data” while the processor is “a natural or legal person which processes personal data on behalf of the controller”. GDPR also requires controllers to report data breaches within three days of its discovery in order to minimize the severity.

On the other hand, the LGPD defines controllers as a “natural person or legal entity or public or private law that has competence to make the decisions regarding the processing of personal data”. The processor is defined as a “natural person or legal entity of public or private law that processes personal data in the name of the controller”. While the GDPR requires the reporting of data breaches within three days, the LGPD does not have a specific timeline for reporting breaches. Instead, it only requires reporting “within a reasonable time period”.

Regardless, both of these laws define controllers and processors similarly, despite the differences in wording.

The Principles, Requirements and Rights

At a high level, LGPD and GDPR are sets of requirements, principles and rights. For example, the GDPR provides seven principles of data processing, while LGPD has ten. The first principle is lawfulness, fairness, and transparency, so each law aims to maintain transparency when handling personal data. Another principle, data minimization, is heavily emphasized in both laws as a necessity. Accuracy is also stressed through both legal documentations and is often referred to as the “quality of data”.

One difference between the two laws is that GDPR stresses storage limitation while LGPD does not have a specific section on it. GDPR places greater emphasis on how personal data is stored. However, LDGP is more flexible with who has access to the data. Their regulations contain a “free access principle” that the GDPR does not have. Moreover, both LDGP and GDPR include sections about minimizing the harm caused by data storage.

Most of the differences between GDPR and LDGP are minimal, and compliance with one law should lead to compliance with the other. This is especially important when businesses want to operate in both the EU and Brazil.

Lawful Bases and Requirements

The requirements for processing are very similar between LGPD and GDPR. Both countries require consent, but each country defines “consent” with slightly different terms. Second, both laws prioritize the protection of life or physical safety over “vital interests”. Regarding public interest, GDPR specifically states that processing can be “in the public interest” as well as in “the exercise of official authority”, whereas the LGPD only focuses on the public authorities. GDPR also contains many exceptions for research purposes, where LGPD does not.

The LGPD also contains a “health requirement” along with “vital interests” when discussing the protection of life and physical safety, along with the protection of credit. However, the differences between LGPD and GDPR are minimal, and the adherence to one law will most likely be compliant with the other.

Data Subject Rights

Both GDPR and LGPD give individuals similar rights when it comes to personal data. These laws give individuals the right to deletion, to be informed, to access, to revoke consent and correct inaccurate information. However, GDPR is much more prescriptive while LGPD allows individuals to anonymize data under certain circumstances. There are also restrictions on transferring personal data to third party countries or international organizations, with only specific situations currently allowed under global corporate rules and contracts.

How Do They Enforce This?

GDPR and LGPD have significant penalties for not following regulations, but sanctions under each law differ. For GDPR, depending on the severity of the violation, the monetary penalty may be 2% of the group’s global revenue, or 10 million Euros, whichever is higher.

These laws apply to people and businesses within every industry, and of every size. They are enforced by regulators called the Data Protection Authorities in the European Union and the National Data Protection Authority in Brazil. Each of these laws are also applicable extraterritorially, meaning that non-European Union businesses operating in the EU must be compliant with the regulations; the same applies to Brazil.

The Need for Privacy Law

The similarities between LGPD and GDPR point to the larger issue that it is necessary for the law to evolve with technology. As the impact of the internet continues to grow and flourish, personal data becomes more vulnerable to leaks and hacks. This gives the incentive for policymakers to further explore the ways to best protect consumer’s sensitive information without infringing on business practices, and LGPD and GDPR are both examples of these conversations on how to regulate the digital space for all stakeholders.

Do you have information to share with Identity Review? Email us at press@identityreview.com.