General Data Protection Law of 2018 (LGPD)
Introduction
The General Data Protection Law (Lei Geral de Proteção de Dados Pessoais, LGPD, Law 13.709/2018) is Brazil’s comprehensive data protection framework. Approved on August 14, 2018, the LGPD became fully effective in August 2020 (with administrative penalties effective from August 2021). Modeled on the European Union’s General Data Protection Regulation (GDPR), the LGPD establishes principles, rights, and obligations for the processing of personal data by public and private entities. The law created the National Data Protection Authority (ANPD) as the regulatory and enforcement body.
Constitutional Basis
The LGPD implements constitutional privacy rights (Article 5, X and XII) and the right to information self-determination. The Constitution guarantees the right to privacy, confidentiality of correspondence and communications, and access to personal information held by public entities.
Scope
Territorial Scope
The LGPD applies to: (i) data processing operations carried out in Brazil; (ii) processing of data of individuals located in Brazil, regardless of where the processing occurs; and (iii) processing of data collected in Brazil. This extraterritorial scope mirrors the GDPR.
Material Scope
The LGPD applies to any processing of personal data by natural persons or legal entities, public or private, except: (i) processing for personal or journalistic purposes; (ii) processing for artistic or academic purposes; (iii) processing for public security and national defense; and (iv) processing for criminal investigation purposes.
Key Definitions
Personal Data and Sensitive Data
- Personal data (dado pessoal): Any information relating to an identified or identifiable natural person (Article 5, I)
- Sensitive personal data (dado pessoal sensível): Data on racial/ethnic origin, political opinions, religious beliefs, health, sexual life, genetic and biometric data (Article 5, II)
Processing
Processing (tratamento) is broadly defined to include any operation carried out with personal data, including collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, elimination, evaluation, or control of information.
Principles
Article 6 establishes 10 principles for data processing: (i) purpose (finalidade); (ii) adequacy (adequação); (iii) necessity (necessidade); (iv) free access (livre acesso); (v) quality of data (qualidade dos dados); (vi) transparency (transparência); (vii) security (segurança); (viii) prevention (prevenção); (ix) non-discrimination (não discriminação); and (x) accountability (responsabilização).
Legal Bases
Article 7 establishes 10 legal bases for processing personal data, including: (i) consent; (ii) legal or regulatory obligation; (iii) public administration; (iv) research; (v) credit protection; and (vi) legitimate interests. For sensitive data (Article 11), additional bases apply.
Data Subject Rights
Article 18 grants data subjects extensive rights, including: (i) confirmation of processing; (ii) access to data; (iii) correction of incomplete, inaccurate, or outdated data; (iv) anonymization, blocking, or deletion; (v) data portability; (vi) information about data sharing; (vii) revocation of consent; and (viii) review of automated decisions.
Data Processing Agents
Controller and Processor
The controller (controlador) determines the purposes and means of processing. The processor (operador) processes data on behalf of the controller. Both must comply with the LGPD.
Data Protection Officer
The controller must appoint a data protection officer (encarregado or DPO), responsible for: (i) communication with data subjects; (ii) cooperation with the ANPD; (iii) guidance on LGPD compliance; and (iv) handling complaints.
Security and Breach Notification
Article 46 requires controllers and processors to adopt security, technical, and administrative measures to protect personal data from unauthorized access and accidental or unlawful destruction. Security incidents must be reported to the ANPD within a reasonable period.
Penalties
Administrative Sanctions
The ANPD may impose: (i) warnings; (ii) fines up to 2% of the company’s revenue in Brazil (limited to R$50 million per infraction); (iii) blocking or deletion of data; (iv) suspension of processing; and (v) prohibition of processing activities.
Civil Liability
Controllers and processors are liable for damages caused by LGPD violations. The burden of proof is favorable to the data subject.
The ANPD
The National Data Protection Authority (Autoridade Nacional de Proteção de Dados, ANPD), created by the LGPD, is the regulatory body responsible for: (i) enforcement; (ii) rulemaking; (iii) guidance; (iv) international cooperation; and (v) promotion of data protection culture.
Conclusion
The LGPD represents a significant milestone in Brazilian data protection law, establishing a comprehensive framework aligned with international standards. Its GDPR-inspired approach provides robust protections for data subjects while imposing significant compliance obligations on controllers and processors. The ANPD’s evolving enforcement and guidance will continue to shape Brazilian data protection practice.