Brazil got itself into the data privacy regulation game in September 2020, when its Lei Geral de Proteção de Dados (“LGPD”) entered into force, in spite of calls from businesses and advocates to postpone the regulation because of issues related to COVID-19. Companies operating in Brazil now face, in some cases for the first time, comprehensive privacy obligations which require them to focus their attention on how they collect, store and process data. We’re often asked if LGPD and GDPR are the same (all the acronyms can be confusing!), so we’ve made a list of similarities, and key differences, between the regulations.
1. Are Individuals’ Rights Under LGPD the Same as Under GDPR?
Individuals’ rights under LGPD are largely similar to those available under GDPR (i.e., access, correction, deletion, blocking, and portability), but there are a few significant differences between the regulations. First, LGPD provides for an explicit right to anonymization, meaning that individuals can request that organizations anonymize data about them if that data is unnecessary or excessive, whereas GDPR does not have this specific right.
Second, LGPD outlines the way in which companies must respond to data subject access requests, either in a “regular” or a “simplified” fashion. To respond in a regular manner, a company should provide the individual with the requested data, including the origin of the personal information, the criteria used for the processing and its purpose, or, where applicable, a statement that no records exist; all in no more than 15 days. To respond in a simplified manner, a company can provide less detail and information for a request; however, the new law does not yet outline the specific timing for such a response (we’ll update when it comes out). If, for whatever reason, a complete response in either a regular or simplified manner cannot be provided within 15 days, the company needs to inform the individual why it is prevented from responding within that period.
Third, LGPD places no restrictions on how often an individual can lodge an access request, whereas GDPR allows a controller to charge a reasonable fee for, or refuse, requests that are manifestly unfounded or excessive, in particular because of their repetitive character. In addition, organizations subject to LGPD are required to respond to requests free of charge, potentially even repetitive requests.
2. Do LGPD and GDPR Share the Same Legal Bases for Processing?
LGPD includes the same legal bases for processing personal information as GDPR, as well as a few that GDPR does not have. In addition to legal bases that are comparable to those available under GDPR, the LGPD also permits the use of personal information for:
- Exercise of rights in legal, administrative, and arbitration proceedings;
- Health protection; and
- Credit protection.
Also, the concept of legitimate interests as a legal basis appears to be broader under the LGPD, which specifically states that legitimate interests cover processing of personal information for the “support” and “promotion” of the controller’s activities.
3. Do LGPD and GDPR Require the Same Obligations for Companies?
LGPD imposes additional requirements on companies as compared to GDPR. For example, all companies that qualify as controllers must appoint a data protection officer (“DPO”), whereas under GDPR companies (both controllers and processors) are only required to appoint a DPO if they meet certain conditions, such as being a public authority or carrying out large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data. For processors subject to the LGPD, a DPO is optional. Also, LGPD establishes no requirements regarding DPO qualifications, whereas GDPR requires DPOs to be designated on the basis of their professional qualities and expert knowledge of data protection law.
4. Do Companies Face the Same Liability for GDPR and LGPD Violations?
Under GDPR, a processor is liable for damages only where it has breached its own processor-specific obligations or acted outside the controller’s lawful instructions. LGPD’s approach is significantly different, as both controllers and their processors can be jointly liable for damages caused by the processor. This can be challenging because, unlike GDPR, the LGPD does not make a data processing agreement mandatory, so there are no formal requirements for companies that use service providers to process personal information on their behalf. However, given the significance of joint liability, companies would be well-served to formalize their data processing agreements and to outline indemnification and liability provisions in them.
5. Are LGPD and GDPR Fines the Same?
LGPD can impose fines of up to two percent (2%) of a company’s revenues in Brazil in the preceding fiscal year, capped at 50 million Brazilian reais (approx. €10 million or $13.2 million USD at the time of writing) per violation, whereas GDPR imposes a maximum fine of the greater of 4% of worldwide annual turnover for the preceding financial year or €20 million.
As with every data privacy law when it first comes online, the text of the regulation is known, but there is little information yet regarding how the courts and the national authority will interpret it. While LGPD and GDPR are quite similar, there are significant nuances that require companies of all sizes to revisit their approach to data privacy law.
How Can Clym Help?
Clym believes in striking a balance between legal compliance and business needs, which is why we provide a cost-effective, scalable and flexible platform to comply with LGPD, GDPR, CCPA and other laws as they come online. Our platform provides consumers with an effective and easy-to-navigate way to opt-out of data collection while not infringing upon the website UI that businesses rely on to drive revenues. Contact us today about how your company can implement Clym to help manage your data privacy regulation compliance from a global perspective.