By Caterina Carvalho
Two years after it was enacted, the European Union’s (EU’s) General Data Protection Regulation (GDPR) became enforceable as of May 25, 2018. It is the most important change in data privacy regulation in 20 years, and it has been reshaping how businesses worldwide handle customer information.
Designed to harmonize data privacy laws across Europe and the world, the GDPR has an extraterritorial feature: an entity that processes the personal data of an EU resident, regardless of the entity’s location, is subject to the GDPR. Therefore, non-EU businesses processing EU citizen data have to appoint a representative in the EU, so that the representative can be “responsible” for data processing in Europe.
The GDPR provides penalties for businesses that breach its provisions. The most serious infringements (such as the leaking or unauthorized sharing of customer personal data) are penalized with fines that may amount to the greater of 4% of the breaching business’s annual global turnover or €20 million.
Even though consent for personal data processing was already required, the GDPR determined that requests for consent must be understandable and accessible, must state how the business intends to use the data collected, and must give the data subjects (i.e. the consumers) the possibility of withdrawing their consent at any time. Since the GDPR, companies can no longer use generic and extensive terms to obtain the personal data of EU citizens.
If an organization suffers a breach under the GDPR, it must report the breach to the data owner within 72 hours of first becoming aware of it.
Finally, the GDPR created the figure of the Data Protection Officer (DPO), who shall be the business’s representative towards the supervisory authority and also towards the data subjects. Appointing a DPO is necessary for entities (controllers or processors) whose core activities consist of processing operations that require regular and systematic monitoring of personal data on a large scale. The DPO may be a staff member or an independent contractor, and shall report to the entity’s highest level of management.
Inspired by the GDPR, the Brazilian General Data Protection Law (LGPD) will become enforceable as of August 2020. It aims to protect personal data by preventing the unauthorized commercial use of customer information such as names, telephone numbers, addresses, ID numbers, bank accounts, etc. Its applicability is territorial, because the personal data protected by the LGPD is only the information processed within Brazil.
Like the GDPR, the LGPD grants Brazilians the right to access their personal data, to correct their data record, to withdraw their consent regarding their personal data, and to request that business organizations delete their personal data from their records. Companies that do not comply with such requests may be penalized by the supervisory authority. The most serious penalty is a fine that is the greater of 2% of the entity’s annual turnover or R$ 50 million.
The LGPD also requires consent by the data owner before data can be processed by businesses. Conditions are also established for the processing of sensitive data (personal data on racial or ethnic origin, religious beliefs, political opinions, etc.), requirements for the international transfer of data, and for handling the data of minors (which shall depend on the consent of the minor’s parents), among other situations.
Initially vetoed in its original version, the LGPD was amended by Provisional Measure 869/2018 to provide for the role of the DPO (“encarregado”, under the LGPD).
The National Data Protection Authority (NDPA) will be the authority supervising the application of, and compliance with, the LGPD. The NDPA will initially be subordinated to the President of Brazil, but it shall gain autonomy in the future. The NDPA shall audit businesses to ensure compliance with the LGPD and will assess penalties for non-compliance. The “encarregado” shall handle communication on behalf of the business with the NDPA, as well as with the data subjects.
Generally, data subjects will have greater control over the processing of their personal data, resulting in several obligations for controllers and processors. Organizations that have already become compliant with the GDPR are well on their way to compliance with the LGPD.
There are many similarities between the GDPR and the LGPD. The table below points out the five most important aspects of each law: