Brazil LGPD vs GDPR: What Are The Differences?
The existence of over 100 data protection laws underscores the importance of protecting personal data. Although there are many similarities between Brazil’s LGPD and the GDPR, there are nuances that set them apart.
If you run a global or local business with a global reach, figuring out what laws apply can be confusing. We’re here to help you with that!
Today, we highlight the differences between Brazil LGPD and EU GDPR to simplify your compliance efforts.
- The Brazil LGPD bears a resemblance to the GDPR.
- Slight differences exist in processing principles, data subject rights, and justification. There are also differences in the contents of privacy notices, data security rules, data breach notices, and penalties.
- Compliance with one does not automatically translate to compliance with the other. An expert who understands the nuances involved can help identify the gaps.
What is Brazil’s LGPD?
Brazil approved the Lei Geral de Proteção de Dados Pessoais (LGPD) in August 2018 (the same year the GDPR took effect). LGPD unified over 20 provisions in the country’s laws protecting personal data. LGPD’s similarity with the GDPR earned it the nickname “the Brazilian GDPR.”
Brazil LGPD is the data protection law that regulates how businesses collect, process, store, and transfer personal data of Brazilian residents.
It doesn’t matter if the business is not operating in Brazil; the LGPD, which came into force in 2020, applies as long as the personal data belongs to a Brazilian resident or the processing happens in Brazil.
What is the GDPR?
The GDPR is the EU’s data protection law governing how personal data is collected, processed, stored, and transferred. The GDPR applies to businesses processing the personal data of EU residents or targeting EU residents.
It is enough that the processing happens in the EU, so the business need not be established in the EU. GDPR fines are among the highest in the world, and the law’s extraterritorial reach makes compliance a priority.
Differences in Principles
Data protection laws provide for processing principles, requirements, or lawful bases for processing and data subject rights. On these core provisions, the GDPR and the LGPD are similar. However, they differ in the nuances contained in the core provisions.
For instance, the GDPR contains seven data processing principles, while the LGPD contains ten.
Data processing under the GDPR must adhere to these seven principles: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.
Data processing under the LGPD must adhere to these ten principles: purpose, adequacy, necessity, free access, data quality, transparency, security, prevention, nondiscrimination, and accountability.
Differences in Data Subject Rights
Data subject rights in Brazil’s LGPD and the GDPR are largely the same, with minor differences. Depending on interpretation, the GDPR’s data subject rights are perhaps broader.
The right of access, right to rectification, right to erasure, right to data portability, right to object, and right related to automated processing are covered in both laws with different applications. Unlike the GDPR, the LGPD does not provide for the right to restriction of processing.
Differences in Justification
As a general rule, any processing of personal data is prohibited unless justified. For the GDPR, a business needs a lawful basis to process data. The equivalent of lawful basis in the LGPD is requirements.
On this point, the LGPD’s coverage is broader than the GDPR. All the lawful bases for processing under the GDPR are found in the LGPD, but some requirements for processing under the LGPD are not contained in the GDPR.
Both laws provide for consent, contract, legal obligation, vital interest, public task, legitimate interest and health (only partly, in the GDPR’s case) as acceptable reasons for processing personal data. In addition, the LGPD provides for research, legal rights and credit as further requirements.
LGPD vs GDPR Similarities & Differences
At first the LGPD seems a replica of the GDPR, but a closer analysis shows slight differences further highlighted by the choice of wording and interpretation.
Both LGPD and GDPR have extraterritorial scope, bringing businesses outside Brazil and the EU under their jurisdiction.
Businesses offering goods and services to Brazil and EU residents fall within the scope of application. The two laws differ in their extraterritorial scope because the GDPR includes businesses targeting EU residents, but the LGPD does not.
Data Processing Principles
GDPR provides for seven processing principles, while LGPD provides for ten. GDPR’s lawfulness, fairness and transparency principles are not mentioned in LGPD. However, LGPD’s principles of transparency, prevention and non-discrimination mirror similar concepts.
GDPR’s data minimization principle is absent in the LGPD. However, LGPD’s principle of necessity mirrors a similar concept. The GDPR’s storage limitation principle is not mentioned in the LGPD. However, the LGPD’s principle of necessity can be further interpreted to cover a similar concept.
The data security principle of the LGPD mandates businesses to keep personal data secure. The integrity and confidentiality principle covers data security in the GDPR. Both laws provide for access to data by data subjects. The LGPD calls it the free access principle, while the GDPR calls it the right of access.
The LGPD’s principle of prevention prohibits the processing of personal data to cause harm. While prevention is not mentioned in the GDPR, the lawfulness, fairness and transparency principle covers similar concepts.
As a way to mitigate the impact of Weapons of Math Destruction (WMDs) and ensure non-discrimination, the GDPR mandates human intervention for automated processing and allows data subjects to opt out. The LGPD contains no similar provision.
Under the LGPD and the GDPR, businesses need a justification or legal basis before processing personal data.
The LGPD refers to legal basis as requirements, while the GDPR refers to legal basis as lawful bases. The LGPD has about ten requirements for a legal basis, while the GDPR provides for about seven lawful bases.
On the legal basis of vital interests, the LGPD refers to this basis as “protection of life or physical safety”. The LGPD expressly mentions health as a legal basis. But considering “protection of life or physical safety” can also cover health, this could be considered duplication.
On the legal basis of public interests, the GDPR focuses on the task or activity, while the LGPD focuses on public authorities as a processor. The LGPD provides for research as a legal basis, while the GDPR mentions research as an exception to the need for a lawful basis for processing.
Like the research mentioned above, the GDPR mentions exercising legal rights as an exemption to the need for a lawful basis.
For the LGPD, exercising legal rights is listed as a legal basis with specific reference to the Brazilian Arbitration Law. Perhaps the most significant difference in justifications between both laws is that the LGPD provides credit protection as a justification, but the GDPR does not.
Age of Consent
In both laws, children cannot consent unless an adult does so on their behalf. The two laws differ on the approved age of consent.
Under the GDPR, the age of consent is 16 years. Under the LGPD, the age of consent ranges between 13 and 18 years on the condition that the processing is in the child’s best interest. If the child is under 13 years, an adult’s consent is necessary.
Data Subject Rights
Except in one instance, data subject rights in the LGPD and GDPR are identical. In both laws, data subjects have a right to a privacy notice. However, the contents are slightly different.
When a data subject requests data subject access, businesses have 30 days (and another 30 days extension) within which to respond under the GDPR and 15 days under the LGPD.
Both laws provide for the right to erasure, covered in the GDPR as the right to be forgotten and in the LGPD across three Articles (5, 16 and 18). In the LGPD, controllers must delete excessive, unnecessary or unlawful data, and data subjects can request deletion if the data were obtained using consent as the justification.
The right to data portability is present in both laws, but the LGPD subjects the availability of the right “to the regulation of the controlling agency”.
While the GDPR grants data subjects the right to object to data processing, especially where justified under consent or legitimate interests, the LGPD makes no such provision. However, data subjects can withdraw their consent under the LGPD. Only the GDPR provides for the right to restriction of processing. The LGPD does not.
Data subjects' rights in relation to automated processing are interpreted differently under both laws. The GDPR has two interpretations.
Some businesses interpret it to mean a ban on the automated processing of personal data. Others interpret it to mean implementing Human in the Loop (HiTL). The LGPD has only one interpretation: mandating HiTL, human intervention, or review for automated decisions with irreversible impacts.
While not explicitly mentioned, both laws are thought to require a “privacy notice” that tells data subjects who the business is, how it collects data, what data it collects and why it is collected.
Both require a privacy notice to contain the name and contact details of the data controller, the purpose for processing, the categories of third-party recipients, storage periods, data subject rights and the right to complain to the authority.
Under the GDPR, the privacy notice must inform data subjects of the justification for processing, while under the LGPD, notification of justification is not required. Under the GDPR, the privacy notice must list the categories of personal data processed, which is unnecessary under the LGPD.
Under the GDPR, businesses making international transfers of personal data must notify data subjects of what safeguards are in place for data protection.
This obligation is absent under the LGPD. The LGPD requires businesses to list the responsibilities of the controllers and processors in the privacy notice. These requirements are not necessary for the privacy notice under the GDPR, although the responsibilities are listed in the law.
Data security is an obligation of the controller and processor under both the LGPD and the GDPR. The LGPD makes it mandatory for businesses to keep a data processing record. Under the GDPR, this is only necessary for businesses with over 250 employees.
The GDPR specifies data security obligations, including pseudonymizing and encrypting data at rest and in transit. The LGPD does not specify what data security obligations include, only mentioning that the data protection authority will guide.
To ensure data security, both laws mandate businesses processing sensitive personal data to conduct an impact assessment first.
Data Breach Notices
Businesses must report a data breach to the data protection authority within 72 hours for the GDPR and a reasonable time for the LGPD.
The content of this report/notice differs. The GDPR notice contains more details, while the LGPD notice needs just the type of data breached and the data subjects affected.
Enforcement and Penalties
The GDPR came into force in 2018, while the LGPD came into force in 2020. Under both laws, data subjects are allowed to enforce their rights in court. Under the GDPR, the appointment of a DPO is optional, while under the LGPD, the appointment of a DPO is mandatory.
Fines under the GDPR range from €10 million ($11m+) to €20 million ($22m+), or 2% to 4% of global revenue. Fines under the LGPD are 2% of gross revenue up to R$ 50,000,000 ($10m+) or a daily fine of R$ 50,000,000. LGPD one-off fines are lower, but the daily fines can stack up quickly!
Most data protection laws resemble the GDPR because it provides an array of reasonable data privacy rights and rules. On the positive side, since most obligations overlap, your business may already be more than halfway compliant with regulations like the LGPD and just needs some tweaks.
At Captain Compliance, we take out the guesswork and provide all you need for holistic compliance at the snap of your fingertips. Contact us today for peace of mind, happy customers and booming business.
Does the LGPD apply to my business?
There is a high chance the LGPD applies to your business because it has extraterritorial reach. The LGPD will apply if your business is established in Brazil, or if it serves Brazilians and processes the data of Brazilian residents even without being established in Brazil.
Does the GDPR apply in Brazil?
Like the LGPD, the GDPR also has extraterritorial scope. This means the GDPR will apply to businesses in Brazil if they offer goods and services to EU residents.
The GDPR and the LGPD differ on this point of extraterritoriality in that the GDPR will apply where the Brazilian business is targeting EU residents.
I already comply with the GDPR; do I still need to comply with the LGPD?
Yes. While most compliance obligations in both laws overlap, some differences and nuances remain. Captain Compliance can help you identify gaps you need to cover.
What is the difference between the GDPR and the LGPD?
There are slight differences, often in wording and interpretation. For example, businesses can rely on ten justifications under the LGPD, but the GDPR provides for only seven.
What happens if I fail to comply with the LGPD?
Data subjects can sue your business, and your business could be liable for 2% of gross revenue, up to R$ 50,000,000 ($10m+), or a daily fine of R$ 50,000,000 ($10m+).