Published on 29/01/2020

Attention gamers, the General Data Protection Law (LGPD) is fast approaching – Be ready to be compliant by August

Yesterday (28/01), we celebrated International Data Protection Day. This date aims to promote education and awareness about the rights and obligations related to the use of personal data and about the need to protect privacy.

In this spirit, it’s important to remember that the enforcement date of the Brazilian General Data Protection Law (LGPD – Federal Law nº 13.709/2018) is less than 7 months away. For that reason, we have prepared a brief summary of all you need to know to begin assessing the impacts of this law on your company.

What is the Brazilian General Data Protection Law?

The LGPD is the first Brazilian legislation designed exclusively to regulate personal data in Brazil. Its provisions were heavily influenced by the European General Data Protection Regulation (“GDPR”) and will have a deep impact on the way that personal data collected from Brazil is used.

When will the law come into force? August 2020.

Will the law apply to foreign companies?

Yes, if you process data collected in Brazil or your activity implies the offering of goods and services to Brazil, the LGPD will apply. Brazilian Law will apply to data protection irrespective of a choice of law clause (actually this is true already, due to the Brazilian Framework for the Internet Law).

Are there rules on international data transfers?

Yes, similar to the GDPR, but in the absence of the National Data Protection Authority we still do not have standard contractual clauses or ways to approve Global Corporate Rules.

Are there rules on the processing of data of minors?

Yes, among others, processing is contingent on the consent of the parents and legal guardians. Controllers must make all reasonable efforts to verify that consent was validly given by a parent, considering the technology available. Different treatment may be provided for children (under 12) and adolescents (between 13 and 17), but currently this is still not clear.

Is the game industry targeted?

Yes, the law states that data controllers cannot condition the participation of children in games and applications on the supply of more data than strictly necessary for their activities.

What happens if you are not compliant by August 2020?

Penalties vary from warnings to fines (limited to R$ 50 mm), elimination or blockage of data obtained unlawfully, suspension of activities pertaining to the processing of data and publicization of the infraction.

I’m already compliant with the GDPR and CCPA, should I be concerned?

Yes, we recommend reviewing your Privacy Policy to make sure you are also compliant with the LGPD. Adjustments may be minor, but still relevant to ensure compliance. You should also be aware of the impact of local interpretation of the provisions of the law. Finally, and we cannot stress this enough, if your policy is not in Portuguese, it will likely not be legally binding.

How do I become compliant in Brazil?

Most of what we mentioned above applies. We recommend reviewing all documents that regulate and affect the processing of data in Brazil. From securing legal grounds to ensuring data minimization and data subject rights, you should be aware of it all.

Our Data Protection team is available to assist our clients in the process of ensuring compliance with the LGPD, including in:

(i) the performance of gap analysis, so companies have a clear picture of the data flow of their company;

(ii) review of agreements and contractual clauses;

(iii) drafting of internal data protection policies;

(iv) monitoring and updating of internal policies and their implementation;

(v) structuring of operations that involve data protection;

(vi) consulting in the development of products and services that comply with the requirements of the LGPD.