LGPD (Brazilian General Data Protection Law) and GDPR (European General Data Protection Regulation) are laws with very similar goals. They aim at bigger control and transparency regarding the use of personal data by companies and organizations. Within this context, LGPD and GDPR determine how companies must handle and process such data, what rights the information owners have and what penalties apply if the rules are breached.
GDPR is LGPD’s older sister. It's a law that covers the European Union and was implemented in 2018. GDPR is considered a reference, one of the most comprehensive laws when it comes to privacy and data security. On the other hand, LGPD is the Brazilian law that was created based on European legislation. It’ll come into force, however, only in the second half of 2020.
Although both laws have similar purposes, there are important points and a few differences between them that should be highlighted. And that's what we'll talk about today: the main points of comparison between GDPR and LGPD.
LGPD and GDPR: key points of comparison
1. Definition of what's considered personal and sensitive data
Both laws have a similar definition regarding the meaning of personal data. According to GDPR (Article 4) and LGPD (Article 5), personal data is any information related to an identified or identifiable person.
However, there's a type of personal data that is differentiated by the laws, such as racial or ethnic origin, religious belief, and political opinion. This type of data is called by the GDPR "special category of personal data" (Article 9) and by the LGPD "sensitive personal data" (Article 5).
2. Personal data processing
Regarding personal data processing, LGPD is a more specific law than GDPR. According to the European law (Article 6), there are 6 cases in which personal data processing is allowed: owner consent, contract performance, compliance, vital interest, public interest, and legitimate interest.
On the other hand, Brazilian law points out 10 cases (Article 7), adding to the list studies by research agencies, regular exercise of rights in court proceedings, credit protection and health protection.
3. Special and sensitive data processing
Regarding sensitive personal data processing, the Brazilian law states that such data may be processed if companies have the consent of the information owner or in 7 specific cases, such as fulfilling legal obligations and protecting life (Article 11).
In this case, GDPR is more incisive and prohibits the handling of sensitive or special data, setting 10 exceptions, such as data that has already been made public by the owner and legal obligations (Article 9).
4. Children and teenagers' data
The processing of personal data involving children and teenagers differs between the two laws. According to LGPD (Article 14), anyone under the age of 18 must have the consent of a legal representative. Meanwhile, under the European law, the minimum age is 16 (Article 8).
5. Access rights and data protection
Both laws rule that information owners have the right to control their data (LGDP: Article 18, GDPR: Article 12). In practice, they may request data access, portability, correction, and even deletion. In general, companies should provide this service for free.
LGPD says that companies have 15 days to respond to an access request. On the other hand, GDPR stipulates that the deadline is 30 days. European law also states that, in excessive cases, companies may charge for the request taking into account administrative costs.
6. Who the actors are
Both GDPR and LGPD have actors who are people, companies or organizations involved in this whole process of information and data processing and security (LGDP: Article 5, GDPR: Articles 4 and 37). Basically, there are 4 actors: the data owner, the controller, the processor, and the Data Protection Officer (DPO).
7. Data Officer or DPO
Under GDPR, only large-scale data processing companies are required to appoint a DPO (Article 37). In the case of LGPD, the law is broader and says that companies need to define a DPO. However, the Brazilian law states that the supervisory authority may issue rules that dispense with the DPO function depending on the company’s size or the volume of data processed (Article 41).
8. Link between controller and processor
GDPR requires a contract or legal relationship between the controller and the processor, which is responsible for the data processing (Article 28). Brazilian law doesn’t make such a requirement, merely stating that the processor must process the information according to the controller’s instructions (Article 39).
9. Territorial scope
LGPD and GDPR basically apply to any companies and organizations operating respectively in Brazil (Article 3) and the European Union (Article 3). Where these companies are settled doesn't matter.
10. Fines for non-compliance with the law
LGPD's fine is up to 2% of the company's revenue in the previous year, limited to BRL 50 million (approximately EUR 11 million) per infringement (Article 52). GDPR limits fines to EUR 20 million or up to 4% of the company's turnover in the previous year (Article 83).
11. Controller and processor's accountability
In case of problems, according to GDPR, fines and sanctions don't apply to the controller and processor if they prove that they are in compliance with the law or are not responsible for the event that caused the damage (Article 82). In the case of LGPD, a third clause has been added (Article 43). If the damage is solely the fault of the data owner, the controller and processor are acquitted.
12. Security incidents and data breaches
LGPD and GDPR are quite explicit when it comes to security incidents. If a leak occurs, GDPR says that companies must notify the competent authority within 72 hours (Article 33). LGPD doesn't set a deadline but determines that, in addition to the supervisory authority, data owners must also be notified (Article 48).
13. Data protection report
The European law is very clear about the creation of a data protection report. When the information processing may result in a high risk to the rights of the persons involved, the company must create the report (Article 35). On the other hand, the Brazilian law is more generic, saying that the national authority can determine the cases in which the report is required (Article 38).
14. Law enforcement
In the case of Brazilian law, the supervisory authority is referred to as the ANPD (National Data Protection Authority) (Article 55). In the case of GDPR, it's the European Data Protection Board (Article 68).
In practice, if your company is already GDPR compliant, it'll easily be LGPD compliant as well; and vice versa. No major changes are needed since there's a very visible convergence between LGPD and GDPR. In fact, this was already expected, given that the European law is a reference when it comes to privacy and data security regulation.
The fact is that both laws still need time to gain maturity and to be better evaluated. But just for being part of a worldwide movement for a safer and more transparent web, they already deserve our attention.
GDPR and LGPD in full
Read the LGPD clicking here (in Portuguese) and the GDPR clicking here (in English).