Brazil has a new data protection law – GDPL. What’s in it?
The Brazilian General Data Protection Law - GDPL is a new data privacy law that will apply to businesses (both inside and outside Brazil) that process the personal data of users located in Brazil.
The Brazilian General Data Protection Law - GDPL (Lei Geral de Proteção de Dados) is a new data privacy law that will apply to businesses (both inside and outside Brazil) that processes the personal data of users located in Brazil. It is expected that the new law will take effect on August 16, 2020. Ongoing discussions in the Brazilian government may change the LGPD effective application date.
The LGPD is Brazil’s first comprehensive data protection regulation and it is largely aligned to the EU General Data Protection Act (GDPR). Certain LGPD provisions were already amended since its enactment, including the postponement of its enforceability to August 2020 and the creation of the National Data Protection Authority (ANPD).
Prior to the LGPD, data privacy regulations in Brazil consisted of various provisions spread across Brazilian legislation. For example, Federal Law no. 12,965/2014 and its regulating Decree no. 8,771/16 (together, the Brazilian Internet Act), which imposes some requirements regarding on security and the processing of personal data and other obligations on service providers, networks and applications providers, as well as rights of Internet users.
General provisions and principles applicable to data protection are also found in:
The Federal Constitution
The Brazilian Civil Code, and
Laws and regulations that address
Particular types of relationships (eg, Consumer Protection Code  and employment laws)
Particular sectors (eg, financial institutions, health industry, or telecommunications), and
Particular professional activities (eg, medicine and law)
Additionally, there are laws on the treatment and safeguarding of documents and information handled by governmental entities and public bodies.
The LGPD applies to any processing operation carried out by a natural person or a legal entity, of public or private law, irrespective of the means used for the processing, the country in which its headquarter is located or the country where the data are located, provided that:
The processing operation is carried out in Brazil
The purpose of the processing activity is to offer or provide goods or services, or the processing of data of individuals located in Brazil, or
The personal data was collected in Brazil
On the other hand, the law does not apply to the processing of personal data which is:
Carried out by a natural person exclusively for private and non-economic purposes
Performed for journalistic, artistic or academic purposes
Carried out for purposes of public safety, national security and defense or activities of investigation and prosecution of criminal offenses (which will be the subject of a specific law), or
Originated outside the Brazilian territory and are not the object of communication
Shared data use with Brazilian processing agents or the object of international transfer of data with another country that is not the country of origin, provided that the country of origin offers a level of personal data protection adequate to that established in the Brazilian law.