7 important details between the LGPD (Brazilian) and the GDPR (European)

The European GDPR as inspiration for the Brazilian LGPD

The General Data Protection Law (LGPD) and the Data Protection Regulation (GDPR) are very similar pieces of legislation, but their difference is the Data Privacy Officer (data controller) that the GDPR predicts, unlike the LGPD, which is still waiting for Congress to approve.

The GDPR is the updated version of another European Union privacy law, called the “Data Protection Directive”, which has been in force since 1995. The GDPR has legal protection and the Data Protection Directive is just a guide for good practices.

The European Union considers the protection of personal data as a right of any person living or being within the European territory. Therefore, if the person is a Brazilian and is in Europe, their data will be secured by the GDPR just because they are on European soil.

The LGPD complements the Civil Rights Framework for the Internet (Law 12,965 / 14) and comes to light at a moment marked by large leaks of information that involve the misuse of personal information.

In general terms, the two pieces of legislation are very similar, since both deal with the Privacy issue, defining the protection of personal data present in corporate databases.

The main proposal is that the individual’s right to know what information they provide to the services they use is fulfilled. In addition, the entity must explain why it requests certain data to the customer, and for what purpose they will be used.

7 important details between the LGPD (Brazilian) and the GDPR (European)

Despite the similarity, the Brazilian legislation has some more specific items. Here are seven important details about the rights guaranteed to Brazilians:

1. be informed of the collection and sharing of your data whenever it occurs;
2. full access to your data, including the possibility of correcting them;
3. request that your data stay anonymous;
4. guarantee of data blocking or deletion;
5. have the option of disallowing cookies when accessing a website and receive information stating that this compromises the browsing performance and customization;
6. request the interruption of communications and rest assured this is respected;
7. review automatic algorithmic decisions about your data, with the right to request a human review.

Differences between the penalties provided for in the LGPD and those of the European law (GDPR)

Regarding the penalties, in the Brazilian LGPD, the penalties for non-compliance range from 2% of gross revenue to R$ 50 million (per violation).

In the European GDPR, the company can receive from a simple notice up to a fine of € 20 million or up to 4% of the company’s annual global revenue, whichever is greater.

In January of this year (2019), French CNIL, based on the GDPR, sued Google for € 50 million (estimated at $ 57 million) for the supposed breach of privacy rules contained in the law (in force in the EU since May/2018).

CNIL’s investigation began from a series of civil actions filed by privacy activist Max Schrems, who stated the following:

“We welcome the fact that, for the first time, the European Data Protection Authority is using the opportunities offered by the GDPR to punish gross violations of the law. After the introduction of the GDPR, we have found large companies that, like Google, simply interpret the law differently and constantly adapt their products superficially.”

(Original version: “Nous nous félicitons de ce que, pour la première fois, l’autorité européenne de protection des données utilise les possibilités offertes par le GDPR pour punir les infractions flagrantes à la loi. Après la mise en place du GDPR, nous avons trouvé de grandes entreprises qui, comme Google, interprètent simplement la loi différemment et adaptent constamment leurs produits de manière superficielle.”)

The GDPR and its impacts on Brazilian companies

In order to comply with the two regulations, technological solutions such as senhasegura – a management solution for privileged access, which automates all access management of privileged users, including the recording of sessions for later auditing, among other features – are fundamental for the success of a data management strategy.

The enactment of the law puts Brazil in the list of more than 100 countries that today may be considered adequate to protect the privacy and the use of data.

These regulations related to data privacy are very positive because they seek to bring a balance between the protection of personal data, the dignity of a human being, the privacy, honor and the image of people, as well as free initiative, and economic use of data in a legitimate, responsible, proportional, and reasonable way.