The Brazilian General Data Protection Law (the “LGPD”—Lei Geral de Proteção de Dados) came into effect in September 2020.
Given the LGPD’s relatively recent adoption, there has been uncertainty surrounding how public authorities and courts in Brazil will interpret and apply the law. On February 27, 2023, the Brazilian national data protection authority (the “ANPD” Autoridade Nacional de Proteção de Dados) addressed some of this uncertainty when it issued sanctioning guidelines for the LGPD (the “Sanctioning Guidelines”). The Sanctioning Guidelines offer insight into the types of sanctions companies may face and the factors the ANDP will consider when imposing such sanctions.
Notably, the LGPD applies not only to Brazilian companies, but also to U.S. and other foreign entities that process data collected in Brazil or offer any goods or services associated with data in Brazil.
By the same token, Brazilian companies processing data of U.S. residents are exposed to U.S. data privacy laws, which are more developed—yet still in flux. While the regulation and enforcement of data privacy in the United States can differ depending on the U.S. state and industry, the growing enforcement of data privacy by various regulators in the U.S. offers a potential playbook for the possible sanctions companies may face in connection with the ANDP’s enforcement of the LGPD.
Taking into account recent developments in both countries, we provide here an overview of the Brazilian data privacy rules and contrast them with equivalent rules in the U.S.