How Brazil’s new General Data Protection Law could affect Asian companies

Back to Asia Pacific Regional Forum publications

Leopoldo Pagotto
FreitasLeite, São Paulo
pagotto@freitasleite.com.br

Eric Nakahara
FreitasLeite, São Paulo
enakahara@freitasleite.com.br

 

There has generally been no reason for a company located in Asia to worry about Brazilian legislation. However, due to the rapid advancement of technology and globalisation, the conduct of corporations has begun to have impacts beyond geographical boundaries, and countries have started to address this issue by encouraging extraterritorial reach in their legislation.

It is becoming almost a standard that the most of newly-passed personal data protection legislation around the globe to adopt extraterritorial reach. After all, the internet plays a major role in how personal information is processed in almost every single company and country worldwide.

Given this situation, Brazil’s General Data Protection Law (LGPD), loosely inspired by the European Union’s GDPR, has set its regulations applicable to any individual or organisation, private or public, regardless the country where the entity’s headquarters is based or the country where the data is located. Furthermore, the LGPD applies if the processing of personal data: is carried out in Brazil; has the purpose of offering or supplying goods and services to or the processing of personal data of individuals located in Brazilian territory; or involves personal data collected in Brazil.

In other words, the LGPD applies to Asian companies as long as they have an affiliate or subsidiary in Brazil, offer goods or services in the Brazilian market, or collets the personal data of individuals located in Brazil.

The LGPD will come into force shortly and represents a watershed on how privacy of the individual is treated in Brazil. The population will enjoy greater control and independence over their own personal information, which may only be processed, collected, and stored under strict rules imposed by the new legislation.

The LGPD also provides a clear and detailed framework for international transfers of personal data, which can only be authorised at a corporate level under the following circumstances:

• to countries or international organisations that provide a degree of protection of personal data which is adequate with LGPD standards;

• when the controller offers and proves guarantees of compliance with the principles and rights of individuals and the regime provided by LGPD (ie, contractual clauses, global corporate norms, certificates);

• when the individual has given their specific consent for the transfer, with prior information about the international nature of the operation, clearly distinguishing it from other purposes; and

• when the personal data is necessary for complying with legal obligations or to execute an agreement in which the data subject is a party.

The considerable distance between Brazil and Asia does not mean that there is low risk of enforcement.Brazil is one of the main recipients of Asian outward investments due to the size of its internal market. An increasing number of Asian companies own assets in Brazil. For example from 2007 to 2018, China invested more than US$57bn in Brazil, accounting for 49 per cent of the total investment on Latin America.[1] Asian companies must bear in mind that all these investments are subject to fines imposed by Brazil’s data protection authorities. The sanctions for non-compliance with LGPD can include fins of up to two per cent of the company’s, group’s or conglomerate's turnover in Brazil in its most recent fiscal year, excluding taxes, limited to the amount BRL50m per violation (approximately US$9.36m) and/or the total ban of activities relating to data processing.

Another reason to be cautious is the fact that Brazil’s data protection authority has yet to be created, which means that it is not possible to identify how the extraterritorial enforcement and data transfer will take place. Asian companies could be targeted by the new Brazilian authority since, according to the French Data Protection Authority (CNIL),[2] most Asian countries still do not ensure an adequate level of data protection recognised by the EU.

As major investors in Brazilian infrastructure projects, Asian companies such as power companies with millions of consumers and their personal information, could come under the radar of Brazil’s data protection authorities. This is exactly why Asian companies and investors should worry about the Brazilian market: there is a unique combination of legislation and enforcement in Brazil that is difficult to predict and diverges a great deal from each case, and shortly, LGPD will become a significant part of this regulatory system.



Notes

[1] Tulio Cariello, ‘Chinese investments in Brazil 2018: Brazilian framework in a global perspective’, Brazil-China Business Council, available at: http://cebc.org.br/download/4229/l, last accessed 20 August 2020 (in Portuguese).

[2] CNIL, ‘Data Protection around the world’, available at: https://www.cnil.fr/en/data-protection-around-the-world, last accessed 20 August 2020.