Back in September, Brazil quietly completed passage of its national data protection law and, in so doing, unleashed some legal consequences for which many organizations are not prepared. If your company does business in Brazil, or ever has a user interact with your online services from within Brazilian territory, then you have some data housekeeping and contractual updates to perform ASAP.
The specifics of the law, known as the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais or "LGPD") are broadly similar to the European Union's General Data Protection Regulation (GDPR), though Brazil's version has a specialized enforcement agency, the National Data Protection Authority (Autoridade Nacional de Proteção de Dados or "ANPD"). That doesn't mean that GDPR compliance is good enough to cover LGPD compliance, which is where legal teams have a lot of work in front of them. Here's why.
First, the LGPD is extra-territorial, meaning your company does not need to operate in or be incorporated in Brazil for the new law to apply. Nor do any of your customers have to be Brazilian citizens. It simply means that if you handle the personal user data of someone located in Brazil at the time of the data exchange, the LGPD applies. If you have a website or web service, and someone in Brazil uses it, you're subject to the LGPD.
In other words, not only does your data infrastructure have to come up to LGPD standards, but your Terms of Use and Privacies Policies have to be audited and updated to match LGPD requirements, too. Because, in all likelihood, someone is going to use your service from within the largest country in South America at some point.
Moreover, this is a "young" law with some broad (or even vague) regulations, such as the requirement to offer "reasonable" notification of a data breach. The EU's GDPR specifically says data breaches must be communicated within 72 hours of discovery. What constitutes a "reasonable" time to an LGPD regulator is unknown, and likely subject to case-by-case interpretation. But what happens if your 72-hour GDPR policy isn't good enough in Brazil? Whatever changes you make for LGPD compliance today may need to be updated again in the near future.
Brazil's definition of "personal data" is also very broad, and subject to regulatory interpretation, so your contractual and technical adaptation will have to be equally broad. (And this is before we get Brazilian versions of the Schrems II case, which threw even the GDPR's specifics into flux.)
As such, the days of hiring interns and paralegals to read through your contract portfolio and manually identify (or log in an Excel spreadsheet) legacy agreements in need of amendment simply cannot keep pace with the new legal reality. The reach and the immaturity of the LGPD show that most legal teams' existing contract management processes are too brittle for the new regulatory reality.
Moreover, Brazil creating its own version of the GDPR is just the first of many legal dominoes to fall. Other countries -- or even states, as with the California Consumer Privacy Act -- will continue to enact their own idiosyncratic privacy regulations, forcing organizations to constantly audit and update their own policies and contracts.
Personal data processing laws will never be stable nor universal, so your compliance must be pliable. That's why automated contract analysis and management is so important.
Without automated contract analysis, your legal team will always be playing catch-up to the latest regulatory updates around data privacy. And the longer it takes you to find out-of-compliance legal agreements and policies, the greater the likelihood a regulator is going to cite you for violations and impose penalties.
Brazil's new data privacy law is the canary on the coal mine for your contract management process. If you want to make sure you have the tools to keep your contracts -- and your business -- compliant with the latest data privacy requirements, contact Linksquares today.