By Leonardo Neri

A prominent topic in the national legal-economic scenario, the General Law for the Protection of Personal Data (Law No. 13,709, of August 14, 2018 – LGPD) was sanctioned with the aim of addressing problems related to the storage, collection and transmission of individuals' personal data, as well as allowing greater control by the regulatory body, thus empowering the consumer, since it guarantees protection, mainly, in terms of access, elimination and revocation of consent.

In line with the legislation of the group of countries that have adopted a General Data Protection Law, the internal legal regulations were inspired by the regulations in force in Europe (General Data Protection Regulation – GDPR), which aims precisely at the protection and privacy of the data of all individuals in the European Union and the European Economic Area. It is important to connect the LGPD with the GDPR, since it could, according to the text of the European law, prevent the sharing and transfer of data to Brazil, harming the development of the Brazilian economy.

The LGPD has several points of convergence with the GDPR, so that consent is vehemently safeguarded and protected by both laws. Informing data subjects about possible incidents, proof of consent, data portability, indication and responsibility of agents responsible for data operation and security rules for storage, transmission and handling are essential points regulated by the LGPD and also included in the GDPR regulations.

Despite having more similar points, some differences are clear when comparing the two laws. Unlike the LGPD, the first law to govern the subject in a broader manner, the GDPR has legislative support of around 25 years, which deals with the issue of protection and security of personal data in detail, with the European law being more incisive on certain points than the Brazilian law. Another difference is that the LGPD, in a concise manner, concerns itself with relating the definition of “sensitive data”, provided for in article 5, item II, of the aforementioned law, while the GDPR, in a specific manner, defines terms such as “biometric data”, “health data” and “genetic data”. Thus, the LGPD presents a more superficial definition of the term, while the European regulation defines them in a more detailed manner.

Other differences are present in the comparison between the laws, such as the relationship between Controller and Operator, addressed in the GDPR the need to formalize, by means of a contract or valid legal act, the link between the Operator and the Controller, providing for the matters contained in the contract, while the LGPD points out the need for the Operator to process data according to the instructions of the Controller, but does not require the formalization of the link. Another difference is highlighted in the treatment of the topic of “Direct Marketing”, which is addressed specifically by the GDPR, guaranteeing the right of the data subject to the possibility of opposing the processing of their personal data, in the direct marketing relationship, while Brazilian legislation applies general rules of consent, objection and security of the holders of personal data.

Therefore, the LGPD is greatly influenced by the GDPR, despite the significant differences between them. It is also important to emphasize the need to propose a law that specifically addresses a topic of such importance today, especially with the evolution of the internet and new technologies. The General Personal Data Protection Law, in this way, emphasizes the regulation of important topics, empowering the consumer, as well as imposing severe fines in case of non-compliance (ranging from 2% of gross revenue to R$$ 50 million per violation), giving the regulatory body a role of utmost importance, despite being absent in the way the LGPD was approved, as provided for in the GDPR, a fact that should be further debated in relation to the practical consequences in the implementation of the national standard.