Related People: Alistair Ho, Trainee Solicitor, Mayer Brown
As Brazil's Data Protection General Law ("LGPD"), which entered into force on September 20, 2020, was mostly inspired by the European General Data Protection Regulation ("GDPR"), the two laws are similar in key areas, including: fundamental principles, scope, definitions of controllers and processors and data subjects' rights. However, differences exist in how they address extraterritoriality.
In the European Union ("EU"), the GDPR applies, by virtue of Article 3, to processing: (1) in the context of the activities of an establishment in the EU, regardless of whether the processing takes place in the EU or not (the "Establishment Criterion"); or (2) where the personal data of people located in the EU (regardless of nationality) is processed by a non-EU controller, if the processing relates to (a) the offering of goods and services to such persons in the EU, or (b) the monitoring of their behaviour in the EU (the "Targeting Criterion").
The GDPR differs from the LGPD in that it applies to processing carried out in the context of the activities of an establishment in its jurisdiction, as opposed to processing activities performed within that jurisdiction. The Establishment Criterion means that processing may still be caught where undertaken by a controller/processor outside of the EU if it is sufficiently linked to the activities of its EU establishment. For instance, if a Chinese controller processes personal data in relation to its Swedish subsidiary's marketing campaign in EU markets, the Chinese controller's processing of that personal data would likely be subject to the GDPR. This analysis should be undertaken on a case-by-case basis for each processing activity.
The definition of what an "establishment" is for the purposes of Article 3(1) GDPR is broad, with guidance stating that "the notion of establishment extends to any real and effective activity — even a minimal one — exercised through stable arrangements" [1]. While an EU branch or subsidiary is likely to constitute a "stable arrangement", so too can a single EU-based employee or agent if acting with a sufficient degree of stability (and the processing is in the context of their activities). Both the degree of stability of the arrangements and the effective exercise of the economic activities must be considered.
The absence of an establishment in the EU does not necessarily mean that processing activities will be excluded from the scope of the GDPR, since the Targeting Criterion applies to a controller or processor not established in the Union, depending on their processing activities. The Targeting Criterion largely focuses on what the processing activities relate to and should be considered on a case-by-case basis. The processing must relate to the personal data of natural persons located in the EU at the moment the relevant trigger activity takes place, i.e. the moment a good or service is offered or the moment the behaviour is being monitored.
Notably, the offer of goods or services under Article 3(2)(a) GDPR must be intentional, not incidental or inadvertent. For instance, if a U.S. company offers web-based content exclusively to U.S. subscribers, and one such subscriber continues to use its services whilst on holiday in Germany, this will not amount to an intentional offer of services to a data subject located in the EU, as it is inadvertent. Similarly, not all online collection or analysis of personal data of individuals in the EU would automatically count as "monitoring" under Article 3(2)(b) GDPR. It will be necessary to consider the controller's purpose for processing the data and, in particular, any subsequent behavioural analysis or profiling techniques involving that data.
In Brazil, the LGPD defines, in Articles 3 and 4, item IV, its scope of territorial application; the LGPD is applicable to processing activities performed not only in Brazil but also in other countries in certain cases. Extraterritoriality applies to processing operations that (i) aim to offer or supply goods and services to people located in Brazil; (ii) process the personal data of people located in Brazil; or (iii) process personal data that has been collected in the Brazilian territory. Moreover, the LGPD clarifies that this extraterritoriality applies regardless of where the processing company is headquartered or the data is stored.
It is noteworthy that there is controversy around whether item (ii) is in fact another limb of the LGPD's extraterritorial application or not. Item II of the LGPD's Article 3 provides: "This Law applies to any processing activity carried out by either a natural person or legal entity of either public or private law, regardless of the means or the headquarters' country or the country where the data are located, as long as (…) II – the process activity aims to offer or supply goods or services or the data processing of individuals located in national territory."
It is noticeable that the legislator chose an alternative conjunction ("or") when drafting item II, which means it is not clear whether the data processing of individuals located in Brazil constitutes a separate provision or not. In light of this ambiguity, and given that there is still no guidance from the National Data Protection Authority ("ANPD") on the point, a conservative reading of the item is recommended, interpreting it as a distinct provision.
Therefore, the LGPD has a fairly broad extraterritorial scope, posing an even bigger challenge to foreign companies that fit any of the three conditions listed above. When interpreted as a distinct provision, the LGPD would apply to processing of all personal data collected in Brazil, regardless of the purposes for which it was collected and/or processed. This implementation would create broader extraterritorial application than that found in the GDPR.
Such implementation also brings repercussions for the ANPD's performance—and that of other authorities, especially the public prosecutor and those who act in consumers' defence—in cases of noncompliance with the LGPD, and even for the data subjects themselves in exercising their rights. The LGPD does not require foreign companies to appoint a representative in Brazil, as the GDPR does in Article 27 where the GDPR applies but the company has no EU establishment. Under the GDPR, an action can be brought against the representative for the failings of the company. Thus, the enforcement of the LGPD against foreign companies, which would be challenging in itself, becomes even more difficult due to the absence of a company representative in Brazil.
It is noteworthy, then, that it is not yet clear how the LGPD's extraterritorial application will play out. Despite the LGPD being in full force, guidance regarding the interpretation and implementation of its essential provisions is currently lacking. How these provisions are implemented directly affects companies, especially those not located in Brazil. Such tasks, which are the responsibility of the ANPD, remain on hold until that entity begins to issue guidance on the LGPD.
[1] European Data Protection Board, "Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – version 2.1", adopted on 12 November 2019, p. 6, https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf.