Law n.º 13.709, General Data Protection Law

Establishing the general principles and rules for the protection of personal data
Document type
Luiz Fernando
Marrey Moncau
Felipe Octaviano
Delgado Busnello

The Brazilian General Data Protection Law (Lei Geral de Dados Pessoais – LGDP) is the result of Bill 5276/2016, based on an online public consultation organized by the Brazilian Ministry of Justice, which collected more than 1,000 contributions from various stakeholders. It was enacted on August 14th, 2018.

The law is deeply influenced by the European Union Data Protection Directive (Directive 95/46/EC), which was in force during the consultations, and also borrows much from the European General Data Protection Regulation, which was under discussion at the time. It enshrines core principles for the processing of personal data. It encompasses the activities of both the private and public sector, and creates a data protection entity that would be responsible for creating norms, supervising, and enforcing data protection legislation.

According to Article 2, the LGDP pertains to (i) respect for privacy; (ii) informed self-determination; (iii) freedoms of expression, information, honour, and opinion; (iv) the guarantee of honour and image rights; (v) economic development and innovation; (vi) freedoms of enterprise and competition, and consumer defence; and (vii) human rights, freedom of development of personality, dignity, and the exercise of citizenship rights by natural persons.

It regulates data collection and treatment, with special regulations for data pertaining to minors, and for termination. It also regulates the liability of various classes of entities, similar to the European GDPR.

Compared to the European GDPR, the Brazilian law has milder sanctions for violations of data protection rules. Like its European counterpart, it also privileges informed consent over free use, and links the gathering and treatment of data to the purpose of such acts.

The bill provided for the creation of a National Data Protection Authority, which would be within the Ministry of Justice, and would be responsible for regulating, fiscalizing, and promoting data protection. These provisions were vetoed by the President when the bill was enacted, as the creation of such an entity is within the purview of the President of the Republic. However, the President has publicly stated he plans to enact a decree with similar content.

Topic, claim, or defense
Privacy or Data Protection
Document type
Issuing entity
Legislative Branch
Type of service provider
General or Non-Specified
OSP obligation considered
Block or Remove
Type of law
General effect on immunity
General intermediary liability model