“The LGPD replicates the GDPR’s extraterritorial scope and then takes it one giant step further. The LGPD, like the GDPR, applies to processing carried out in Brazil, as well as processing related to the offering or provision of goods or services to individuals in Brazil,” writes Caitlin Fennessy for IAPP, the International Association of Privacy Professionals.
“Importantly…if your company is processing personal data related to individuals in Brazil, the LGPD ( Lei Geral de Proteção de Dados) now applies regardless of the origin of that data.”
Until the ANPD (Brazilian Data Protection Authority) takes action, “companies may be limited to two data transfer mechanisms only — specific and distinct consent and the necessity for the execution of a contract”.
“Since each of the mechanisms listed above has a close relative under the GDPR, the EU’s experience, as well as the experience of other nations that have replicated the EU model, is instructive [may].. offer insight into how the ANPD might operationalize them and the impact that could have on companies.”