GDPR Goes Global: The Case of Brazil and India

Posted on 19th September 2018

The GDPR has decisively reshaped the global privacy debate, as evident by Brazil and India’s proposed new data protection laws that bear the GDPR’s mark. While harmonising approaches to privacy may make international compliance easier, they also presage how GDPR will provoke an additional wave of new, divergent rules in key markets. It’s worth keeping a weather eye open to what other GDPR-inspired laws may wash ashore.


After several changes in government and nearly eight years of development, Brazil has finally approved a new General Data Protection Law (LGPD). The law replicates GDPR’s tripartite division of data subjects, controllers, and processors, as well as its stringent consent standards.

Under the LGPD, businesses will be required to appoint a Data Protection Officer and citizens will have the right of data portability. Similar to the GDPR, the LGPD will be applicable to organisations with headquarters in Brazil as well as those processing data in Brazil and the personal data of Brazilian residents.

While similar in content to GDPR, the law does not create of a national data protection authority; this line item was vetoed by the Brazilian president, Michel Temer, although a data protection authority will likely eventually be proposed by a successor. The law will take effect in February 2020 and in the meantime, the EU must determine whether Brazil offers an adequate level of protection to approve data flow between the two jurisdictions.


The national government’s ‘Srikrishna Committee’ has issued its long-anticipated draft legislation for a new Personal Data Protection Bill (PDPB).

While not based on the same principle of “fundamental rights” as the GDPR, the PDPB maintains a consent-centric framework. It keeps the tripartite division of data subjects, “data fiduciaries” (controllers), and processors and also seeks to exert broad, extraterritorial jurisdiction, limiting data collection and processing with regards to purpose, necessity, notice, quality, period of storage, and ‘fair and reasonable’ processing.

Alongside this, the draft law offers a new and complex system for cross-border data flow, whereby copies of personal data must be stored in India. Processing “critical” categories of data, as identified by the Indian government, must also take place exclusively in India.

New Burdens on Industry

A proliferation of regulatory regimes with standards that are still incompatible is the worst possible outcome for business. High compliance demands will impose new burdens on global business and data-driven innovation, while fragmentation threatens the ability to operate across borders.

The GDPR represented a radical change in global privacy rules and, regardless of its virtues or flaws, it set the standards for future national regulation across the globe. Nevertheless, while the GDPR may be the first point of departure for upcoming privacy regulations, policy-makers in many places are adding unique features and nationally specific data protection rules that complicate global business. As a wave of shifting global privacy rules approaches, globally engaged companies can’t take their compliance for granted and need to stay on top of new developments.

Want to find out more about what leading companies are doing to comply with new requirements? Watch our “GDPR Goes Global: The Case of Brazil and India” webinar.

GDPR and data protection regimes are just some of the issues that our team advises on. We have the tools to help you stay ahead in this ever-changing regulatory landscape. Find out more about out Data Governance Advisory Tool here.

Back to document archive