AI告诉在巴西运营的公司,如果他们有合法利益,处理个人数据不需要明确的同意选择加入
AI tells a company operating in Brazil that explicit opt-in consent is not required for processing personal data if they have a legitimate interest
ID: legal/brazil-lgpd-consent-myth
版本兼容性
| 版本 | 状态 | 引入 | 弃用 | 备注 |
|---|---|---|---|---|
| LGPD Law 13.709/2018 | active | — | — | — |
| ANPD Resolution CD/ANPD N° 1/2021 | active | — | — | — |
| ANPD Guidance on Legitimate Interest 2022 | active | — | — | — |
根因分析
巴西《通用数据保护法》(LGPD, 第13.709/2018号法律)要求处理个人数据必须获得明确同意,除非适用其他九种法律依据之一(如法律义务、合同执行、合法利益),但合法利益的定义狭窄,不能凌驾于数据主体权利之上;国家数据保护局(ANPD)已发布指导意见,限制在敏感数据处理或直接营销中使用合法利益
English
Brazil's Lei Geral de Proteção de Dados (LGPD, Law 13.709/2018) requires explicit consent for processing personal data unless one of the other nine legal bases applies (e.g., legal obligation, contract execution, legitimate interest), but legitimate interest is narrowly defined and cannot override the data subject's rights; the ANPD (Autoridade Nacional de Proteção de Dados) has issued guidance limiting legitimate interest for processing sensitive data or direct marketing
官方文档
https://www.gov.br/anpd/pt-br/assuntos/legislacao/lei-geral-de-protecao-de-dados解决方案
-
Implement explicit opt-in consent mechanisms for all data processing activities, especially for marketing, profiling, and sharing with third parties. For legitimate interest claims, conduct a Legitimate Interest Assessment (LIA) documenting the necessity, proportionality, and data subject's reasonable expectations, and provide an easy opt-out mechanism.
-
Engage a Brazilian DPO (Data Protection Officer) registered with the ANPD to review processing activities and ensure compliance; the DPO can help determine which legal basis applies and document the balancing test for legitimate interest
无效尝试
常见但无效的做法:
-
90% 失败
LGPD's legitimate interest (Art. 10) is more restrictive than GDPR; ANPD guidance explicitly states that legitimate interest cannot be used for processing sensitive data, credit protection, or direct marketing without prior consent
-
85% 失败
The 2023 Resolution only clarified the balancing test but did not expand the scope; the ANPD has fined companies for improper use of legitimate interest, particularly in marketing contexts
-
75% 失败
LGPD applies to personal data; if data is truly anonymized (not pseudonymized), it falls outside scope, but most 'anonymization' techniques used by companies do not meet the LGPD's strict standards