Brazil: Offering Goods and Services to Data Subjects in Jurisdiction

The General Personal Data Protection Law (LGPD) in Brazil applies to processing activities aimed at offering goods or services to individuals located in Brazil, regardless of the location of the data controller or processor.

Text of Relevant Provision

LGPD Article 3, Paragraph II states:

"II – the processing activity is aimed at the offering or provision of goods or services, or at the processing of data of individuals located on the national territory; or"

(Original language: "II – a atividade de tratamento tenha por objetivo a oferta ou o fornecimento de bens ou serviços ou o tratamento de dados de indivíduos localizados no território nacional; ou")

Analysis of Provision

The provision extends the LGPD's applicability to processing activities that target individuals in Brazil, even if the data controller or processor is located outside the country. This is evident from the phrase "aimed at the offering or provision of goods or services" ("tenha por objetivo a oferta ou o fornecimento de bens ou serviços"), which indicates an intentional targeting of the Brazilian market.

The provision also covers "the processing of data of individuals located on the national territory" ("o tratamento de dados de indivíduos localizados no território nacional"), further emphasizing the law's focus on protecting Brazilian residents' data, regardless of the data processor's location.

This approach aligns with other modern data protection laws, such as the EU's GDPR, which also apply to non-domestic entities that target residents of the jurisdiction in question. The rationale is to ensure that Brazilian citizens' data rights are protected even when they interact with foreign companies, closing potential loopholes in data protection based on a company's geographical location.

Implications

  1. Extraterritorial application: Companies outside Brazil offering goods or services to Brazilian residents must comply with the LGPD, even if they have no physical presence in the country.
  2. Market targeting: The law likely applies when a company specifically targets the Brazilian market, for example:
    • Offering a website in Portuguese
    • Using Brazilian currency (Real) for pricing
    • Providing Brazil-specific domain names or contact information
  3. Online businesses: E-commerce platforms, digital service providers, and online marketplaces targeting Brazilian consumers must ensure LGPD compliance.
  4. Data processing location irrelevant: The physical location where data processing occurs does not affect the law's applicability if the processing is aimed at Brazilian residents.
  5. Compliance requirements: Foreign companies targeting the Brazilian market need to implement LGPD-compliant data protection measures, including appointing a Data Protection Officer and establishing mechanisms for data subject rights.
  6. Potential exceptions: Companies not actively targeting the Brazilian market but incidentally processing data of Brazilian residents (e.g., a tourist using a foreign service while abroad) may not fall under this provision's scope.

Jurisdiction Overview