Overview

On 14 August 2018 the president approved, with a partial veto, the Project for a General Law regarding Data Protection (Bill 53/2018).

The bill was published in the Official Journal on 15 August 2018, except for the vetoed excerpts, which mainly concern certain penalties and data processing by the administration. These sections will now be considered by the National Congress. The law will enter into force by February 2020.

Changes to data processing

The law will regulate the processing of personal data in Brazil. According to the law, 'personal data' is defined as data relating to an identified or identifiable individual; in other words, any data that can be used, solely or in conjunction with other information, to identify an individual. According to the law, processing refers to the collection, use, access, reproduction, archiving, storage, disposal and transfer of personal data in online or offline environments.

Before the law was drafted, Brazil had other laws (eg, the Internet Civil Regulation, the Civil Code and the Consumer Protection Code) and principles (eg, the constitutional protection of privacy) that protected personal data. However, such protection was not uniform and this resulted in conflicting interpretations and inconsistent enforcement.

The new law seeks to compile and harmonise these protections in a general multi-sectoral law in order to strengthen the protection of the privacy of individuals and bring legal certainty to business models that involve the processing of personal data. The law will apply to public and private agents. It is hoped that the law will help to foster economic and technological development by modernising Brazil and bringing it into line with international data protection standards – especially now that the EU General Data Protection Regulation has come into force.

The law is also expected to affect many areas of law and introduces the following requirements and protections:

  • The protection granted by the law affects all public and private agents processing personal data.
  • Individuals now 'own' their personal data and must provide specific consent before their data can be processed or shared. Further, the data gathering must relate to the specific goal presented to the user to obtain their consent.
  • The law gives special protection to certain data defined as 'sensitive', including information on individuals':
    • racial and ethnic background;
    • religion;
    • political opinions and affiliations;
    • health and sexual orientation data; and
    • genetic or biometric data.
  • Individuals are free to access their personal data. This will likely increase compliance costs and, as the transfer of databases will need to comply with stricter requirements, this will likely affect transactions involving cooperation and concentration.
  • The personal data should be portable and interoperable. This will likely affect companies that have large personal databases, resulting in commercial strategies based on personal data portability and in standards that may reduce the costs of interoperability.
  • Personal data will need to be processed in a non-discriminatory manner.
  • International companies that do not comply with the law will face restrictions on operating in Brazil.

Penalties for non-compliance

The law also establishes penalties for non-compliance, including, for example:

  • a warning indicating a deadline for corrective measures;
  • fines of up to 2% of the group's revenues in the past fiscal year (limited to Rs50 million);
  • publication of the infraction; and
  • deletion of the affected data.

When a penalty is applied, the safety, technical and administrative measures taken by the data holder before, during and after the incident, as well as any rules of good practice or governance programmes in place, will be considered.

Comment

There have been many recent discussions regarding the law, as companies and the administration start to prepare to adjust the way in which they process personal data. Even though this adaptation may be costly and time-consuming, the enforcement of the law is expected to guarantee greater protection of personal data, increasing confidence in the economic environment in Brazil.

For further information on this topic please contact Bruna Sellin Trevelin at BMA Barbosa Müssnich Aragão by telephone (+55 21 3824 5800). The BMA Barbosa Müssnich Aragão website can be accessed at www.bmalaw.com.br.

This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.