We would like to ensure that you are still receiving content that you find useful – please confirm that you would like to continue to receive ILO newsletters.
18 September 2018
On 14 August 2018 the president approved, with a partial veto, the Project for a General Law regarding Data Protection (Bill 53/2018).
The bill was published in the Official Journal on 15 August 2018, except for the vetoed excerpts, which mainly concern certain penalties and data processing by the administration. These sections will now be considered by the National Congress. The law will enter into force by February 2020.
The law will regulate the processing of personal data in Brazil. According to the law, 'personal data' is defined as data relating to an identified or identifiable individual. In other words, any data that can be used, solely or in conjunction with other information, to identify an individual. According to the law, processing refers to the collection, use, access, reproduction, archiving, storage, disposal and transfer of personal data in online or offline environments.
Before the law was drafted, Brazil had other laws (eg, the Internet Civil Regulation, the Civil Code and the Consumer Protection Code) and principles (eg, the constitutional protection of privacy) that protected personal data. However, such protection was not uniform and this resulted in conflicting interpretations and inconsistent enforcement.
The new law seeks to compile and harmonise these protections in a general multi-sectoral law in order to strengthen the protection of the privacy of individuals and bring legal certainty to business models that involve the processing of personal data. The law will apply to public and private agents. It is hoped that the law will help to foster economic and technological development by modernising Brazil and bringing it into line with international data protection standards – especially now that the EU General Data Protection Regulation has come into force.
The law is also expected to affect many areas of law and introduces the following requirements and protections:
The law also establishes penalties for non-compliance, including, for example:
When a penalty is applied, the safety, technical and administrative measures taken by the data holder before, during and after the incident, as well as any rules of good practice or governance programmes in place, will be considered.
There have been many recent discussions regarding the law, as companies and the administration start to prepare to adjust the way in which they process personal data. Even though this adaptation may be costly and time consuming, the enforcement of the law is expected to guarantee greater protection of personal data, increasing confidence in the economic environment in Brazil.
For further information on this topic please contact Bruna Sellin Trevelin at BMA Barbosa Müssnich Aragão by telephone (+55 21 3824 5800) or email (firstname.lastname@example.org). The BMA Barbosa Müssnich Aragão website can be accessed at www.bmalaw.com.br.
The materials contained on this website are for general information purposes only and are subject to the disclaimer.
ILO is a premium online legal update service for major companies and law firms worldwide. In-house corporate counsel and other users of legal services, as well as law firm partners, qualify for a free subscription.
Bruna Sellin Trevelin