New Brazilian General Data Protection Law – GDPR Alignment
Our guest blogger Fernando Bousso, head of Privacy and Data Protection at Felsberg Advogados, a full-service law firm based in São Paulo, Brazil, whose history of more than 45 years is written with dynamism and pioneering in a world in constant transformation, tells Aphaia all about the new Brazilian Data Protection Law.
Brazil has passed a General Data Protection Law (‘LGPD’), which regulates how natural and legal persons can collect, use and process personal data. The bill had been under debate in the National Congress for years and gained weight with the entry into force, in May, of the European General Data Protection Regulation (‘GDPR’) (this is the GDPR viral effect!) and with the Facebook/Cambridge Analytica case.
The new Brazilian data protection law is a major move towards a safe, legal data protection framework since it strengthens and supplements the several other rules concerning privacy and data protection that are scattered and deal, separately, with different scopes of privacy (intimacy, private life, secrecy of communications, etc.).
The new Brazilian data protection law is greatly inspired by the GDPR. It introduces the concepts of personal data, sensitive data, anonymous data, data controller and data processor that are relevant to personal data processing activities, and it establishes ten different lawful bases of processing, which go beyond the prior, express and informed consent of the data subject and include legitimate interest.
In addition, the new Brazilian data protection law sets out general principles, including the purpose principle, according to which personal data processing should be conducted only for legitimate, specific, explicit and informed purposes. It also requires the agents to designate a Data Protection Officer and establishes new rights for data subjects, including the right to access the personal data processed and the right to require the deletion of their personal data from the databases of the entities involved in the processing activities.
Similarly to the GDPR, the new Brazilian data protection law has an extraterritorial scope and applies not only to Brazilian natural and legal persons but to any personal data processing activity, regardless of the medium, country of the company’s headquarters or country where the data is located, if: (i) the processing activities occur in Brazil; (ii) the purpose of the processing is the supply or offering of goods or services to individuals located in Brazil; (iii) the data processed relates to individuals located in Brazil; or (iv) the personal data processed were collected in Brazil.
Also, the new Brazilian data protection law provides certain conditions for international data transfer: a transfer may be based on the adequacy rule, on the data subject’s express and informed consent, or on contractual guarantees provided by the data controller that the rules of the new Brazilian data protection law will be complied with abroad.
Noncompliance with the new Brazilian data protection law may subject the agents responsible for data processing to penalties ranging from a warning to fines of up to 2% of the companies’ revenue in Brazil.
The bill of law contemplated the creation of a National Data Protection Authority, which would be responsible for overseeing and enforcing the rules. However, the President vetoed the creation of the National Authority on grounds relating to the constitutionality of the legislative procedure. Therefore, if the Authority is not created before the new Brazilian data protection law enters into force, enforcement and application of the above sanctions will be subject to judicial decisions. The National Authority, though, is expected to be created soon, via a new bill of law.
The new Brazilian data protection law was sanctioned on Tuesday (14) and published on Wednesday (15) in the Official Gazette, and will now come into effect within 18 months, i.e., in February 2020.