On August 14, 2018, less than three months after the coming into force of the European General Data Privacy Protection Regulation (“GDPR”), the President of Brazil sanctioned, with partial veto, bill PLC 53/2018, which regulates the protection of personal information and outlines how personal information can be collected and processed by both private companies and public authorities.
Almost all South American countries currently have laws in place for the protection and regulation of personal data. Interestingly, certain countries in Latin America, such as Chile, Colombia, Costa Rica, Peru, Uruguay and Argentina, currently stand out for having laws in place that are similar to the GDPR.
Although Brazil had previously tried to regulate data privacy through bills proposed in 2012 (PL 4060/2012) and again in 2016 (PL 5276/2016), no legislation was ever passed. The worldwide movement towards enacting data protection laws, including the GDPR, combined with being a jurisdiction with one of the highest number of Internet users in the world, resulted in mounting pressure for Brazil to regulate the collection, storage and use of personal data, especially data that is shared on the Internet.
The new bill 53/2018 (the “Brazilian Data Protection Law”) is an improved combination of bills PL 4060/2012 and PL 5276/2016, and includes many provisions similar to those of the GDPR. It contains 10 chapters with 65 articles which define how personal data can be collected and handled in Brazil, especially with respect to digital media.
Summary of Bill
The Brazilian Data Protection Law outlines the manner in which personal data about Brazilian domiciled individuals can be collected and handled by private companies and the government, especially through digital platforms. Similar to the GDPR, it provides that individuals have the right to view, correct and delete their data, including any personal information such as posts and photos shared on social media accounts. It also provides that no data shall be used, processed, profiled and commercialized without the prior consent of the individuals, which must be given freely and unequivocally.
The Brazilian Data Protection Law also requires private companies and government bodies to appoint a privacy officer and to conduct Privacy Impact Assessments as a means to mitigate privacy related risks. Further, in the event of a cybersecurity incident, notifications must be made both to the data protection authority and to affected data subjects.
While the Brazilian Data Protection Law will apply to Brazilian based corporations and government entities, it is similar to the GDPR in that it will have extraterritorial scope, meaning it will apply to companies with headquarters abroad, as long as the data processing operations target Brazilian domiciled individuals.
International data transfers will be permitted only where the country of destination has a level of protection comparable to Brazilian Data Protection Law or when the company responsible for the data acquisition can demonstrate that it can guarantee the same level of protection by way of contracts or corporate policies.
Prohibitions and Penalties
The Brazilian Data Protection Law establishes penalties for infractions. Non-compliance with the requirements of the GDPR could result in fines of up to R$50 million (approximately US$13,000,000) per infringement, in addition to a partial or total suspension of any activities related to data processing.
The Brazilian Data Protection Law is the most recent example, following the GDPR and the recently adopted California Consumer Privacy Act of 2018, whereby international privacy and data protection standards are reinforced and their extraterritorial scope is becoming the norm. Given the size of the Brazilian market, Canadian businesses engaged in the collection, use or disclosure of personal information of Brazilian domiciled individuals will need to comply with these new privacy requirements.
Co-authored with Eliane Leal da Silva, Student Intern