On Aug. 14, 2018, Brazil enacted its first data privacy protection legislation, which provides protection of the data of individuals. The General Data Privacy Law will become effective on Aug. 14, 2020.
The law (Law No. 13.709/2018) is the first legislation in Brazil that provides data protection of individuals. The law was largely inspired by the European Union’s General Data Protection Regulation (GDPR).
Among other important provisions, the Brazilian law:
- defines the term “personal data";
- establishes the principles that govern the use of “personal data” by specifying how the information must be treated, the rights of the subjects of the personal data, the duties and obligations of the individual and private and public entities responsible for the protection of the data; and
- provides for the penalties applicable in case of violation of its provisions.
Law Applicable to Processing of ‘Personal Data’
The law is applicable to any activity that involves the processing of “personal data,” which is defined and encompasses the processing of data of individuals, identified or identifiable, by individuals and private and public legal entities. Pursuant to the law, any data is identifiable if even after the anonymization of the information, the process to which they were submitted can be reversed by reasonable efforts and means, and therefore they are referred to as personal data for the purposes of the law.
Companies headquartered in Brazil, foreign affiliates located in Brazil, and companies located outside Brazil that offer or provide services or goods to individuals or entities located in Brazil or that collect or processe personal data of data subjects in Brazil must comply with the law.
Like similar comprehensive data protection laws, it imposes restrictions on the international transfer of data. It permits the exchange of data with countries or international organizations that provide an appropriate level of protection for personal data, or that provide assurances for the protection of personal data. Standard contractual clauses, global corporate standards, seals, certificates, or codes authorized by the national data protection authority are considered appropriate assurances for cross-border data transfers.
In order to avoid discrimination between people based on the information, the law also provides strict protection to information defined as “sensitive data,” which encompasses data related to race, national origin, religion, sexual orientation, health condition, and political view. This information cannot be used to redirect advertisements. Unlike the European GDPR, the Brazilian law prohibits the trade in medical information regarding a patient’s health conditions, with very few exceptions, such as prior consent by the data subject and based on the legitimate interest to provide adequate medical treatment.
Companies subject to the law must also be conscious as to the standards provided for the collection and use of publicly available information, as the law only allows for their collection and use in good faith and without deviance of such purpose. For different purposes, the controller must identify a legitimate interest (i.e., public interest).
Furthermore, data subjects are authorized to have access, at any time, to their personal data, and to request rectification, cancellation, exclusion, and transfer of the data to another service provider. To ease the communication between data subjects and controllers, companies subject to the law must appoint a data protection officer to be in charge of the communication among the company, the data subject, and the National Data Protection Authority (ANPD).
Companies must ensure the protection of personal data, adopting all necessary technical measures to do so. ANPD was mainly created to ensure the protection of personal data, supervise and apply sanctions, through administrative proceedings, in cases of non-compliance with the law, and may request “impact reports” on the protection of personal data from companies, including “sensitive data,” that identify the measures taken to protect the data.
Non-compliance with the provisions of Brazil’s new law may result in harsh penalties. The ANPD may apply a fine of up to 2 percent of income for the preceding fiscal year, subject to a maximum limit of BRL 50 million per violation ($13.35 million).
For the application of the penalty, authorities will take into consideration the extent of the measures adopted to comply with the law (such as existence of internal policies and training). Moreover, the ANPD will take into consideration the steps taken by the companies in the case of unauthorized disclosure of personal data (companies must give notice to the data subject and to the national authority within a reasonable time).
Law No. 13.709/2018 provides for a grace period of 24 months to allow companies to adapt to the new model and therefore be able to comply with the provisions, and will become effective on Aug. 14, 2020.
Diego Capistrano is an attorney and senior foreign legal consultant with Squire Patton Boggs in Houston. He began his career in Brazil, where he served as a litigation, arbitration, and bankruptcy lawyer. He now works closely with the firm’s Corporate Practice Group to represent the interests of international clients in matters relating to Latin America.