Brazil has adopted a law introducing new and more stringent GDPR-style data protection provisions. On 14 August 2018 President Michel Temer sanctioned the new Brazilian General Data Protection Law (LGPD), which regulates the processing of personal data by individuals, private entities and public authorities.
The LGPD reproduces some of the central points of the European General Data Protection Regulation (GDPR), which became effective on 25 May 2018, and which imposes significant compliance obligations on companies that process data or offer services to individuals in Europe. In common with the European legislation, the LGPD establishes the principle of extraterritoriality, that is, the Law also applies to companies based outside Brazil that treat data collected in Brazil or provide services intended for Brazilians.
The Bill of Law that was the starting point for the LGPD was widely discussed for about eight years in various sectors of Brazilian society (including public agencies, data specialists and companies) and its approval is a major step forward for the country in terms of data protection. The new Law is expected to foster business and bring greater legal certainty to relationships involving the processing of personal data.
Aiming at creating an environment offering enhanced protection for consumer data, the new legislation creates requirements and obligations, with which organisations and individuals involved in processing data will have to comply. These requirements include, for example, the need for free, specific and revocable consent from the data subject; easier access to information about data treatment; a right for the data subject to demand the correction or deletion of data; and specific rules on international data transfers.
The Bill of Law submitted for approval to the Presidency was subject to certain vetoes, justified by public interest arguments and the possible unconstitutionality of certain articles. Sections that prohibited the sharing of personal data by the government with private legal entities were excluded. The section stating that if personal data was shared among public law entities, that fact needed to be made public was also excluded, on the basis that it would have an impact on surveillance and control activities by public authorities, and on the activities of the administrative police.
Some administrative sanctions were also excluded from the final text of the Law. The administrative sanctions that still apply include daily fines, or one-off fines of up to 2% of sales of the corporate group in Brazil, up to a ceiling of BRL 50 million.
The most important veto, which had been predicted, related to the creation of the National Data Protection Authority (ANDP) and the National Council for the Protection of Personal Data and Privacy. Several Ministries, in addition to the Central Bank of Brazil, considered the articles establishing these bodies were unconstitutional, given that both the ANPD and the Council should be created on the initiative of the executive branch of government. A Provisional Measure or a new Bill of Law is expected to be published soon, to address this gap.
The Law was published in the Official Gazette on 15 August 2018 and data processors have 18 months from that date to adapt their procedures to comply with the new rules.