The plenary session of the Senate approved on Tuesday, July 10, Bill of Law (PLC) No. 53/2018, which deals with the protection of personal data. The text is now proceeding for signature by the president of Brazil and, if signed, Brazil will have a data protection law in force 18 months after its publication in the Official Gazette.
Long awaited, the new law will put Brazil at a level similar to that of developed countries. We highlight below some points of the new legislation.
The main concepts employed, which deal with the scope of application of the rules and the individuals and legal entities covered by the new framework, are as follows:
Personal data: any information related to an individual (a natural person) who can be identified based on the data collected. This is the central concept of the new legislation, whose purpose is to protect the privacy of owners of personal data that is being processed.
Data subject: an individual (natural person) to whom the personal data subject to processing refers.
Processing: any operation performed with personal data, such as collection, use, processing, storage, and deletion.
Controller: an individual or legal entity responsible for decisions concerning the processing of personal data.
Application: the new legislation applies to individuals or legal entities, private or government entities, who process personal data in Brazil or collect data in Brazil or, further, when the processing has the purpose of offering or supplying goods or services to data subjects located in Brazil.
Scenarios for processing: the processing of personal data can only be carried out in one of the following scenarios: (a) based on the consent of the data subject; (b) when it occurs to fulfill a legal or regulatory obligation on the part of the controller; (c) by the public administration, for the execution of public policies; (d) by research bodies, to carry out studies; (e) where necessary for performance under a contract or preliminary procedures for a contract to which the data subject is a party, at the request of the data subject; (f) for the regular exercise of rights in judicial, administrative, or arbitration proceedings; (g) for the protection of the life or physical safety of the data subject or a third party; (h) for protection of health, with procedures performed by health professionals or by health entities; (i) when necessary to meet the legitimate interests of the controller or a third party, except where the fundamental rights and freedoms of the data subject that require the protection of personal data prevail; or (j) for the protection of a debt claim.
Children and adolescents: In the case of processing of personal data of children and adolescents, there should be specific and clear consent given by at least one parent or legal guardian.
Rights of data subjects: the new legislation establishes the following rights of data subjects: (a) to obtain information about the existence of processing of their personal data; (b) to access their personal data; (c) to correct incomplete, inaccurate, or outdated personal data; (d) to have unnecessary or excessive personal data or personal data processed in contravention of the legislation anonymized, blocked, or deleted; (e) to carry out portability of personal data to another provider of a service or product (that is, to have someone who holds their personal data transfer it to a third party, at the request of the data subject); (f) to delete their personal data processed on the basis of their consent (that is, the right to revoke their consent given earlier); (g) to obtain information on the public and private entities with which the controller has shared the data subjects' personal data; and (h) to obtain information about the possibility of not giving consent to the processing of their personal data and the consequences of such denial.
International transfer of data: the transfer of personal data outside the territorial limits of Brazil shall be allowed only in the cases provided for by law, including: (i) to countries that provide a degree of protection of personal data equal to that provided for by Brazilian law; (ii) when the transfer is necessary for the protection of the life or physical safety of the data subject or a third party; or (iii) when the data subject has given specific and clear consent to the transfer. Accordingly, controllers should take extra precautions when they transfer personal data, including when hiring IT service providers who may store data in other countries and thus may violate the rules governing international transfer of data.
Person responsible for the processing of personal data: controllers must appoint a person responsible for the processing of personal data, whose main functions shall be to respond to complaints and requests from data subjects; to receive communications from the national data protection authority (described below); and to take the steps necessary, as well as to guide employees and contractors regarding practices related to the protection of personal data.
Penalties: Among other sanctions, the law provides for penalties of up to 2% of the billing of the private legal entity, group, or conglomerate in Brazil in its last fiscal year, excluding taxes and limited to a total of R$ 50 million per infraction. Following the model of the European General Data Protection Regulation (GDPR), the new legislation establishes fairly stringent penalties, which emphasize the importance of the subject.
Creation of a National Data Protection Authority: The law creates the National Data Protection Authority, whose main function shall be to protect personal data.
In the coming months, people who process personal data subject to the new law, especially Brazilian companies, should take a number of measures to ensure compliance with the new legislation. These include the implementation of appropriate corporate policies, the hiring of information technology resources, and the training of personnel both to respect the rights of personal data subjects (usually customers, employees, and other contractors) and to avoid the penalties provided for.