Skip to main content

Data collection is a potential minefield for businesses looking to collect or monetise user’s data. MEF Policy & Initiatives Advisor Simon Bates shares the key take-aways from the latest edition of our regional guides for businesses and the regulatory issues around data collection, this time looking at Brazil.

Once again the eyes of the world are on Brazil as Rio hosts the Olympics. But the global business community hardly needed reminding of what the country has to offer: a rapidly growing middle class has created a tech-savvy consumer base that offers big opportunities for the mobile ecosystem. However, any company looking to collect data on Brazilian nationals must comply with local laws.

Regulation can be an intimidating minefield for mobile entrepreneurs and industry executives who simply don’t have time to wrap their head around pages and pages of legal jargon.

That’s why MEF has teamed up with local experts FAS Advogados to create a Business Guide to Data Regulation in Brazil. It explains in straight-forward business language the rules that govern what to do and what not to do with the data you collect from users and share with other companies. The following are just some of the important questions you’ll find answers to…

Why should I care about this?

There are tough penalties in place to deter businesses from breaking the rules. You can face a fine of up to 10% of the company’s annual income in Brazil, as well as a suspension of all related activities.

  There are tough penalties in place to deter businesses from breaking the rules. You can face a fine of up to 10% of the company’s annual income in Brazil, as well as a suspension of all related activities.

Who do I report to?

The key regulation the Brazilian Civil Rights Framework for the Internet which is enforced by Brazilian courts.

What exactly is personal data, anyway?

The current version of the Data Protection Bill defines personal data as the information pertaining to an identified or identifiable natural person, including identification numbers, location data or electronic identifiers, whenever such data is connected to a person.

Do I need to register with someone if I want to collect data?

Not at this time. The current version of the Personal Data Protection Bill requires that businesses appoint a data protection officer rather than registering the company itself as a controller.

Aerial zoomDo I need a user’s consent to collect their personal information?

Yes. The best approach is to explain what information you plan to collect and share, then secure consent via a tick box.  Consider text like “I have read the privacy policy and agree with the processing of my personal data as stated within it”. Only then can personal data be sent to the application or connection provider.

What if I don’t want to collect personal information in the first place?

All providers must keep a record of the date and time of the application’s use from a particular IP address for at least six months, in accordance with regulation. The administrative or police authority or the Prosecutor’s Office may require certain companies to keep records for longer periods.

How about the rules around storing data?

Access to the data must be strictly controlled and authentication protocols established. Every time records are accessed, a note should be recorded of the time, duration, identity of the employee and the file which was accessed. Finally, encryption or equivalent protection measures must be in place

Can I transfer user data from the UK/Germany to another country?

The law does not make specific provisions about the transfer of data to other countries. However, it is recommended that you ask for the user’s consent before transferring data outside of Brazil.

Must I share data with law enforcement agencies if they request it?

Law enforcement agencies can, if approved by the courts, request customer data such as usage logs, IP logs, personal identifiable information and also to monitor ongoing conversations. There is no obligation to tell the user this is going on and in some cases this might even be forbidden.

The request may be enforced, e.g. by means of a raid.

What about the upcoming Data Protection Bill? How will that change things?

Simon Bates

Senior Advisor, Policy & Initatives


color-linkedin-128 color-twitter-128 color-link-128

The Brazillian Congress is currently considering a new bill governing the use of personal information. It is based around a set of principles, especially the following:

  • Data must be used for legitimate, specific and explicit purposes, which are clearly indicated to the user;
  • Transparency, with clear, adequate and easily accessible information relating to the use of data available to the user.

It also provides new definitions for ‘sensitive’ and ‘anonymized’ data, and provides a greater degree of clarity around the transfer of data out of Brazil.

Thanks to FAS Advogados for their help and guidance in compiling the Guide.

For more information, members can download the Business Guide to Data Regulation.

If you have more detailed questions, or are unsure about these rules and how they relate to a specific service, you should always consult a qualified legal expert.