Rafael Pellon, MEF LatAm advisor and partner at Focaccia, Amaral, Salvia, Pellon & Lamonica Advogados, discusses the ongoing debate in the Brazilian legislature surrounding the adoption of GDPR-like rules governing data privacy for the country.

At the end of May the House of Representatives in Brazil approved Bill of Law 4060/2012, which would establish a General Data Privacy Law in the country. This week, given the strong engagement of internet rights NGOs, trade associations, government authorities and luminaries of academia and the legal sector, Senator Renato Ferraço decided that the Bill will be discussed at one last Senate Committee and will head to the Senate floor immediately afterwards, in time for the Bill to be approved before the mid-year vacations and the general election period from September until November.

The decision is a victory for lawmakers from the House of Representatives and the Brazilian civil society organizations that were pushing for the Bill created there, which is strongly inspired by the European GDPR. The Bill competed for prominence with other bills drafted in the Senate that were more business-driven and would not have included all of the provisions of the General Data Privacy Law.

The urgency of the topic is palpable, given the little time left in the current legislature. If there is no final approval on the Senate floor, the country would see a new data protection law only in 2019, when the newly elected Congress starts its activities, with new discussions delaying the setup of such data protections even more.

The proposed General Data Privacy Law has a more protectionist attitude regarding personal data collected from Brazilians within the country’s territory. Among its main topics we could highlight:

The rights of citizens over their personal data – setting out various options for managing it whenever such data is stored or is being processed by companies.

Consent – Mandatory prior, express and unequivocal consent for the collection and processing of personal data, including the right of any citizen to cancel or withhold such consent at any time, the right to rectify any collected data and the right to port any collected personal data from one company or platform to another, as long as such data isn’t anonymized, that is, data that can no longer identify its owner.

The sole exemption from this provision would be in cases of “legitimate interest” or when the owner of any personal data has distributed it in public spaces such as social media.

Sensitive Data – Classification of certain types of data as sensitive personal data, subject to more restrictive management and processing. The Bill defines as sensitive any data related to health, sexual life and options, biometrics and genetics; racial and ethnic data; religious, political or philosophical data; and union affiliation or religious affiliation.

Data considered sensitive cannot be processed by companies, except in specific cases, mostly reserved to government branches for the management and enforcement of public policies in health and security, specific matters regarding a citizen in a life-threatening situation, among other minor scenarios.

Objective Liability – Classification of data processing as a risky activity, imposing objective liability on any data processing agent, that is, liability independent of any proof of a conscious burden.

Creation of the National Authority for Data Protection – placed under the Ministry of Justice, with specific roles and positions. The mission of the National Authority will be to propose the National Data Protection Policy and to stimulate the adoption of good practices in the management of data and the self-regulation of specific economic sectors.

The National Authority will also have the power to issue specific regulations and to investigate and punish processing companies and their agents in cases of wrongdoing. This government body will have the power to issue penalties of up to 4% of the annual revenues of a company, limited to R$ 50 million (approximately 10 million pounds).

Creation of the Privacy and Personal Data National Council – gathering mostly public authorities from other government branches, but also appointed counselors from academia, civil society and private companies. The Council will perform a consulting role and will support the National Authority for Data Protection in the creation of public policies.

International Transfers – The possibility of international transfers of collected personal data to other countries, provided that such destinations have adequate mechanisms for data protection and institutional and judicial means to guarantee the protection of personal data from citizens of other countries.

This is one key topic under discussion, given the resistance of the banking industry in Brazil to accepting it, with the suggestion to allow the transfer and storage of data in any country as long as Brazilian legislation applies to data collected within Brazil or from Brazilians. There are multiple players with conflicting views on this matter, but since the Brazilian Internet Civil Rights Law established such provisions for storage anywhere, it is possible that the General Data Privacy Law will adopt the same rules.

Rafael Pellon

Policy & Initiatives, LatAm, MEF Board Member
