Rafael Pellon, MEF LatAm advisor and partner at Focaccia, Amaral, Salvia, Pellon & Lamonica Advogados, discusses the ongoing debate in the Brazilian legislature surrounding the adoption of GDPR-like rules governing data privacy for the country.

At the end of May, the House of Representatives in Brazil approved Bill of Law 4060/2012, which would establish a General Data Privacy Law in the country. This week, given the strong engagement of internet rights NGOs, trade associations, government authorities and luminaries of the academic and legal sectors, Senator Renato Ferraço determined that the Bill will be discussed at one last Senate Committee and will head to the Senate floor just afterwards, in time to approve the Bill before the mid-year vacations and the general election period from September until November.

The decision is a victory for lawmakers from the House of Representatives and the Brazilian civil society organizations that were pushing for the Bill created there, which is strongly inspired by the European GDPR. The Bill competed for prominence with other bills of law drafted in the Senate that were more business-driven and wouldn’t have all of the provisions of the General Data Privacy Law.

The urgency of the topic is palpable, given the little time left in the current legislature. If there’s no final approval on the Senate floor, the country would see a new data protection law only in 2019, when the newly elected Congress starts its activities, with new discussions delaying the setup of such data protections even more.

The proposed General Data Privacy Law has a more protectionist attitude regarding personal data collected from Brazilians within the country’s territory. Among its main topics we could highlight:

The rights of citizens over their personal data – setting out various alternatives for managing that data whenever it is stored or is being processed by companies.

Consent – Mandatory prior, express and unequivocal consent for the collection and processing of personal data, including the right of any citizen to withdraw or withhold such consent at any time, the right to rectify any collected data and the right to port any collected personal data from one company or platform to another, as long as such data isn’t anonymized, that is, data that can no longer identify its owner.

The sole exemption from this provision would be in cases of “legitimate interest” or when the owner of any personal data has distributed it in public spaces such as social media.

Sensitive Data – Classification of certain types of data as sensitive personal data, with more restrictive management and processing. The Bill defines as sensitive the data related to health, sexual life and options, biometrics and genetics; racial and ethnic data; religious, political or philosophical data; and union affiliation or religious affiliation.

The data considered sensitive cannot be processed by companies except in specific cases, mostly allowed to government branches for the management and enforcement of public policies in health and security, specific topics regarding a citizen in a life-threatening situation, among other minor scenarios.

Objective Liability – Classification of data processing activities as a risky activity, imposing objective liability on any data processing agents, that is, liability independent of any proof of a conscious burden.

Creation of the National Authority for Data Protection – placed under the Ministry of Justice, with specific roles and positions. The mission of the National Authority will be to propose the National Data Protection Policy and stimulate the adoption of good practices in the management of data and the self-regulation of specific economic sectors.

The National Authority will also have the power to issue specific regulations, and to investigate and punish processing companies and their agents in case of wrongdoing. This government body will have the power to issue penalties of up to 4% of the annual revenues of a company, limited to R$ 50 million (approximately 10 million pounds).

Creation of the Privacy and Personal Data National Council – gathering mostly public authorities from other government branches, but also appointed counselors from academia, civil society and private companies. This Council will perform a consulting role and will support the National Authority for Data Protection in the creation of public policies.

International Transfers – The possibility of international transfers of collected personal data to other countries, provided that such destinations have adequate mechanisms for data protection, and institutional and judicial means to guarantee the protection of personal data from citizens of other countries.

This is one key topic under discussion, given the resistance of the banking industry in Brazil to accepting it, with the suggestion to allow the transfer and storage of data in any country as long as the Brazilian legislation applies to data collected within Brazil or from Brazilians. There are multiple players with conflicting views on this matter, but since the Brazilian Internet Civil Rights Law established such provisions of storage anywhere, it is possible that the General Data Privacy Law will adopt the same rules.

Rafael Pellon

Policy & Initiatives, LatAm, MEF Board Member

MEF