(English) An overview of the new Brazilian General Data Protection Law

Desculpe-nos, mas este texto está apenas disponível em English. For the sake of viewer convenience, the content is shown below in the alternative language. You may click the link to switch the active language.

The recently enacted Law 13,709/2018, the so-called Brazilian General Data Protection Law (“GDPL”), establishes a legal framework for the protection of personal data of citizens, determining how companies, organizations and public authorities should process data in their activities.

The GDPL was published on August 15, 2018 and will enter into force within 18 months after its publication. As the GDPL is highly protective of data subjects and imposes a lot of obligations on data processing agents, they must do their homework during this 18-month period so as to bring their data processing activities into compliance with the law.

The GDPL is an intricate law with many details and nuances which still need to be further detailed by rules that will probably be issued by the National Data Protection Authority (“NDPA”) when it is created.

The creation of the NDPA, an independent public entity responsible for the supervision and enforcement of the law and originally contemplated in the initial bill, was vetoed by the Brazilian President on the argument that such authority should be created by the executive branch following certain specific legislative procedures. It is still not clear, though, when this will happen. Thus, data processing agents must be attentive during the next months to further developments on this matter.

So as to be compliant with the GDPL, companies should map their activities that involve the use of personal data, identify the legal basis for the processing of such data, and adopt operational, administrative and technical measures to ensure that the necessary adjustments have been made before the new law enters into force, such as the creation or updating of existing privacy and security policies, terms of use, review of contracts with third parties, among others.

1. SCOPE OF APPLICATION. The GDPL applies to all processing of personal data carried out by public or private entities and individuals, if (i) the data is collected or processed in Brazil; (ii) the purpose of the processing activity is the supply of goods or services to individuals located in the Brazilian territory; or (iii) the processing of personal data relates to individuals located in Brazil.

The GDPL defines as ‘processing’ any operation involving personal data (for example, collection, reproduction, use, access, distribution, evaluation, storage, transfer, etc.).

The GDPL has an extraterritorial reach and, therefore, it applies even to foreign companies that either (i) have a branch or subsidiary in Brazil; (ii) offer goods or services in the Brazilian market; or (iii) collect personal data from individuals located in the country.

2. DATA COVERED BY GDPL. Generally speaking, the GDPL covers any data that may allow the identification of a natural person, such as name, e-mail, age, marital status, address and financial situation, obtained in any format (paper, electronic, computer, sound, image or other), isolated or aggregated to another.

The law defines and provides for specific treatment for (i) personal data: any information related to an identified or identifiable individual; (ii) sensitive data: personal data regarding racial or ethnic origin; religious beliefs; political opinions; membership of syndicates or religious, philosophical or political organizations membership; data relating to health or sexual life; and genetic or biometric data when linked to a natural person.

Personal data may also be considered any data used to develop the behavioral profile of a natural person, if identified.

Anonymized data (data which has lost the possibility of being associated to an individual) is outside the scope of application of the law, except if the anonymization process may be reversed.

3. GDPL PRINCIPLES. The GDPL sets out ten principles that must be strictly followed by all who intend to process personal data:

• Purpose limitation: all processing must be for legitimate, specific and explicit purposes duly disclosed to data subjects.
• Adequacy: compatibility of the data processing with the purposes informed to the data subject.
• Necessity: limits the processing of data to what is strictly necessary to achieve the purpose for which the data is being processed.
• Free access: guarantee, to the data subjects, of free and facilitated consultation on the form and duration of the processing.
• Data quality: provides for the accuracy, clarity, relevance and updating of the personal data.
• Transparency: guarantee, to the data subjects, of clear, precise and easily accessible information on the data processing.
• Security: adoption of technical and administrative measures to protect personal data from unauthorized access and accidental or illegal destruction, loss, alteration, communication or dissemination.
• Prevention: adoption of measures to prevent the occurrence of damages due to personal data processing.
• Non-discrimination: impossibility of data processing for unlawful or abusive discriminatory purposes.
• Accountability: adoption of effective measures capable of proving compliance with personal data protection rules.

4. LEGAL BASES FOR DATA PROCESSING. The GDPL establishes that data processing is allowed in ten cases:

• Upon consent of the data subject.
• Compliance with legal or regulatory obligations by the controller.
• Fulfillment of public policies by the public administration.
• Performance of studies by research entities.
• Performance of contract or of preliminary procedures related to a contract to which the data subject is a party.
• Regular exercise of rights in judicial, administrative or arbitration proceedings.
• Protection of data subject or third parties’ life or physical safety.
• Protection of the data-subject’s health, involving procedures performed by health professionals or healthcare entities.
• Legitimate interests of the controller or a third party.
• Credit protection, under the terms of the applicable legislation.

With regard to consent, it must be free, informed and unambiguous and must be provided in writing or by any other means that can demonstrate the will of data subject. Data subjects may revoke consent at any time.

5. SENSITIVE DATA. In comparison with the legal bases for processing personal data, there are more stringent provisions for the processing of sensitive data. Consent from data subject is mandatory, but the GDPL provides that consent is dismissed in some specific cases, such as, among others (i) for compliance with legal or regulatory obligation by the controller; (ii) for conducting studies by research entities; (iii) for protecting data subject or a third party’s life; (iv) for ensuring prevention of fraud and safety of the data subject in the process of identification and authentication of registration in electronic systems.

It is worth mentioning that communication or shared use of health-related sensitive personal data among controllers aimed at obtaining economic advantage is expressly prohibited, except in cases of data portability, when consented to by the data subject.

6. RIGHTS OF DATA SUBJECTS. Data subjects should have their rights guaranteed by data agents in an accessible and effective manner. Among data subject’s rights, the most relevant are (i) confirmation regarding existence of data processing; (ii) access to data; (iii) correction of incomplete, inaccurate and outdated data; (iv) anonymization, blocking or elimination of unnecessary data; (v) data portability, which allows the data subject not only to request an entire copy of their data, but also to have such data provided in an interoperable format, which aims at facilitating its transfer to other services, even for competitors; (vi) withdrawal of consent; (vii) review, by a natural person, of decisions taken solely on the basis of automated processing of personal data affecting his or her interests.

When the processing of personal data is a condition for the provision of products or services – such as in cases of contracts of adhesion -, the data subject must be informed in detail about this fact and about how he or she can exercise his or her rights.

7. DATA AGENTS. We have summarized below certain obligations imposed by the GDPL that must be complied with by legal entities and individuals involved in data processing:

• Data controllers are responsible for making decisions regarding data processing; providing instructions to data processor; keeping records of data processing operations; appointing a data protection officer; preparing the data protection impact assessment report, if so required by the
• NDPA; communicating to the NDPA and data subject any security breaches which could lead to significant risk or damage.
• Data processors are responsible for carrying out data processing according to controller’s instructions; keeping records of data processing operations.
• Data Protection Officer (encarregado) is the individual appointed by the controller, who is mostly responsible for being the communication channel between the controller and data subjects, the NDPA, employees and contracted parties.

8. LIABILITY. In principle, processor may be held jointly liable with controller for damages caused by breach of obligations set forth in the law or when he or she has not followed controller’s lawful instructions. Controllers may also be held jointly liable whenever they are directly involved in data processing from which damages to data subject arise.

Nonetheless, the GDPL has established few exceptions to agents’ liability, such as when the agents could prove that they have not performed any data processing activity; or even if they have performed such data processing activity, that it has not been done in violation of the law or, finally, when the damage arises from data subject or third party’s fault.

9. PRIVACY BY DESIGN AND PRIVACY BY DEFAULT. The GDPL makes it compulsory to implement privacy and personal data protection measures as part of the creation of new services, products and business models. General principles and safety standards must therefore be observed from design to execution and offering of products and services.

10. CROSS-BORDER TRANSFERS. The GDPL also created specific rules on international data transfers, allowing it only in certain cases, such as:

• To countries or international organizations deemed by the data protection authority to provide an adequate level of data protection;
• When there is a guarantee, by the controller through contractual instruments, that it will comply with the principles, rights and the data protection regime provided by law;
• For international legal cooperation between government agencies; or
• Based on the specific and express consent of the data subject.

The NDPA (still to be created) will assess the level of data protection of the foreign country or of the international organization.

11. PENALTIES. Non-compliance with the GDPL’s requirements can result in administrative penalties, such as warnings, publication of the violation, blocking or deletion of data and fines of up to 2% of the sales of the company or group of companies in Brazil, in the last fiscal year, limited to BRL 50,000,000 per infringement. There is also the possibility of a daily fine to compel the entity to cease violation. The fine is calculated based on Brazilian revenue only, not global revenue.

Source: ABA Section of International Law –  Latin America and Caribbean Committee