Similar to the European General Data Protection Regulation in scope and breadth, Brazil’s newly passed data protection regulation covers the processing of personal data and establishes a fundamental right of privacy for data subjects, among other protections.
On August 14, 2018, Brazilian President Michel Temer signed Brazil’s first comprehensive data protection regulation into law, the result of a years-long effort by Brazil to match the more inclusive data protection rights found in European laws, most recently with the passage of the European General Data Protection Regulation (GDPR). The new Brazilian law (Law 13,709/2018, known as the Lei Geral de Proteção de Dados or LGPD) amends the Brazilian Civil Rights Framework for the Internet (Law No. 12,965), which was passed in 2014 and governed the use of the internet in Brazil. The LGPD is expected to go into effect in February 2020.
The LGPD is organized into 65 articles and is similar to the GDPR in its expansive scope. It covers the processing of personal data (with special protections carved out for sensitive personal data and children’s personal data) and establishes a fundamental right of privacy for data subjects, including the right to obtain information about data processing from data controllers. It is also similar to the GDPR in its extraterritorial breadth, protecting personal data even when it is collected outside of Brazil, so long as it is processed for the purpose of providing goods within Brazil.
The LGPD includes security measures and notification requirements in the event of a data breach, requiring controllers to notify the national authority and any affected data subject in the event of a security incident that could cause damage to data subjects. Also similar to the GDPR, the Brazilian law includes guidelines for the processing of personal data by public authorities and personal data processing agents, and prohibitions against the international transfer of data in certain circumstances.
Sanctions for infractions by data processing agents include a fine of up to 2% of “conglomerate revenues in Brazil for the prior financial year” and/or a daily fine. (These fines cannot exceed a total maximum of 50 million reais ($12,315,880.00) per infraction). Nonmonetary sanctions include publicizing the infraction and possibly blocking or deleting the personal data at issue until compliance is achieved.
When signing the regulation into law, President Temer vetoed the sections that created an independent data protection authority to enforce the LGPD, arguing that the legislature did not have the power to create such an entity. Thus, as of now, it is unclear how the bill will be enforced. News sources report that President Temer has indicated he will quickly send a bill to Congress that creates a new data protection authority.
The Brazilian law is the latest in a string of similar data protection laws passed in the wake of the GDPR’s long-awaited enactment in May. Stay tuned for similar works from India (which released the draft of its new Personal Data Protection Bill on July 27) and Thailand (which approved a revised draft of its first personal data protection act in May).
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers: