The Brazilian government’s proposal for Brazil’s first data protection framework (‘the Proposal’) hit a stumbling block after major concerns were raised in public comments.

After the public consultation period ended, those reviewing the comments made numerous suggestions for changes, such as tightening the definition of what constitutes personal data, clarifying the consent for processing rules, defining the jurisdictional scope of the laws, adopting a more European approach to international transfers of data, and creating a data protection authority.

The definitions of personal data and consent are considered by many to be too broad. In relation to personal data, the extent to which anonymised data falls within the definition is unclear. The issue with such a broad definition of consent is that individuals could become desensitised to the importance of privacy, as no distinction is drawn between the varying types of consent.

Public comments noted that the Proposal applies to all Brazilian data without restriction, meaning that international organisations processing Brazilian data would also need to comply with Brazilian data protection laws.

Regarding international transfers, personal data may only be transferred to countries that offer a similar level of protection to Brazil. However, many have argued that other transfer mechanisms – such as, for example, the EC standard contractual clauses – should be considered. Disputes also arose as to whether a separate data protection authority should be created or whether an existing government ministry could be utilised.

Clearly many points need to be revisited, and with the comments received from the public still being considered by the Ministry of Justice, it seems unlikely that a new draft will be produced by the end of the year. With approval from the various houses of Congress still required, those processing Brazilian data may still have a long wait before new legislation is enacted.