We have recently been made aware that Brazil has published a revised draft law on data protection. The English translation which we have indicates that the law protects the processing of personal data in Brazil whether or not the entity carrying out the processing is in Brazil.
Exemptions apply for processing for domestic purposes and/or journalistic purposes and the majority of the principles of the draft law are in line with the principles of the EU Data Protection Directive including transparency, data quality, data management and information security.
The bill provides for data subject rights including subject access rights.
With regard to international data transfers Chapter V of the draft law applies the EU style rules on data transfers and it will be interesting to see whether binding corporate rules or model clauses from the EU will be acceptable for use in Brazil.
The draft law defines controllers and processors, much like the EU, and also sets out the role of the data protection officer.
The draft law anticipates the creation of a data protection authority (competent body) which will have rights to investigate, provide guidance and to be consulted with in respect of particular categories of data processing.
The Brazilian law is intended to come into force 120 days from the date of its publication, which as yet is unknown.