On 14 August 2018 Brazil passed its Data Protection Law (Law No. 13.709/18) (the "new law"), which will come into force in 18 months, in February 2020. This law establishes concepts similar to those of the EU's General Data Protection Regulation, such as the rights provided for data subjects [1] and the obligations and liabilities imposed on controllers and processors. It also creates a role similar to the Data Protection Officer.

Under the new law, personal data processing activities will require consent, and breaches must be notified to both the data subjects and the national authority (which has not been created yet). Breaches will also be subject to sanctions such as administrative warnings, fines, publicity of the incident and suspension or prohibition from processing the relevant personal data. The national data protection authority will be created and empowered to establish additional rules.

The new law will apply to any kind of personal data collected [2] and processed in Brazil, whether the processing is performed by a natural person or a legal entity, private or public, with the purpose of offering goods or services or of processing data of individuals located in the country. It will not apply to data processing performed by natural persons for private, non-economic purposes; or performed for journalistic, artistic or academic purposes; or for purposes of public safety, national defence, safety of the State or activities related to the investigation and repression of crime. It will not apply to data originating outside Brazil which has not been communicated to or shared with a Brazilian agent nor transferred to a third country, provided the country of origin already offers adequate personal data protection.

Personal data processing is only permitted where express consent was given by the data subject, or in the following circumstances:

(a) to fulfil a legal or regulatory duty of the controller;
(b) by public bodies, concerning the execution of public policies;
(c) by research bodies, granting anonymisation of the data whenever possible;
(d) to exercise legal rights in judicial, administrative or arbitration proceedings;
(e) for the protection of life or safety of the data subject or of a third party;
(f) for the protection of health, when performed by health professionals;
(g) when necessary to perform a contractual obligation, at the request of the data subject;
(h) when necessary for the legitimate interests of the controller or of a third party, except when the data subject's fundamental rights and freedoms concerning data protection prevail;
(i) for credit protection reasons.

For sensitive data, items (g), (h) and (i) do not apply, subject to certain exceptions.

Similar to the GDPR in Europe, the new law introduces financial risks for data controllers and processors acting in Brazil or in connection with the Brazilian market. In cases of breaches, the liabilities to which data controllers and processors will be exposed are likely to include redress for data subjects, defence costs in litigation or regulatory investigations, and administrative fines. The fines may be up to 2% of the company's previous year's turnover, after taxes, limited to BRL 50 million. [3]

Associated costs will also include the costs of investigating a breach, notifying potentially affected data subjects and preserving or mitigating damage to the organisation's reputation. There may also be administrative expenses necessary to rectify or erase personal data. With all of this disruption, business interruption losses are also likely.

Furthermore, the culpable organisation's Directors and Officers could face the risk of actions initiated by shareholders in cases of a fall in share prices after a publicised breach, especially if the data breach is considered, for instance, the result of poor or ineffective management of cyber security measures.

As cyber policies issued for the Brazilian market might need to be adjusted over the following months, D&O policies issued for organisations that handle personal data in or from Brazil might also need adjustments to their wordings, to avoid unwanted, non-affirmative coverage for cyber-related risks.