Law and the regulatory authority

Legislative framework

Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection?

The Brazilian Federal Constitution protects the intimacy, private life, honour and image of the individual as a fundamental right (section 5, X, Brazilian Federal Constitution). Historically, Brazil has regulated privacy, data protection and cybersecurity matters on a sector-specific basis.

More recently, the Brazilian Congress passed a general data protection law (Law No. 13,709/2018 - the LGPD), which is intended to transform significantly the data protection system in Brazil. The LGPD is inspired by the European data protection framework, particularly the General Data Protection Regulation (GDPR).

The LGPD establishes detailed rules for the collection, use, processing and storage of personal data and it will affect all sectors of the economy, including the relationship between customers and suppliers of products and services, employees and employers, transnational and national commercial relations, as well as other relations in which personal data is collected in the digital environment or outside the digital environment.

The LGPD will enter into force in August 2020, by which date legal entities subject to it will have to adapt their data processing activities to the new requirements it imposes.

On 8 July 2019, the Brazilian President sanctioned Law No. 13,853/2019, which converted Provisional Measure No. 869/2019 into law, creating the National Data Protection Authority (ANPD) and amending certain provisions of the LGPD.

Data protection authority

Which authority is responsible for overseeing the data protection law? Describe the investigative powers of the authority.

As mentioned in question 1, Law No. 13,853/2019 recently created the ANPD, an administrative body with technical autonomy, linked to the Cabinet of the Presidency, that is responsible for overseeing, issuing guidelines on and enforcing the LGPD and other data protection laws. The ANPD has specific powers to issue guidelines for compliance with the requirements imposed by the LGPD, to investigate and audit, and to apply administrative sanctions. Law No. 13,853/2019 expressly provides that the ANPD has exclusive jurisdiction to interpret and enforce the LGPD and that, concerning the protection of personal data, this jurisdiction prevails over the correlated jurisdiction of other public entities or bodies.

Legal obligations of data protection authority

Are there legal obligations on the data protection authority to cooperate with data protection authorities, or is there a mechanism to resolve different approaches?

The LGPD provides that the ANPD shall coordinate with other government bodies on data protection matters, while remaining the central body for the interpretation of the LGPD. In addition, the ANPD has jurisdiction to promote cooperation with the data protection authorities of other countries and with international agencies.

Breaches of data protection

Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?

Breaches of data protection law may lead to administrative investigations handled by the ANPD, which shall grant the right to present a defence and to appeal, and may result in the administrative sanctions listed below. Breaches of data protection law do not normally lead to criminal penalties or liability. The sanctions that may be applied by the ANPD are the following:

  • warning, which will include a deadline for the adoption of corrective measures;
  • fine of up to 2 per cent of the revenue of the legal entity, group or conglomerate in Brazil in its last financial year, excluding taxes, limited to 50 million Brazilian real per violation;
  • disclosure of the violation after it is verified and its occurrence confirmed;
  • blocking of personal data corresponding to the violation; and
  • elimination of personal data corresponding to the violation.

Scope

Exempt sectors and institutions

Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?

The LGPD does not apply to the processing of personal data performed exclusively:

  • by individuals for private and non-economic purposes;
  • for journalistic, artistic or academic purposes;
  • for public security, national defence or state security purposes; and
  • for the investigation and prosecution of criminal offences.

Processing operations involving personal data that originates in, or is destined for, other countries and merely transits the national territory, without any other processing operation being carried out in Brazil, are also not subject to the LGPD. Except for the foregoing, the LGPD covers all sectors and types of organisation. It has not repealed sector-specific legislation, which continues to apply.

Communications, marketing and surveillance laws

Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.

The LGPD covers electronic marketing and the monitoring and surveillance of individuals to the extent that they involve the processing of personal data, but it does not specifically regulate the interception of communications. Other laws also address these issues.

The Civil Rights Framework for the Internet in Brazil (Internet Act or Law No. 12,965/14) provides that the storage and disclosure of connection logs and access logs to internet applications, as well as of personal data and the content of private communications, must respect the intimacy, private life, honour and image of the parties directly or indirectly involved. The content of private communications may only be disclosed under a court order, as provided by law.

The confidentiality of telephone and computer communications is protected under the Wiretap Act (Law No. 9,296/96) and the Telecommunications Act (Law No. 9,472/97). The Wiretap Act provides that the access to and interception of telephone and telematics communications may only occur under the authority of a valid court order in criminal investigation proceedings. The Telecommunications Act provides that clients’ information can only be used for the purpose of delivering services, and that telecom bills can only be revealed upon the express consent of the user or by a valid court order.

On electronic marketing, Brazil has a Self-Regulation Code for Email Marketing Practice 2009 (Email Code), signed by representative entities of marketing companies, internet service providers and consumers. The Email Code permits electronic marketing on an opt-in or soft opt-in basis (the latter where there is evidence of a previous commercial relationship between sender and recipient). In the soft opt-in case, senders do not need express consent from recipients, but must provide an option to opt out. Although it predates the LGPD, the Email Code is consistent with it, as organisations may rely on consent (opt-in) or legitimate interest (soft opt-in) to justify the sending of electronic communications.

Concerning the monitoring and surveillance of individuals, labour court precedents establish some rules on the monitoring of employees. Court decisions generally hold that the monitoring of computer systems made available to employees is permitted; IT resources provided for the exercise of the employees' functions may therefore be subject to surveillance. Surveillance of employees' personal devices may be possible (for example, where a professional email account is installed on the employee's mobile phone or computer), to the extent that it is limited to the company's information. Employees' personal email shall not be monitored or accessed by the employer, and employees shall be informed in advance by their employer of all monitoring activities performed.

Other laws

Identify any further laws or regulations that provide specific data protection rules for related areas.

  • Data processing on the internet: the Internet Act establishes rules applicable to internet services and applications. Under the Internet Act, internet connection logs and access logs to internet applications shall be retained for 12 months and six months, respectively.
  • Employee monitoring: see question 6.
  • Health: the Medical Ethical Conduct Code (Federal Council of Medicine, Resolution No. 2,217/18) provides rules on the protection of patients' information and medical records. Subject to limited exceptions, a patient's data may only be disclosed to third parties with his or her written consent. In addition, the Federal Council of Medicine governs the use of computer systems for the storage, handling and retention of such data, authorising electronic storage of documentation instead of paper. The Electronic Medical Chart Law (Law No. 13,787/2018) provides for the digitisation and use of computerised systems for storing and handling patient records. The Ministry of Health and the National Health Surveillance Agency (ANVISA) provide specific rules applicable to data processing in clinical trials.
  • Banking: pursuant to the Bank Secrecy Act (Complementary Law No. 105/01), financial institutions, such as banks, credit card administrators and the stock exchange, must maintain strict confidentiality of the financial transactions and financial information of their clients. Resolutions 4,480 and 4,474 of 2016, issued by the National Monetary Council, regulate, respectively, the opening and closing of bank accounts by electronic means and the digitisation of documents, providing specific cybersecurity rules to ensure privacy in those situations. Resolution No. 4,658/2018, issued by the National Monetary Council, requires financial institutions to implement and maintain a cybersecurity policy and an incident response plan, and to observe certain requirements when engaging data processing, storage and cloud service providers. Circular 3,909/2018 establishes the same cybersecurity rules for payment institutions.
  • Government: the Information Access Act (Law No. 12,527/11) governs the use and processing of data by the public administration and establishes rules and procedures by which individuals may request details of the information collected by the public administration.

PII formats

What forms of PII are covered by the law?

The LGPD defines personal data as information relating to an identified or identifiable natural person. It applies to any processing of such personal data carried out by any means, whether in a digital or a physical environment.

Extraterritoriality

Is the reach of the law limited to PII owners and processors of PII established or operating in the jurisdiction?

No. The LGPD has a significant extraterritorial reach. It applies to any processing activity, whether carried out in or outside the Brazilian territory and regardless of where the processing agents are domiciled or the data are located, provided that at least one of the following applies:

  • the purpose of the processing activity is to offer or provide goods or services in the Brazilian territory;
  • the purpose of the processing activity is to process the personal data of individuals located in the Brazilian territory; or
  • the personal data was collected in the Brazilian territory.

Covered uses of PII

Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide PII processing services to owners? Do owners’, controllers’ and processors’ duties differ?

The definition of ‘processing’ in the LGPD encompasses almost any activity performed with personal data: any operation performed with personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction. In practical terms, any operation with personal data is subject to the LGPD.

Under the LGPD, processing agents are classified as controllers or processors. The controller is the natural or legal person, whether public or private, who is responsible for decisions concerning the processing of personal data. The processor is the natural or legal person, whether public or private, who processes personal data on behalf of the controller and only in accordance with the controller’s instructions.

The controller has more obligations than the processor, but some duties apply equally to both. The LGPD contains no concept of ‘ownership’ of PII and imposes no separate requirements on PII owners.

Both controllers and processors must, for example:

  • abide by data processing principles provided in the LGPD; and
  • adopt technical and organisational measures to protect personal data from data incidents.

In addition, controllers must, for example:

  • appoint a data protection officer (DPO);
  • make easily accessible information available to the data subject on how personal data is processed;
  • justify and document the data processing under one of the 10 lawful bases set forth in the LGPD, which include consent of the data subject, compliance with a legal obligation, performance of a contract and legitimate interest (see question 11), and under the more restricted bases applicable to sensitive data (see question 12);
  • justify and document the lawful basis for the transfer of data out of the country, when applicable (see question 34);
  • comply with the data subjects’ rights;
  • perform privacy impact assessments, when required;
  • comply with the specific requirements for obtaining consent for, and processing, children’s personal data; and
  • notify the ANPD and the data subjects of security incidents that may entail significant risk or damage, such as unauthorised disclosure or use of personal data (see question 21).

Controllers and processors may be jointly and severally liable for damage caused by the processing activities in which they are involved.

Legitimate processing of PII

Legitimate processing – grounds

Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?

According to the LGPD, personal data may only be collected and processed when justified under one of the following 10 legal bases:

  • Consent of the data subject: the LGPD requires consent to be a prior, free, informed and unambiguous manifestation of the data subject’s will, for a specific purpose. It shall be given in writing or by another means that demonstrates the data subject’s intention. If consent is given in a written declaration that also concerns other matters, the request for consent shall be presented in a manner clearly distinguishable from the other clauses. Generic authorisations for data processing are null and void.
  • When necessary for the performance of a contract, or of preliminary procedures related to a contract, to which the data subject is a party.
  • When necessary to comply with a legal or regulatory obligation imposed on the controller.
  • Based on the legitimate interest of the controller or of third parties, except where overridden by the fundamental rights and freedoms of the data subject that require the protection of personal data.
  • When necessary for the protection of credit.
  • For the regular exercise of rights in court, administrative or arbitration proceedings.
  • When necessary for the protection of the life or physical safety of the data subject or of a third party.
  • When necessary for the protection of health, exclusively in procedures carried out by healthcare professionals, health services or sanitary authorities.
  • For research and studies conducted by non-profit research entities, ensuring the anonymisation of the data whenever possible.
  • By the government for the execution of public policies.

Legitimate processing – types of PII

Does the law impose more stringent rules for specific types of PII?

Yes. The LGPD establishes more stringent lawful bases for processing sensitive personal data, which is personal data concerning racial or ethnic origin, religious belief, political opinion, membership of a trade union or of a religious, philosophical or political organisation, health, sex life, or genetic or biometric data. Sensitive personal data may only be processed:

  • with specific and highlighted consent, for specific purposes, which must be given separately from any other consent that might be sought; or
  • without consent, where the processing is indispensable for:
    • compliance with a legal or regulatory obligation by the controller;
    • the protection of the life or physical safety of the data subject or of a third party;
    • the regular exercise of rights, including under a contract and in judicial, administrative or arbitration proceedings;
    • the protection of health, exclusively in procedures carried out by healthcare professionals, health services or sanitary authorities; or
    • the prevention of fraud and the security of the data subject in identification and authentication processes in electronic systems.

Data handling responsibilities of owners of PII

Notification

Does the law require owners of PII to notify individuals whose PII they hold? What must the notice contain and when must it be provided?

Data controllers shall make available to the data subject an easily accessible and detailed privacy notice describing the data processing activities carried out. The privacy notice shall contain clear, adequate and conspicuous information including, but not limited to:

  • the specific purposes of the data processing;
  • the form and duration of the data processing;
  • the identification and contact details of the controller;
  • information regarding the shared use of personal data by the controller, with whom it is shared and for what purpose;
  • the responsibilities of the processing agents; and
  • the rights of the data subjects.

As detailed in question 15, if requested by the data subject, controllers shall inform and provide to the data subject the personal data they hold. Security incidents that may entail significant risk or damage to data subjects may have to be communicated to the data subject, as detailed in question 21.

Exemption from notification

When is notice not required?

There is no exception to the requirement of making available clear and complete information to data subjects, as described in question 13.

Control of use

Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?

Consent from the data subject must be obtained for specific, informed purposes. Even where consent is not required, data subjects must be provided with clear, precise and easily accessible information regarding the processing and the respective processing agents, subject to commercial and industrial secrecy.

In addition to the right to have clear information about data processing, controllers shall guarantee that, without any additional cost and at any time, the following data subject rights are observed:

  • confirmation of existence of the data processing;
  • access to the data;
  • rectification of incomplete, inaccurate or outdated data;
  • anonymisation, blocking, or elimination of data that is unnecessary, excessive, or processed non-compliant with the provisions of the LGPD;
  • portability of the data to another service provider;
  • withdrawal of his or her consent and erasure of data processed with the data subject’s consent, except where retention is authorised by the LGPD;
  • information on the possibility of not providing consent and on the effects of consent denial; and
  • information regarding public and private legal entities with which the controller has performed shared use of data.

Moreover, when decisions related to PII are made solely based on automated processing, data subjects have the right to request the review of such decisions.

Data accuracy

Does the law impose standards in relation to the quality, currency and accuracy of PII?

Yes, the LGPD lists a series of principles that must govern every data-processing activity, including:

  • data quality: guarantee to data subjects of the accuracy, clarity, relevance and currency of their data, to the extent necessary for and in order to fulfil the purpose of its processing;
  • adequacy: the data processing must be compatible with the purposes communicated to the data subject, in accordance with the context of the processing; and
  • necessity: limitation of the processing of personal data to the minimum necessary to fulfil its purpose, covering relevant, proportionate and non-excessive data in relation to the purpose of the processing.

Amount and duration of data holding

Does the law restrict the amount of PII that may be held or the length of time it may be held?

There is no specific provision setting a maximum period for which PII may be stored. As mentioned in question 16, controllers shall observe the necessity principle, whereby excessive data shall not be collected.

As mentioned in question 7, under the Internet Act, internet connection logs and access logs to internet applications shall be retained for 12 months and six months, respectively. Access logs must include the date, time and duration of each connection to the internet application.

Finality principle

Are the purposes for which PII can be used by owners restricted? Has the ‘finality principle’ been adopted?

Yes. According to the purpose limitation principle imposed by LGPD, the processing of personal data must be carried out for legitimate, specific and explicit purposes and be communicated to the data subject, observing the established purpose for which the data was collected.

Use for new purposes

If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?

If the purpose changes, the controller must inform the data subject and assess whether the legal basis initially relied on remains compatible with the new purpose. In addition, personal data that is publicly available may be processed for new purposes, subject to the legitimacy of the purpose of the new processing, the rights of the data subject and the principles established by the LGPD.

Security

Security obligations

What security obligations are imposed on PII owners and service providers that process PII on their behalf?

Controllers and processors must adopt technical and organisational security measures, in order to protect PII from unauthorised access and accidental or illegal destruction, loss, change, communication or dissemination events, or any other event resulting from inappropriate or unlawful processing.

The ANPD may provide minimum technical standards, taking into account the nature of the data, the specific characteristics of the processing and the current state of technology, especially in the case of sensitive personal data.

In addition, the LGPD establishes that such measures shall be applied from the conception phase of the product or service through its execution (privacy-by-design). The systems used for processing personal data shall be structured to meet the security requirements, standards of good practice and governance, general principles provided in the LGPD and other regulatory rules.

Notification of data breach

Does the law include (general or sector-specific) obligations to notify the supervisory authority or individuals of data breaches? If breach notification is not required by law, is it recommended by the supervisory authority?

Yes. Security incidents that may entail significant risk or damage to data subjects must be communicated to the ANPD and to the data subjects, and in some cases to sector-specific regulatory bodies. The notification must be made within a reasonable time, as to be defined by the ANPD, and must contain at least the following:

  • a description of the nature of the personal data affected;
  • the categories of affected data subjects;
  • the technical and security measures adopted;
  • the risks related to the incident;
  • the reasons for any delayed communication, if applicable; and
  • the measures adopted to revert or mitigate the effects of the damage caused by the incident.

Internal controls

Data protection officer

Is the appointment of a data protection officer mandatory? What are the data protection officer’s legal responsibilities?

Yes. The controller must appoint a DPO; a processor may also appoint one. The DPO acts as the communication channel between the processing agent, the data subjects and the ANPD. According to the LGPD, the DPO’s legal responsibilities are:

  • accepting complaints and communications from data subjects, providing clarifications and adopting the necessary measures;
  • receiving communications from the ANPD and adopting the necessary measures;
  • advising the entity’s employees and contractors on the practices to be adopted in relation to the protection of personal data; and
  • performing any other duties determined by the controller or established in complementary rules issued by the ANPD.

Record keeping

Are owners or processors of PII required to maintain any internal records or establish internal processes or documentation?

Yes. Controllers and processors shall document and be able to demonstrate compliance with the requirements imposed by the LGPD - for example, keeping records of personal data processing activities carried out by them. In circumstances defined by ANPD, controllers may be required to produce privacy impact assessments.

New processing regulations

Are there any obligations in relation to new processing operations?

As mentioned in question 20, both controllers and processors must adopt security measures suitable to protect personal data, and such measures shall be applied from the conception phase of the product or service through to its execution, requiring organisations to adopt a privacy-by-design approach.

In circumstances to be determined by the ANPD, the controller must produce a privacy impact assessment (PIA). PIAs are likely to be required when the data-processing activities concern sensitive personal data or are justified by legitimate interest.

Registration and notification

Registration

Are PII owners or processors of PII required to register with the supervisory authority? Are there any exemptions?

No. Under the LGPD, it is not necessary to register the controller, the processor, the database, or any other document or processing activity with the ANPD.

Formalities

What are the formalities for registration?

Not applicable. See question 25.

Penalties

What are the penalties for a PII owner or processor of PII for failure to make or maintain an entry on the register?

Not applicable. See question 25.

Refusal of registration

On what grounds may the supervisory authority refuse to allow an entry on the register?

Not applicable. See question 25.

Public access

Is the register publicly available? How can it be accessed?

Not applicable. See question 25.

Effect of registration

Does an entry on the register have any specific legal effect?

Not applicable. See question 25.

Other transparency duties

Are there any other public transparency duties?

There are no specific transparency requirements prior to the processing activity, such as making public statements regarding the nature of the processing. However, ‘transparency’ is one of the underlying principles of the LGPD that must govern every data-processing activity. According to this principle, clear, precise and easily accessible information shall be made available to the data subjects whose data is being processed. This shall include at least the information listed in question 13.

Transfer and disclosure of PII

Transfer of PII

How does the law regulate the transfer of PII to entities that provide outsourced processing services?

The LGPD does not provide for any specific requirements for outsourcing data processing services. It sets forth general obligations for both controllers and processors.

The LGPD establishes a joint and several liability regime for controllers and processors in respect of any unlawful processing.

Sector-specific regulation may establish requirements for outsourcing processing services. See question 45.

Restrictions on disclosure

Describe any specific restrictions on the disclosure of PII to other recipients.

Besides general requirements of transparency, notice and purpose limitation, the LGPD specifically prohibits the disclosure or shared use (i) of sensitive data to obtain financial gain, in the cases determined by ANPD, and (ii) of health data - deemed sensitive data - to obtain financial gain, except for the provision of health services, pharmaceutical care or healthcare. Sector-specific laws may impose additional requirements or prohibitions on disclosure of personal data.

Cross-border transfer

Is the transfer of PII outside the jurisdiction restricted?

The LGPD expressly determines the cases in which an international transfer of data is permitted, which are detailed below:

  • to countries or international organisations that offer an adequate level of personal data protection as established in the LGPD;
  • when the controller offers and demonstrates compliance with principles in the LGPD, the data subject’s rights and the data protection system established in the law, through specific contractual clauses for a given transfer, standard contractual clauses, binding corporate rules or regularly issued seals, certificates and codes of conduct (all of which shall be previously approved by ANPD);
  • when the transfer is necessary for international legal cooperation between government intelligence, investigations, and prosecution authorities, according to instruments of international law, or when it is the result of a commitment established in an international cooperation agreement;
  • when the transfer is authorised by the ANPD;
  • when the transfer is necessary for the execution of public policies or public service activities;
  • when the data subject has provided specific and highlighted consent for the transfer upon prior information regarding the international character of the activity, clearly distinguishing this from other purposes for data processing;
  • when necessary for the protection of life or physical integrity of the data subject or third party;
  • when it is necessary for the fulfillment of a legal or regulatory obligation on the part of the controller;
  • for the execution of a contract or procedures related to the contract in which the data subject is a party, as long as required by the data subject him or herself; and
  • for the regular exercise of rights, including contractual performance and in court, administrative or arbitration proceedings.

Notification of cross-border transfer

Does cross-border transfer of PII require notification to or authorisation from a supervisory authority?

No. Each specific cross-border data transfer does not require notification or authorisation of the ANPD.

Note, however, that some of the hypotheses that authorise international transfer may require prior registration with the ANPD, namely when (i) the international transfer is based on an authorisation granted by the ANPD; or (ii) the controller or processor uses customised contractual clauses for a given transfer (ie, clauses drafted for a particular transfer that were not previously approved by the ANPD). See question 34.

Further transfer

If transfers outside the jurisdiction are subject to restriction or authorisation, do these apply equally to transfers to service providers and onwards transfers?

Yes. To the extent that a transfer does not fit within one of the hypotheses mentioned in question 34, it shall not be deemed a lawful transfer.

Rights of individuals

Access

Do individuals have the right to access their personal information held by PII owners? Describe how this right can be exercised as well as any limitations to this right.

Yes, the LGPD establishes that the data subject has the right to obtain confirmation of the existence of processing of his or her data and access to the personal data at any time. This can occur in two different ways:

  • in simplified form, if the confirmation or access is provided immediately; or
  • by means of a clear and complete statement, indicating the origin of the data, non-existence of records, criteria used and purpose of the processing, as the case may be, within 15 days counted from the date of the request.

The information will be provided free of charge, electronically or in hard copy, in accordance with the data subject’s request.

In addition, when the processing of data is a result of a consent or a contract, the data subject may ask for a complete electronic copy of his or her personal data.

Other rights

Do individuals have other substantive rights?

As mentioned in question 15, besides the right to confirm the existence of or have access to data collected (see question 37), the LGPD sets forth the following data subject rights:

  • right to correct incomplete, inaccurate or outdated data;
  • right to have their personal data blocked, deleted or anonymised when the data processing is excessive or unlawful;
  • right to portability;
  • right to withdraw a previously granted consent for processing their personal data;
  • right to have their personal data eliminated when consent has been withdrawn;
  • right to information about the public or private entities with whom the controller has shared the personal data;
  • right to information about the possibility to not provide consent and the eventual negative consequences;
  • right to object to the unlawful processing of their personal data if the processing was based on one of the cases in which consent is waived; and
  • when the data processing is exclusively based on automated decisions that might affect the data subjects’ rights, he or she has the right to request the review of such decision.

Compensation

Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury to feelings sufficient?

Yes, any harm caused to individuals, both of material and moral nature, may trigger liability. Evidence of actual damage is not necessarily required to grant indemnification to data subjects.

Enforcement

Are these rights exercisable through the judicial system or enforced by the supervisory authority or both?

Both. All the rights and obligations set forth in the LGPD and other privacy-related laws are enforceable:

  • in the administrative sphere, by the ANPD; and
  • in court, individually or collectively.

Exemptions, derogations and restrictions

Further exemptions and restrictions

Does the law include any derogations, exclusions or limitations other than those already described? Describe the relevant provisions.

No.

Supervision

Judicial review

Can PII owners appeal against orders of the supervisory authority to the courts?

Yes. Any decision issued by ANPD may be subject to appeal and review by courts.

Specific data processing

Internet use

Describe any rules on the use of ‘cookies’ or equivalent technology.

There is no rule specifically dealing with the use of cookies or other equivalent technologies. The use of personal data by means of cookies and other tracking technologies (such as fingerprinting) is generally subject to the rules imposed by the LGPD and the Internet Act.

Electronic communications marketing

Describe any rules on marketing by email, fax or telephone.

There is no binding and specific email marketing or anti-spam legislation in place. This type of activity usually falls under general privacy regulation, as mentioned in this questionnaire.

See question 6 for email marketing.

The telecommunications regulators determined that mobile carriers are only allowed to send promotional messages to users who have expressly accepted receiving them. The Brazilian Court of Justice has ruled that telephone marketing without the prior consent of the consumer is considered an abusive practice.

Cloud services

Describe any rules or regulator guidance on the use of cloud computing services.

Currently in Brazil, there is no specific law to regulate cloud services. However, there are several rules that may affect the use of cloud services, such as:

  • Financial and Payment Institutions: Resolution No. 4.658/2018 and Circular No. 3.909/2018, issued by the Monetary Council, establish requirements that financial and payment institutions must observe when contracting data processing, data storage and cloud computing services.
  • Government: Ordinance No. 9/2018, issued by the Institutional Security Cabinet of the Presidency of the Republic, provides guidelines, principles and duties on information security applicable to the processing of information in the cloud environment by the Federal Public Administration (FPA). According to the Ordinance, data, metadata, information and knowledge produced or stored by FPA bodies, as well as their backups, shall reside in Brazilian territory. The Ordinance also provides that public information may be processed in cloud environments, while, as a rule, the processing of sensitive information in cloud environments should be avoided. In addition, the guidelines of Decree 8.135/2013 and Interministerial Ordinance 141/2014 must be considered when the public administration plans to procure cloud services.

Update and trends

Key developments of the past year

Are there any emerging trends or hot topics in international data protection in your jurisdiction?

Yes. The recent approval of the LGPD, which will come into force in August 2020, and the creation of the ANPD are hot topics in Brazil. Because the LGPD is Brazil's first general data protection law, there is considerable debate regarding how to become compliant with it and how it will be enforced by the ANPD. In this regard, becoming compliant with the LGPD has proved to be a significant challenge for both Brazilian and foreign organisations, whether or not they have established privacy teams.