In late October, the Brazilian Ministry of Justice (the “Ministry”) issued its revised Draft Bill for the Protection of Personal Data (“Draft Bill”). The Ministry released its preliminary draft in January 2015, and the Centre for Information Policy Leadership at Hunton & Williams LLP (“CIPL”) filed public comments to the draft on May 5, 2015.
Key changes to the new Draft Bill include:
- adding “legitimate interest” as a basis for processing non-sensitive personal information;
- adding a risk-based approach by data controllers and processors in establishing “best practices standards”;
- broadening the definition of “consent”;
- adding consent as a basis for legitimizing cross-border transfers;
- requiring the application of data processing principles to public data;
- adding a chapter on personal data processing by public authorities;
- clarifying the competence of the Competent Public Body (a privacy authority); and
- creating a multi-stakeholder National Counsel of the Protection of Personal Data to assist the Competent Public Body.
A more detailed summary of the revised Draft Bill can be found in an article titled “Main Innovations of the Newest Version of the Brazilian Draft Law on the Protection of Personal Data,” written by Brazilian attorneys Renato Leite Monteiro, Cyber Law and International Law Professor at Mackenzie University School of Law, and Bruno Bioni, Researcher for The Public Policy for Access to Information Research Group at the University of São Paulo. The next steps for the Draft Bill include an evaluation by the Brazilian Office of the Presidential Chief of Staff, followed by an introduction to Congress.
In addition, there are two other privacy bills currently moving through the Brazilian Congress, one in the Chamber of Deputies and another in the Federal Senate. An updated version of the Senate bill (PLS 330) was released on October 13, 2015. The current rapporteur for this bill is Senator Aloysio Nunes Ferreira. An English translation is not yet available.
In order for the Draft Bill to move forward, it would have to be merged with, or supersede, these other two privacy bills.