In Short

The Development: Brazilian President Michel Temer enacted the Brazilian General Data Protection Law on August 14, 2018.

The Purpose: The newly enacted General Data Protection Law is intended to regulate the treatment of personal data in Brazil.

Looking Ahead: The law will become effective 18 months after its official publication. 

Following a global trend and adopting international standards, on August 14, 2018, Brazilian President Michel Temer enacted the Brazilian General Data Protection Law. The Brazilian Senate approved the Bill of Law 53/2018 on July 10, 2018, in order to regulate the treatment of personal data in Brazil, but Temer vetoed portions of the bill.

Under the new regulation, personal data will be protected regardless of how it is collected or stored. The bill also establishes that personal data may be processed under only 10 scenarios, which include, among others: express consent, compliance with legal obligation, protection of life or physical integrity, performance of a lawful agreement, or in the legitimate interest of the entity responsible for the data processing or a third party.

The proposed regulation had aimed to create the National Data Protection Authority (Autoridade Nacional de Proteção de Dados) ("ANPD") to oversee data protection regulation and apply sanctions. Sanctions included a partial or total ban on data processing activities and fines of up to R$50 million (equivalent to approximately US$12 million) per violation. The creation of the ANPD, however, was vetoed by Temer. The vetoed articles will be sent back for deliberation and may be overturned by Congress. Temer may also create the ANPD through an executive order (medida provisória) within the period of 18 months after the law's official publication.

The bill defines "sensitive data" as "personal data on racial or ethnic origin, religious beliefs, political opinions, affiliation to trade unions or organizations of a religious, philosophical or political nature, data relating to health or sex life, and genetic or biometric data, when related to a natural person." (Art. 5, II). The bill mandates that this type of data be processed only in limited circumstances and that it must be handled with additional care.

The bill also does not specifically create an obligation to create policies or manuals. However, the general rules for data collection and processing, the rules concerning the data subjects' rights, and other obligations indicate the necessity of creating such documents.

The clearest requirement is the need to reformulate/create privacy policies and terms of use for activities that include some kind of data usage in order to reflect the bill's provisions. The need to obtain and be able to prove that consent was given will also be more important. Although there are a few situations in which consent is not required, it remains the default requirement for data processing in Brazil. Manuals and internal policies will be useful in order to keep track of the data controller's obligations, including procedures for data erasure, communication with data subjects and the data protection authority, procedures for incidents/breaches, and general rules on clearance and responsibilities.

The bill encourages companies to create rules of good practice and governance to comply with the law and better protect data and its subjects' interests, but it does not require data controllers to do so. Furthermore, the data controller must keep records of its operations related to data processing, and every company that undertakes any kind of data processing must have a data protection officer. 

Moreover, the new bill has extraterritorial affects and may be applied to foreign entities if they process personal data in Brazil, personal data collected in Brazil, personal data related to individuals located in Brazil, or personal data for the purpose of offering goods or services in Brazil. However, this does not apply to the processing of personal data in Brazil if the data was collected abroad and was not shared with entities in Brazil or any other country except the country in which the data originated, which must have data protection laws in accordance with the standards set forth in the bill. 

The bill does not apply to inbound data that is not shared with data processing agents in Brazil and sets forth rules for outbound data transfers. The international transfer of data is only possible when: (i) the receiving country has adequate standards of data protection compared to Brazil (to be evaluated by a national authority for data protection); (ii) the data controller provides warranties that the data will be protected per the standards of the Brazilian law (through contractual clauses, global corporate rules, or certificates); (iii) the data transfer is specifically approved by the national authority for data protection; (iv) the data subject gave specific consent concerning the possibility of international transfer and its specific destination; and (v) necessary to protect one's life or health.

The bill provides that the law will become effective 18 months after its official publication (Art. 59).