On August 14, 2018, after eight years of debates and drafting in the National Congress, Brazilian President Michel Temer sanctioned Law No. 13.709/2018, which regulates the General Data Protection in Public and Private Sectors.

The General Data Protection Law is the first legislation in the country that provides for the data protection of individuals and private and public legal entities. The law was largely inspired by the European Union’s General Data Protection Regulation (“GDPR”). Among other important provisions, Law No. 13.709/2018:

(a) defines very broadly the term “personal data”; (b) establishes the principles that govern the use of “personal data” by specifying:

(1) how the information must be treated; (2) the rights of the holder of the personal data; (3) the duties and obligations of the private and public entities responsible for the protection of the data; and

(c) provides for the penalties applicable in case of violations of its provisions.

Law No. 13.709/2018 also imposes restrictions on the international transfer of data. It permits the exchange of data with countries or international organizations that provide an appropriate level of protection for personal data, or provide assurances for the protection of personal data by means of standard contractual clauses, global corporate standards, seals, certificates, or codes authorized by the national data protection authority (to be known as the Autoridade Nacional de Proteção de Dados – APND).

According to Law No. 13.709/2018, non-compliance with its provisions may result in a fine to the transgressor of up to 2% of its income in the preceding fiscal year, subject to a maximum limit of BRL 50 million per violation.

Law No. 13.709/2018, which will become effective on 14 February 2020, provides for a grace period of 18 months to allow companies to adapt to the new model and therefore be able to comply with its provisions.