Brazil v. EU: The future of data protection in Latin America
The new General Data Protection Law of Brazil (GDPL) was published in the Official Gazette of Brazil on 15 August 2018 (Law No. 13,709)1. The law will enter into force in 18 months.
The law has been promulgated with a partial Presidential veto that mainly involved provisions related to the enforcement authority. So it is now up to
the President to decide where to locate the regulatory authority of the GDPL.
The provisions set forth in the GDPL generally follow the General Data Protection Regulation of the European Union (GDPR). For example, the
definitions are based on the GPDR.
With respect to the application of the Law, Section 3 establishes that the law is
applicable to any data processing carried out by a natural person or a legal entity, regardless of the country in which the headquarters is located or the country where the data is located.
The law provides the following legal bases for processing personal data:
1. Consent of the data subject.
2. Compliance with a legal or regulatory obligation by the controller.
3. Processing by the public administration when necessary for the execution
of public policies provided in laws or regulations.
4. Carrying out studies by research entities, ensuring, whenever possible,
the anonymization of personal data.
5. When necessary for the execution of a contract or preliminary procedures
related to a contract of which the data subject is a party, at the request
of the data subject.
6. For the regular exercise of rights in judicial, administrative or arbitration
7. For the protection of life or physical safety of the data subject or a third
Under the new law, consent, which can be provided by any means, is an
essential requirement for the processing of personal data. The GDPL establishes a series of specific requirements for consent. For instance, it has to be provided for specific purposes and in cases of written consent, it must appear highlighted so as to stand out from other clauses of
the agreement. Consent can also be revoked at any time.
Another highlight is that the GDPL incorporates a specific provision for processing personal data of minors (children and adolescents). In these cases, the processing of the data shall be done with the consent of one of the parents or the legal representative and consent should be also highlighted. According to the Brazilian Civil Code, children under 16 years of age cannot provide consent but require parental consent.
Other aspects that are similar with the GDPR include the following:
- International transfer of personal data is only allowed to countries that
provide a level of protection of personal data that is adequate to the provisions of the GDPL, unless the controller offers and proves guarantees
in the form of: a) specific contractual clauses for a given transfer;
b) standard contractual clauses; or c) binding (“global”) corporate rules.
- A requirement to prepare a data protection impact assessment.
- A data protection officer has to be appointed and his/her identity and
contact information has to be made public.
- Security measures have to be adopted by data controllers.
- Security incidents have to be notified to the DPA and the data subjects
The GDPL provides all data subjects (natural persons) with a rights of access
to personal data and correction. In case of no response from the data controller, there is a right to sue under the habeas data action (as already authorized in a previous law).
In addition, data subjects have the right to request a review by a natural
person when decisions are taken solely on the basis of automated processing of personal data that affects their interests, including decisions intended to define their personal, professional, consumer or credit profile or aspects of their personality.
The sections vetoed by the President included issues such as:
• the creation of an enforcement authority;
• the ability to suspend or prohibit data processing for breaches of the
law, without prejudice to the fact that judges may impose such sanctions;
• the requirement for public bodies that involves disclosing transfers
between government agencies.
Once the independent authority is created, Brazil may be a possible candidate
for adequacy under the new rules of the GDPR.
With respect to fines, Section 52.2 provides that fines may be up to 2% of
the company’s previous year’s revenue in Brazil, with a maximum of
50,000,000 reais (€11.4 million) per infringement. Added to this, paragraph
3 establishes that sanctions may be updated periodically.
The GDPL has considerably raised data protection standards in Brazil. Before the enactment of the GDPL, there was only a provision in the consumer
protection law limited only to credit reporting agencies, and a law
related only to Internet privacy (the well-known Marco civil de Internet). It
could be said that the new provisions are close to the level of data protection provided by European Union standards.
Brazil is not the only country in Latin America to incorporate GDPR style
laws. On 19 September 2018 the President of Argentine sent the new DP
bill to congress. The bill was widely debated by academia, government and
companies during 2017 and 2018 and finally the President sent it to Congress
for discussion and approval.