- Brazil’s first general law addressing personal data protection has come into force. Law 13,709/2018 (the General Data Protection Law or “GDPL”) is a comprehensive piece of legislation.
- The GDPL has extraterritorial application – it applies to any individual or legal entity (regardless of where they are located) that offers or supplies goods or services to Brazil, processes data in Brazil, or processes data belonging to Brazilian individuals or that has been collected in Brazil.
- The GDPL differs from its European (the General Data Protection Regulation, “GDPL”) and Californian (the Consumer Privacy Act of 2018, “CCPA”) counterparts.
- Although the GDPL will only come into force in August 2020, companies will need to prepare for its implementation well in advance.
Brazil has traditionally had very lax laws addressing personal data. With the exception of specific data (such as health, banking and airline passenger records), Brazil never had a comprehensive set of rules dealing with the storage, access and processing of personal data.
On 15 August 2018 the GDPL was published in the official gazette, thus becoming law. On 28 December 2018, Provisional Measure 869/2018 was published, creating Brazil’s Personal Data Agency. In July 2019, that Provisional Measure was approved by Congress and converted into Law 13,853/2019.
What is the GDPL all about?
The GDPL addresses how personal data is to be treated by individuals and companies. It aims to “protect the fundamental rights of freedom and privacy, and the free development of the personality of the individual”.
What principles govern the GDPL?
The GDPL sets out seven key principles that underpin the protection of personal data:
- respect to privacy;
- informational self-determination;
- freedom of expression, information, communication and opinion;
- inviolability of intimacy, honour and image;
- economical and technological development, and innovation;
- freedom of entrepreneurship, freedom of competition and consumer protection; and
- human rights and freedom of development of an individual’s personality, dignity and citizenship.
To whom does the GDPL apply?
The GDPL applies to any transaction performed by individuals of legal entities that process personal data regardless of the means used, the country where the company’s head office is located or the country where the data is stored, for as long as:
- the processing of the data is carried out in Brazil;
- the purpose of the processing is to offer or supply goods or services to Brazil;
- the data being processed belongs to individuals located to Brazil; or
- the data has been collected in Brazil.
The GDPL will not apply when the data processing is carried out by an individual for personal and non-business purposes; for journalistic, artistic or certain academic purposes; or for the sole purpose of public security, national defence, state security, investigations or prosecution of criminal offences, where the process is carried out by government entities.
Moreover, the GDPL provisions relating to processing will also not apply if the data comes from outside of Brazil and the data is not subject to communication or shared use with Brazilian data processing agents or subject to international data transfer with a third country, provided that the country of origin provides a degree of protection of personal data compatible with those contained in the GDPL.
What are the key definitions in the GDPL?
The key definitions of the GDPL are as follows:
|Consent||free, informed and unequivocal manifestation through which the owner agrees with the processing of the owner's data for a specific purpose|
|Controller||individual or legal entity, private or government owned, responsible for the decisions relating to the personal data|
|International data transfer||transfer of data to a foreign country or international body of which the country is a member|
|Operator||individual or legal entity, privately or government-owned, that process personal data on behalf of a controller|
|Owner||individual to whom the personal data subject to processing relates|
|Personal data||information relating to an identified or identifiable individual|
|Processing||every transaction carried with personal data, such as those that refer to the collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, broadcast or extraction|
|Processing agent||the controller and the operator|
|Sensitive personal data||personal data on racial or ethnic origin,
religious, political opinion, union membership or religious, philosophical organisation
or political, health or sexual life, genetic or biometric linked to a natural person
When and how can personal data be processed?
The GDPL provides that personal data may only processed as follows:
- upon receiving the owner’s consent (sharing of data with third parties requires specific consent);
- to comply with a legal or regulatory obligation;
- by government owned entities for the public interest (specific rules apply);
- for the performance of studies by research institutions, if the data does not identify the individuals;
- when required for the purposes of performing a contract upon request from the owner;
- for court, administrative or arbitral proceedings;
- for protecting life or the physical well-being of the owner or of a third party;
- for health treatments in procedures carried out by health professionals or sanitation authorities;
- when required to meet the “legitimate interests of the [data] controller or those of a third party, except where fundamental rights and freedoms of the owner demand protection of the personal data”; or
- for the protection of credit in accordance with the applicable specific legislation.
Sensitive data, on the other hand, may only be processed when the owner or the owner’s legal representative consents to a specific purpose. In cases where consent is not possible, sensitive data may only be processed when the processing is indispensable for compliance with a legal or regulatory obligation by the controller, in cases of data sharing for the implementation of public policies, for studies by research institutions, for the lawful exercise of rights, for the protection of life or for the physical well-being of the owner or of a third party, for health reasons, and for fraud prevention and safety measures for the owner’s benefit in those cases expressly set out in the GDPL.
The data processing must be for legitimate, specific, explicit purposes, which must be informed to the owner. The process must also be compatible with the purposes and limited to the minimum necessary to fulfill its purposes.
Owners must be given free access to the form and duration of the processing and and assured the right to keep the integrity of their personal data. The controller must appoint a data protection officer (defined as a “person in charge” in the GDPL), whose identification and contact information must be made public. The officer will be responsible for dealing with complaints from data owners and to guide employees and contractors regarding the protection of personal dat as well as to liaise with the national authority (once the authority has been set up – see further below).
Processing agents must guarantee to owners the accuracy, clarity, relevance and the possibility of updating the data. Additionally, there must be full transparency – owners are guaranteed clear, accurate and easy access to information regarding data processing and the processing agents.
Processing agents must use technical and administrative measures to protect personal data from unauthorised access and from accidental or unlawful destruction, loss, alteration, communication or dissemination. Furthermore, processing agents must adopt security measures to prevent damages due to the processing of data and are also responsible for notifying owners in case of data breaches.
Further, the processing agents are responsible for keeping a record of all processing transactions. In certain circumstances, processing agents may need to provide a report on the processing containing at least the description of the types of data collected, the methodology used for collecting them and the security methods implemented.
Data processing must not be performed for unlawful or abusive discriminatory purposes and processing agents are bound to adopt effective measures capable to prove compliance with the rules of protection of personal data.
All personal data must be deleted at the end of the processing.
Processing of personal sensitive data and data pertaining to children and adolescents is also addressed specifically in the new Law.
When can personal data be transferred internationally?
International data transfer of personal data is only allowed in specific circumstances. These include where:
- the transfer is to a foreign country or international organisation that provides a degree of protection equivalent the provisions of the GDPL;
- the controller proves that it will comply with the provisions of the GDPL through an agreement, global corporate rules or regularly issued certificates;
- the transfer is required for international legal cooperation;
- the transfer is to protect the life or physical safety of the owner or a third party;
- the transfer is necessary to implement public policy or undertaken under an international cooperation agreement; or
- the owner’s consent is obtained with prior information regarding the international nature of the transfer.
What is the role of Brazil’s Personal Data Agency?
Initially, the Brazilian President vetoed the provisions dealing with the creation of the national agency as in his view the GDPL Bill did not comply with the required constitutional formalities. On 9 December 2019, Law 13,853/2019 came into force officially creating the Personal Data Agency.
The agency is a new Federal body responsible for regulating, supervising and applying sanctions regarding data protection.
What is required for owners to give their consent?
Data processing will only be admissible with the owner’s free, informed and unequivocal consent. If consent is given in a contract, it must be set out in a clause that clearly stands out from the other clauses.
Consent for the purposes of personal data may be in writing or “by other means that demonstrates the owner’s assent”. However, for sensitive personal data consent must always be given in writing.
Where data relating to minors is involved, specific consent is required and must be given by at least one parent or legal guardian.
The owner may revoke his or her consent at any time. Moreover, the owner must be allowed to revoke his or her consent through a “free and facilitated procedure”.
Importantly, the controller has the burden of proof to establish that consent was properly given.
What are the owners’ rights?
Owners have the right to:
- confirm the existence of the data processing;
- access the data;
- correct incomplete, inaccurate or outdated data;
- anonymise, block or eliminate unnecessary and excessive data or data processed not in accordance with the provisions of the GDPL;
- take his or her personal data to another service or product provider upon request;
- delete, at any time, of his or her personal data for which he or she had previously consented to being processed;
- be informed about the persons and legal entities with which the controller has shared data;
- be informed about the possibility of not providing consent and the consequences of the refusal;
- revoke any consent previously given; and
- seek damages where a processing agent, as a result of the activity of processing personal data, causes material, moral, individual or collective damages in violation of the DPL.
In relation to a claim for damages, the burden of proof may be reversed in favour of the owner in civil court proceedings if the allegation appears to be true, there are no means for producing evidence or when production of evidence by the owner would be overly burdensome.
What are the administrative penalties provided in the GDPL?
The administrative penalties for breaching the various rights set out in the GDPL are:
- single or daily fines up to 2% of the company, group or conglomerate’s income in Brazil for the prior financial year (excluding taxes) limited to R$50 million;
- publicity of the infringement; and
- blockage or disposal of personal data related to the infringement.
The following criteria will need to be considered by the national authority when applying sanctions:
- the severity and the nature of the infringements and of the personal rights affected;
- whether the offender acted in good faith;
- the advantage obtained or intended by the offender;
- the economic status of the offender;
- the degree of damage caused;
- the level of cooperation provided by the offender;
- repeated and demonstrated adoption of internal mechanisms and procedures capable of minimising the damage, for secure and proper data processing, in accordance with the provisions of the GDPL;
- the adoption of a good practice and governance policies;
- the prompt adoption of corrective measures; and
- the proportionality between the severity of the breach and the intensity of the sanction.
How does the GDPL compare to Europe’s GDPR and California’s CCPA?
|Scope of coverage||Any individual or legal entity processing personal data if the processing is carried out in Brazil, the purpose of the processing is to offer or supply goods or services in Brazil, the data being processed belongs to individuals located in Brazil or|
the data has been collected in Brazil
|Any entity processing personal data with an establishment of a controller or a processor (any individual, legal or governmental entity) in the EU or that offer goods or services to individuals in the EU or trace their data||Only for profit entities with US$25m in revenue, 50,000 consumers based in California or more than 50% of their revenues obtained from sales of personal data|
|Definition of "personal data"||Includes information relating to an identified or identifiable individual, with publicly available information being included in the definition (its use must be consistent with purposes for which it was made public)||Includes data directly or indirectly identify a person, but does not deal specifically with public information in the definition||Includes data directly or indirectly identify a person, with publicly available information being expressly excluded from the definition|
|Obligations on third party vendors||Third party vendors are bound by the same principles as the entity requesting the data processing||Third party vendor agreements must contain specific commitments set by the regulating body||Agreements with third party vendors may contain commitments that allow for exemptions from the Act's general provisions|
|Rights of owners/consumers||Owners have the right to be informed, access, correct, take the data to another entity, anonymise and delete their personal data||Owners have the right to be informed, access, correct, obtain a portable copy, delete (in some specific cases), and restrict processing of their personal data||Consumers have the right to be informed, access, obtain a portable copy, delete (in some specific cases), and restrict processing of their personal data|
Does the GDPL bind government bodies?
It does at all levels (Federal, State and Municipal).
At the Federal level, Decree 10,046/2019 (published on 10 October 2019) contains the regulations regarding how data will be shared by Federal government bodies.
Among other things, the Decree provides that data held by the government will be classified according to their level of sensitivity – the less sensitive the data, the easier it will be for the data to be shared among government bodies. The Decree also creates a national central database that contains key information about individuals.
When will the GDPL come into force?
The GDPL will come into force on 15 August 2020.
Last modified: November 18, 2019