Brazil’s General Data Privacy Law Goes Into Effect in 2020

Written by: Anthony E. Stewart, Esq.

Brazil is one of the latest countries to implement comprehensive data privacy regulation. Brazilian President Michel Temer recently signed into law the General Law of Protection of Personal Data, which goes into effect in February, 2020. The new law imposes detailed rules for the collection, processing, and storage of personal data, and its key provisions closely mirror the European Union’s General Data Protection Regulation (GDPR).

Key provisions include:

  • Data Protection Officer. All data controllers will be required to appoint, and publicly identify, a data protection officer.
  • Data Subject Rights. Brazil’s law will provide data subjects with the following rights: (1) confirmation of the existence of the processing; (2) right of access; (3) right to rectification; (4) right to anonymization, blocking or deletion of unnecessary or excessive data; (5) right to data portability; (6) right to delete personal data processed with the data subject’s consent; (7) right to obtain information about the entities with which the controller has shared data; (8) right to be informed about the possibility of denying consent and the consequences of denying consent; and (9) right to revoke consent.
  • Extraterritorial Application. Similar to the GDPR, Brazil’s new data protection law will be far-reaching. The Brazil law will apply to domestic and foreign entities if (1) the processing operation is carried out in Brazil; (2) the purpose of the processing activity is to offer or provide goods or services or the processing of data of individuals located in Brazil; or (3) the personal data being processed was collected in Brazil.
  • Legal Basis for Processing. Personal data can only be processed where a legal basis exists. The legal basis must be registered and documented and may include, among other bases, when the processing is (1) with the consent of the data subject; (2) for compliance with a legal or regulatory obligation; (3) necessary for the execution of a contract of which the data subject is a party and at the request of the data subject; or (4) necessary to fulfill the legitimate interest of the data controller or third parties. Processing of sensitive data is subject to additional restrictions.
  • International Transfer of Data. The law will impose restrictions on cross-border transfers of personal data.  Under the new law, international transfer of personal data is allowed (1) to countries that provide an adequate level of data protection; (2) with the data subject’s specific consent, so long as the data subject was clearly and distinctly advised of the international nature of the transfer; and (3) using standard contractual clauses, corporate rules, or other mechanisms approved by the national authority.
  • Notification of Security Incidents. Controllers will be required to notify data subjects, within a reasonable time period, of any security incident that may create risk or relevant damage.
  • Privacy Notices. Notice of data processing must be given to data subjects in a clear, adequate and ostensible manner and include the following information: (1) specific purpose of the processing; (2) type and duration of the processing; (3) identification of the controller; (4) the controller’s contact information; (5) information regarding the shared use of data by the controller and the purpose; (6) responsibilities of the agents that will carry out the processing; and (7) rights provided to the data subject under the data privacy law.

Companies have until February, 2020 to bring their data processing practices into compliance.  Failure to comply can result in fines of up to 50 million reais ($11,884,750 USD) or two percent of gross revenue, whichever is less.