Law No. 13,709, published on August 15, 2018, addresses the processing of personal data by individuals or legal entities, whether governmental or not. It will apply not only to the collection and processing of data through digital media, which was already covered by the Internet Civil Act of 2013 (Marco Civil da Internet), but also to any other means of collection and processing in any industry. Inspired by the recent European regulation on this matter, the General Data Protection Regulation (GDPR), the new law will come into force 18 months after its publication.
The new law defines “personal data” as any information related to an identified or identifiable individual (e.g., name, address, identity card number, email address, location data and IP address) and “processing” as any procedure carried out with personal data, such as collection, production, classification, use, reproduction, processing, storage, transfer and diffusion.
Even though it is not as detailed as the GDPR, the new Brazilian law is complex. It has 65 articles divided into 10 chapters. Among its several provisions, there are rules about the processing of sensitive data (data on racial or ethnic origin, religion or beliefs, political opinion, health or private life, genetic or biometric information, among others), the processing of children’s and teenagers’ data, the international transfer of personal data and the implementation of good practices and security measures.
Some relevant aspects of the new law, which are mostly consistent with GDPR provisions, are highlighted below:
Extraterritoriality. The new law is applicable not only to the processing of data carried out in Brazil or concerning individuals located in the national territory, but also to the processing carried out abroad, provided that such processing is performed with data collected in the national territory or for the purpose of offering or supplying goods and services to individuals located in Brazil.
Allowed Processing and Consent. The new law allows the processing of personal data only in certain situations. The data subject’s consent will not always be required for the processing of data. Such consent may be waived in some cases, such as: when required for the performance of contracts or preliminary procedures related to contracts involving the data subject, for compliance with legal or regulatory obligations, for the exercise of rights in legal or administrative proceedings or arbitrations, or in case of legitimate interest (“interesse legítimo”) of the party responsible for the processing of data. In all other cases, the processing will require the express and specific consent of the data subject, obtained based on clear information on the purpose, form and duration of such processing.
Data Subject’s Rights. The new law gives the data subject comprehensive control over her/his data. The data subject may, at any time, have access to such data, request its correction, anonymization or portability, revoke her/his previous consent to the processing of personal data, or request the removal of data processed without her/his consent.
Penalties and Liability. The new law establishes penalties for violation of its provisions that could reach R$ 50,000,000.00, as well as strict liability for damages to the data subject.
The new law was sanctioned by the President with vetoes, mainly regarding the creation of the National Data Protection Authority (“Autoridade Nacional de Proteção de Dados” or “ANPD”). According to the bill approved by Congress, the ANPD would be a special agency with duties to look after the protection of personal data and monitor compliance with the new law. As a result of the veto on the creation of the ANPD, uncertainties arise as to who will be responsible for such duties and how they will be performed.