In this post, we’ll break down Brazil’s General Data Protection Law—who needs to comply, what is protected, and how to meet its requirements.
Compliance is a complicated thing—the laws are long, and the patience of government regulators and auditors is short. Doubly so when it comes to international data compliance. But it doesn’t have to be. Here at Defrag This, we’ve been hitting the books so you don’t have to, trying to make sense of the maze of jargon and legalese that is the emergent international data compliance landscape.
In fact, we’re trying to put together a sort of dummies’ guide to international compliance… not that we’d ever call anyone a dummy for not knowing this stuff. Months ago, we got our start with GDPR, and I’d like to think we did a good job—those posts, which have recently been consolidated, are some of the most popular on our little blog.
Now, we’re doubling down on our mission to demystify international compliance—first with the guide to understanding China’s Cybersecurity Law, then with a breakdown of ISO 20022, and now with a look at Brazil’s new General Data Protection Law.
What is Brazil's General Data Protection Law?
In mid-August 2018, Brazil passed a new legal framework, inspired by the GDPR, aimed at governing the use and processing of personal data in Brazil: the General Data Protection Law.
The law replaces roughly 40 laws that currently deal with the protection of privacy and personal data. It is aimed at guaranteeing individual rights and at encouraging economic growth by creating clear and transparent rules for data collection.
The Bill was signed into law in mid-August 2018 and is expected to take effect in February 2020.
Who Is Affected, and Do I Need to Comply?
The new law governs processing of personal data in Brazil, and it takes a broad understanding of data processing in doing so. Basically, if you touch the data of a citizen at all, you are processing it. That includes collecting the data, storing it, and transferring it.
So, if you or your organization perform any of these activities in Brazil, then you are subject to the law. With a few narrow exceptions for national security, artistic, and journalistic purposes, private and public sector organizations are equally accountable to the law.
Like the GDPR, Brazil's law will have extraterritorial application, so if your organization offers services in Brazil and collects and processes personal data of people located in the country, you must be compliant. Interestingly, this holds true regardless of the nationality of the data subjects. So an American company processing the data of an American in Brazil will still need to be compliant.
What Are the Specific Requirements of the Bill? How Similar is it to GDPR?
Here’s where we get into the meat and potatoes of the law. While the General Data Protection Law certainly takes cues from the GDPR (including its name—at least in English), it’s no carbon copy. Below are the key requirements of the law:
Data Protection Officer
Like the GDPR, and China’s Cybersecurity Law, Brazil’s new law mandates that businesses must appoint a data protection officer to oversee compliance and data protection efforts within the organization.
Data Breach Notifications
Unlike the GDPR, Brazil’s law does not set a specific timeline for data breach notification, but it does require regulated entities to notify users of any data breach affecting their information. Such notifications must include a description of the type of personal data affected, details of the security measures taken to protect the data, and the risks resulting from the incident, such as identity theft.
Consent for Data Processing
According to Brazil's new law, wherever personal data is processed, the data subject must give advance consent. That consent applies only to a specific purpose of data processing and may not be taken as consent for data processing writ large. There are some exceptions to the consent rule, however, such as when data processing is required to carry out a legal or compliance obligation, or to perform a contract. Basically, data processing may only be carried out when there is a necessary legal basis for it.
Improved Security and Privacy Requirements
According to the Law, regulated organizations must adopt protective measures against cyberattack, and must implement such measures whenever creating new products. Brazil's Data Protection Authority has the ability to conduct privacy audits to ensure that organizations are meeting these requirements.
The law requires that all personal data processing be recorded, with details indicating the type of data collected, the intended purpose, the legal basis, the retention time, and the security practices applied to the data in storage, such as encryption.
Data Transfer Requirements and Restrictions
Brazil's law places significant restrictions on transfers of personal data, especially across borders.
Cross-border transfers are only allowed to nations that Brazil's Data Protection Authority determines to have an equal or adequate level of data protection, unless otherwise approved by the DPA. Other lawful bases for cross-border data transfer include standard contractual clauses between data controllers and subjects, and cases where the data subject has given specific consent.
Who Will Enforce the Law?
Brazil’s new law establishes a new National Data Protection Authority (DPA), which will be responsible for supervising compliance and enforcing penalties.
What Are the Penalties for Noncompliance?
Noncompliance with the Bill can result in fines of up to two percent of gross sales in Brazil, but that fine is limited to 50 million reais (roughly $13M USD) per violation. While that’s nothing compared to the penalties of the GDPR, it’s certainly not chump change.