Brazilian Congress passes a data protection bill that seeks to improve privacy and cybersecurity.
By Amadeu Ribeiro and Thiago Luís Sombra (Mattos Filho, Veiga Filho Marrey Jr e Quiroga Advogados) and Jennifer Archie and Terese Saplys
The Brazilian Congress has been working on a bill relating to the protection of personal data for over eight years. The Senate approved the bill, known as the General Data Protection Act (GDPA), on 10 July 2018, and the bill was sent to the President for signature. A window of 15 business days (i.e., up to and including 13 August 2018) within which the President may veto the bill now follows. If the President does not actively reject the bill, it automatically becomes law. Thereafter, businesses will have an 18-month grace period (i.e., up to and including 13 February 2020) to adjust to the change in law before it becomes effective on 14 February 2020.
What Is the GDPA?
The GDPA was motivated in part by Brazil’s desire to be admitted to the OECD and to prevent disruption in its commerce with the European Union and other important trading partners. As such, the GDPA seeks to match the level of protection afforded to data subjects by the laws of these trading partners.
The GDPA establishes rules on the collection, treatment, storage, and sharing of personal data, whether in digital or physical form. It provides various rights to data subjects, as well as a framework for private companies to develop their commercial activities. The GDPA has been greatly influenced by Europe’s General Data Protection Regulation (GDPR), but it also takes into account local sensibilities and certain best practices adopted by other countries in the area of data protection.
As presently drafted, the most sensitive issue (which may produce a Presidential veto) is the proposed creation of a Brazilian data protection authority (as described below). If the President decides to veto this part of the bill due to lack of constitutionality:
- The remainder of the GDPA would enter into law on 14 August 2018 (to the extent that other parts are not vetoed).
- The President has the option of sending a second draft bill (i.e., dealing solely with the creation of a data protection authority) to Congress within the 18-month grace period noted above. The President is expected to exercise that option, since otherwise Brazil may face difficulties obtaining recognition from other countries (notably the European Union) for providing adequate protection regarding the personal data of data subjects.
Key Elements of the GDPA
- Establishment of a data protection authority: The GDPA will create the National Data Protection Authority (Autoridade Nacional de Proteção de Dados or ANPD), an agency that will be responsible for regulating, supervising, and enforcing sanctions in the event of non-compliance with the GDPA. As presently drafted, the most sensitive matter (which may produce a Presidential veto) is the proposed creation of a Brazilian data protection authority. This is because the Brazilian Constitution provides that only the President is entitled to create administrative bodies if such creation may impact the public budget. As the GDPA was drafted by Congress as opposed to the President, and would likely impact the public budget, the President may veto this section due to lack of constitutionality.
- Legal basis for data processing: Personal data can only be processed on the basis of one of the legal grounds set out in the GDPA. Such grounds include the following:
  - The data subject has consented to the processing
  - The processing is necessary for the performance of a contract
  - The processing is necessary to meet the legitimate interests of the controller of the data or of third parties
The legal grounds for processing personal data must be documented in writing.
- Consent requirements: The GDPA specifies that consent must be given prior to the processing and must constitute the free, informed, and unequivocal manifestation of the data subject’s consent to processing for a specific purpose. Consent may be revoked at any time.
- Sensitive data: The GDPA requires a specific legal basis for the processing of sensitive data, which includes health information and the data subject’s biometric and/or genetic data.
- Data subject rights: The GDPA introduces new rights for data subjects, including the right to obtain information regarding the processing of personal data, rights to access, rights to rectify and delete personal data, the right to data portability, and the right to obtain review of automated decisions involving personal data.
- Data breach: Data breaches and security incidents must be reported to the ANPD and, in some cases, to the affected data subjects.
- International data transfer: International data transfers are permitted only if the transfer is to countries providing an adequate level of protection for personal data or if standard contractual clauses, global corporate standards, seals, certificates, or codes of conduct approved by the ANPD have been used. Further regulation is expected from the ANPD on these measures, and, at present, which form of clauses, standards, seals, certificates or codes will be prescribed is unclear.
- Administrative sanctions: Non-compliance with the GDPA may result in a warning, mandatory disclosure of the data incident, deletion of the relevant personal data, blocking, suspension, and/or partial or total prohibition from the exercise of activity relating to personal data processing. Non-compliant entities may also be subject to a fine of up to 2% of their Brazilian entities’ turnover in the preceding fiscal year (excluding all applicable taxes). Fines are limited to a maximum cap of R$50 million per violation.
The parts of the GDPA that the President has not actively vetoed will enter into law on 14 August 2018. Thereafter, businesses will have an 18-month grace period (i.e., up to and including 13 February 2020) to adjust to the change in law. This period will provide Brazilian businesses with useful time to plan and implement the necessary measures to comply with this new legislation and continue to operate in Brazil’s new data protection climate. The ratified law would then come into full force and effect on 14 February 2020.