Brazil may be on the verge of enacting its first comprehensive data protection law in the coming weeks. The lower house of the Brazilian Congress has unanimously passed the Bill on the Protection of Personal Data, and the Senate is slated to consider a similar version the week of June 4. “This is Brazil's first law on the protection of personal data and it will generate a culture change on this theme as much for companies as for individuals,” attorney Pedro Vilhena of the law firm Kasznar Leonardos told Bloomberg Law in a May 30 email.
The 30-page bill would set rules for companies and organizations that collect information on individuals, both online and offline. Congressman Orlando Silva (PCdoB) said the effort is aimed at defending privacy while also attracting information technology company investments. Senator Ricardo Ferraco (PSDB-ES), who prepared the text of the Senate version, told Bloomberg Law May 31 that the chamber will approve the bill in early June. If the Senate passes the bill, it would be sent back to the House, which could accept or reject the Senate changes. The resulting bill would go to President Michael Temer, who is expected to act quickly on the measure, Silva told Bloomberg Law.
The measure was bottled up in committee for years but passed the House May 29 following the Facebook Inc. data scandal involving Cambridge Analytica and the institution of the General Data Protection Regulation (GDPR) May 25 in the European Union. The bill would disallow the collection and storing of personal data without the consent of the individuals involved. Even when consent is given, companies would have to ask for a new authorization if they sell or transfer the data to third parties under the measure.
Vilhena described the proposal as similar to data protection legislation in Argentina and Colombia, as well as European standards existing prior to the European General Data Protection Regulation. “Approval of the law will lift Brazil to an intermediate stage in the protection of personal data, superior to what now exists but still inferior to the GDPR. This is an important step to insert the country in the international data market,” Vilhena said.
Bill Provisions, Stiff Fines
Brazilian citizens would be able to demand deletion of personal information contained in a data bank. Brazilians also would have unrestricted access to information on them stored in data banks, and would be allowed to correct the information under the bill. Data on children under 12 could be collected only with the permission of one parent. The bill would create a regulatory agency, the National Authority for Data Protection, within the justice ministry. It would have the power to issue regulations and verify compliance as well as propose the contents of a National Data Protection Policy. The regulator would be assisted by a National Data Protection and Privacy Council with 23 members—11 from the government, four from citizen groups, four from business and four from universities.
Companies would subject to fines of up to $13.5 million for data breaches. Firms would be required under the bill to appoint a privacy officer, prepare privacy impact assessments, and apply general data protection principles. The legislation would take effect 18 months after being signed into law. “The changes are substantial and will demand efforts by all companies, from small retailers and service providers to large data collectors such as the government and internet service providers,” Vilhena said, adding “the areas that will be most affected in the beginning will be the departments of technology and information security, human resources and marketing”.
Stiff penalties in the measure for firms that don't meet the law's requirements would force companies “to take special care in the use and sharing of data,” attorney Larissa Claudino Delarissa of the law firm Brasil, Salomao and Matthes said. Attorney Flavia Rebello of Trench Rossi Watanabe told Bloomberg Law that “the law regulates the collection, processing and transference of personal data in a very amply way. In Brazil we don't have a culture of privacy and many adjustments will be necessary.”
Source: Bloomberg Law