After extensive discussions in the Brazilian Congress and debates with the private sector, Lower House’s Data Protection Bill nº 53/2018 was approved by the Senate yesterday (July 10). The final grammar revision of the text, led by the Senate, will likely be finalized by Friday (July 13), but all content changes are available here (Portuguese only). If you want to receive a copy of the final text once it is ready, please contact Joao Barroso. The Senate’s next step will be to send the bill to the Presidency of the Republic, to be signed into law within 15 days.
The bill establishes a national regulation on data protection, inspired by international guidelines. Over the past two years, the Council and the U.S. Chamber’s Center for Global Regulatory Cooperation (GRC) have shared with the Lower House and the Senate their experience and benchmark studies on key issues of the regulation, such as the definition of personal data, international transfer, liability, and Data Protection Authorities.
Highlights of the Bill
Scope: The regulation applies to the processing of personal data held by citizens or companies, whether public or private, regardless of the country of their headquarters or the country where the data is located, when the treatment is intended to offer or supply goods or services or data processing of individuals located in the Brazilian territory.
Definition: “Treatment of Data” is any operation performed with personal data such as collection, production, reception, classification, use, access, transfer, distribution, processing, storage, disposal, evaluation or control of information, modification, communication, diffusion or extraction.
Data transfer: The bill allows international transfer of data when companies ensure compliance with legal obligations established by the law.
Consent: The processing of personal data will depend on the consent of the data subject, whether in writing or by other means that demonstrate the data subject’s willingness. Any waiver of consent will not relieve companies and treatment agents of other obligations prescribed in the Law. Consent may be revoked at any time, by express manifestation of the data subject, without prejudice to treatments already performed while the consent was valid.
DPA: The bill creates the National Data Protection Authority, which would be tied to the Ministry of Justice to exercise certain prerogatives, such as monitoring data protection and even imposing sanctions. Companies should report to the Authority any security incidents that could pose a risk or harm to data subjects.
Responsibility: Companies should appoint a person responsible for the processing of personal data, who should guide employees and contractors on the practices to be adopted in relation to data protection.
Sanctions: Non-compliance with the law may lead to penalties, to be charged by the Data Protection Authority, limited to 2% of the institution’s revenue in Brazil in its last financial year, and up to the limit of BRL 50M per infringement.
It is expected that President Temer will veto the creation of the Authority due to an alleged inconsistency of the bill with the Brazilian Constitution. If that happens, the President may then send a new proposition to Congress, formally creating the body. The initial idea is that this second bill be approved within the 18-month vacancy of the bill passed this week.
In the following weeks, the Council’s staff will meet with the Presidency of the Republic to share its understanding of the passed bill and the effectiveness of a Data Protection Authority. If you have comments regarding the bill approved this week, please share them in writing with Joao Barroso and Renata Vasconcellos by Wednesday, July 18.
With the technical assistance of:
Subject matter expert for the BUSBC’s innovation agenda.