Is Brazil Taking the Right Steps With Data Privacy?
Brazil's Chamber of Deputies last month gave the green light to the General Data Protection Act, long-debated legislation that follows Europe's sweeping General Data Protection Regulation, or GDPR, which went into effect May 25. The legislation would require consent for public and private companies to store users' private data, among other changes. How does Brazil's legislation compare to similar steps that Europe and other countries are taking on data protection and privacy? Will the measure soon be enacted into law? What do stakeholders stand to gain or lose the most from Brazil's new regulations?
Marcel Leonardi, senior counsel for public policy at Google Brazil: "Brazil's Chamber of Deputies approved a comprehensive data protection bill last month. Now the Senate and the executive branch need to review it together and decide how fast to move with it. When enacted, the legislation will take 18 months to come into effect—so in 2020 at the earliest. The adoption of a comprehensive data protection regime in Brazil has been a long process. Many stakeholders did not immediately grasp its impact, and only recently have traditional economic sectors really engaged in the conversation. The bill is similar to GDPR in several areas: 1) scope: it applies to any data collected or any data processing within Brazil and also to processing connected to offering goods or services to people in Brazil, regardless of the location of controllers or processors; 2) personal data: 'any information relating to an identified or identifiable natural person'; 3) legal basis for processing: unambiguous consent (explicit for sensitive data); contract; legal obligation; legitimate interests of the controller or third party; public interest; and vital interests of the subject; 4) international data transfers: adequacy model (the DPA issues adequacy decisions) or based on specific consent, binding corporate rules, model contractual clauses, code of conduct, certifications; 5) data protection authority: led by a three-person council, aided by a 23-person multi-stakeholder advisory board; 6) liability: separate liability for processors and controllers; 7) fines and sanctions: up to 2 percent of total turnover of the economic group in Brazil, per infraction, limited to 50 million reais ($13.1 million). Data leaks or incidents may be publicized, and companies may be prevented from processing personal data. Brazil has never had a comprehensive data protection regime, so the legislation will represent a sea change for the local private sector. It is too early to tell how companies will act—those seeking GDPR compliance will probably have an easier time."
Thomas Morante and Barbara Efraim, attorneys at Holland & Knight: "Although data protection bills had been proposed in Brazil for years, it took the implementation of GDPR, with its extraterritorial reach, to reignite debate about the need for data protection legislation in Brazil. In response, Brazil's Chamber of Deputies recently approved the General Data Protection Act and sent it to the Senate for debate. Under the bill, Brazil would create a National Data Protection Authority and a National Council for the Protection of Personal Data to govern the implementation and monitoring of the new law. The bill shares similarities with GDPR. This is not surprising, given that European officials advised the Brazilian government on the bill. For example, the legislation applies to those who process personal data, regardless of location, provided that the personal data is processed in Brazil, is intended to offer or supply goods and services for individuals in Brazil or is gathered in Brazil. It also defines personal data as any information relating to an identified individual. It requires companies to obtain their clients' (that is, data holders') consent before collecting their personal data. Additionally, it protects information on political affiliation, religious beliefs, sexual orientation and health. It also provides that people have control of their own data, and thus, have a right to transfer it. Finally, it lists penalties ranging from monetary fines to suspending data-processing activities. If adopted, most data-processing entities will have 18 months to comply by notifying customers, informing them of their rights and obtaining their consent. The Senate has not yet voted, but the measure is expected to be approved and proceed soon to the president for his signature. Likewise, Argentina has a draft bill intended to update its 2000 Personal Data Protection Law. Data privacy is clearly a top priority in Latin America these days."
Tatiana Campello and Matheus Bastos Oliveira, attorneys at Demarest Advogados in Brazil: "Brazil's Congress is discussing two important draft bills aiming to set a new framework for general data protection. The Senate was debating bill number 330/2013, and the Chamber of Deputies recently approved bill 53/2018, handing the discussion of the bill over to the Senate. The Brazilian legislative bodies are riding a wave of European GDPR approval, which has sped up the discussion and influenced the concerns over general data protection in Brazil. The Senate is expected to approve bill number 53/2018 with minor changes. It is not possible to estimate a time frame yet. The measure has adopted some relevant aspects of Europe's GDPR, which are expected to be maintained in the final language, such as 1) scope of application, including extraterritorial jurisdiction; 2) the freely given, specified and informed consent for treatment of personal data; 3) the right to withdraw consent at any time; and 4) the creation of a public authority to be responsible for monitoring and enforcement of data protection regulation. Bill number 53/2018 also provides for a representative who will assume duties similar to the ones undertaken by the GDPR's data protection officer. The approval of a general data protection regulation in Brazil will lead the country to a future of international data transactions, with remarkable advantages for stakeholders and international commerce between Brazil and Europe."
Ashley Friedman, senior director of global policy at the Information Technology Industry Council: "There is a global discussion surrounding data privacy happening, and governments, consumers and businesses are working together to grapple with tradeoffs around technologies that are an integral part of our lives and our economy. Over the past few years, Brazil's Congress has been debating bills that seek to provide comprehensive protection of Brazilian citizens' data, encourage and enable economic growth and innovation in Brazil, and provide an interoperable framework that supports cross-border data flows and reflects the global value chains that businesses operate around the world. The version that passed the lower house in May and is being debated in the Senate now strikes a good balance by empowering users to understand how and when their data is used, while also enabling companies to continue providing services and developing new innovations. When this bill is passed, Brazil will serve as a model for the region in bridging various privacy regimes, like the European GDPR or the APEC Cross Border Privacy Rules, that protect personal data and allow the benefits of technology to flourish."
Michael C. Malarkey, managing director of Alvarez & Marsal Disputes and Investigations: "Brazil's data protection legislation reflects an E.U.-led trend of enabling consumers to opt in to private data usage by companies. This mirroring of GDPR isn't surprising since the European Union accounts for more than 19 percent of Brazil's export volume, making compliance with the new law an economic issue as well as a consumer one. One might expect that any country with robust business ties to the European Union (Mexico, Chile, Colombia and Peru, for example) will follow suit with similar consumer protections that affect aspects of marketing, information technology, engineering and sales units."
Article published by Latin America Advisor