Impacts of the Brazilian Personal Data Protection Law in the insurance market
The Brazilian Personal Data Protection Law (13.709/2018) was published in the Official Gazette last Wednesday (15) and shall enter into force in February 2020.
This law provides for personal data protection and amends the main regulation on data protection existing in Brazil to date – the Brazilian Civil Rights Framework for the Internet (Law 12.965/2014). Strongly inspired by the European Regulation effectively from May on (the General Data Protection Regulation), it applies to most of the personal data processing (e.g., collection, access, storage, reproduction, transmission and others), with only a few exceptions.
For more information and further details on the regulation's provisions, as well as on the sections that were vetoed by the president, we recommend reading the latest Newsletters from Demarest's multidisciplinary Digital Law and Data Protection team (here and here).
The new regulation has a double impact on the Brazilian insurance and reinsurance market, either by creating the need for internal adjustments of the companies to comply with its requirements or by increasing the interest in Cyber Risks insurance products within the country.
One of the main provisions that will affect the companies' internal procedures and the current business operation of the market is the joint liability of all personal data controllers and/or operators. In view of that, insurers or reinsurers could hypothetically be held liable for damages to third parties due to the non-compliance of this law by their agents and representatives or eventually by coinsurers or brokers involved in data collection during the underwriting process.
The regulation also provides for a duty to notify incidents of personal data leaks to data owners (which it was not provided by law until date), as well as for other sanctions, including fines up to two percent (2%) the company's revenue or a daily fine application. The civil liability before third parties in case of data leakage is one of the main coverages of the Cyber Risks insurance, which will certainly have a relevant increase of interest - and of claims as well - due to the law.
Demarest's Insurance & Reinsurance team has highly qualified and specialized professionals that are part of the multidisciplinary team of Digital Law and Data Protection.
We are at your disposal for clarifications on the subject, as well as for advices on the Brazilian Personal Data Protection Law with regard to the necessary measures to comply with the law, as well as to structuring insurance programs or adjusting claims under the Cyber Risks insurance.