Bill No. 53/2018 was approved by the Federal Senate on July 10th, in the form voted by the Chamber of Deputies, and is pending presidential sanction. The bill governs the processing of personal data in any medium (including digital media) and amends Articles 7 and 16 of the Civil Rights Framework for the Internet (Law No. 12,965/2014), which concern the deletion of personal data, to align them with the wording of the general law.
The norm applies, with some exceptions, to virtually any processing of personal data carried out in Brazil (e.g. collection, classification, use, access, reproduction, transmission, distribution, processing, storage, disposal, etc.).
Bill No. 53/2018 provides for obligations to be observed by the Data Controller and the Processor. In general terms, the Data Controller is the individual or legal entity that is responsible for decisions regarding the processing of personal data. The so-called Processor performs the processing of personal data on behalf of the Data Controller.
One of the main obligations to be observed when processing personal data is the need to obtain the data subject's consent, subject to some exceptions (e.g. compliance with legal obligations, such as processing required by tax or social security law). Bill No. 53/2018 also prescribes the form of that consent: it must, for example, be set out in a clause that stands out from the other contractual clauses, or be given by other means that demonstrate the data subject's intention, among other requirements.
A major obligation created by Bill No. 53/2018 is the duty to report security incidents both to the competent authority established by the law and to the affected data subjects, in addition to any other forms of communication the competent authority may require. To date, no such obligation exists in Brazil (there is only a recommendation from the Commission for the Protection of Personal Data of the Public Prosecutor's Office of the Federal District).
Among other standards, Bill No. 53/2018 contains the following provisions:
(a) creates the position of the person in charge of personal data processing (a role similar to the Data Protection Officer, DPO, established by the GDPR);
(b) lays down specific rules for the processing of sensitive data (e.g. relating to racial or ethnic origin, political opinions, sexual life, etc.);
(c) lays down specific rules for the processing of data concerning minors; and
(d) lays down rules for the international transfer of data.
Failure to comply with the obligations established in this norm, once it is sanctioned, exposes processing agents to administrative sanctions such as a fine (which may reach a ceiling of 50 million reais), a warning, publication of the infraction, and suspension or even prohibition of the processing activity.
The new law introduces significant changes, including with respect to the good practices companies should adopt, the adoption of which may even lead to reduced sanctions. A multidisciplinary approach across the organization's various areas, especially between the legal and IT departments, will therefore be vital for companies to remain in strict compliance with the new legal framework that will soon come into force.
Demarest's Digital Law and Data Protection team is on hand to answer any questions and advise you on this matter.