Brazil Introduces a New GDPR-Inspired Data Protection Law

Inspired by the European Union General Data Protection Regulation (GDPR), the Brazilian Congress passed a new data protection bill that is expected to improve users’ privacy and online security. Mid-August, Brazilian President Michel Temer signed the new legislation into law, now known as the LGPD (lei geral de proteção de dados pessoais).

The law will take effect in less than two years from now, or more precisely in February 2018, 18 months after its publication. This will give the companies affected by the new legislation enough time to prepare and comply with the necessary changes.

Brazil Introduces a New GDPR-Inspired Data Protection Law

The draft of the new Brazilian data protection bill was approved by the Federal Senate earlier this summer, in July 2018, but was then vetoed by president Temer. The reason behind the veto was the creation of a new regulatory body – the National Data Protection Authority – with the excuse that such an agency should not be established by a Parliament-approved law, but by the Executive Branch.

According to the country’s constitution, only the president is entitled to create such regulatory bodies if they affect the public budget. The agency was supposed to regulate this data protection, as well as supervise the process of companies’ compliance and enforcing sanctions if needed. Obviously, the law was not sanctioned as a whole, as some of the parts were vetoed.

However, despite this, the new legislation is still an immense success for the country. The Brazilian Congress has been working on a law that will protect its citizens from data violations for eight years now. This new bill is very similar to the GDPR but also includes some country-specific parts.

Key Requirements of the Brazilian Data Protection Law and Similarities with the GDPR

In accordance with the new Brazilian LGPD, businesses now must get consent from the users in advance and for free if they want to acquire their personal information. The consent should be informed and provided for a specific purpose, as data subjects are allowed to revoke it at any given time.

This data protection law created a new legal framework that restricts using personal data, online and offline, by both the public and private sectors. Moreover, similar to the EU GDPR, this new data protection law requires that data collection only be carried out if there is a legal basis for it.

Additionally, businesses will need to appoint a data protection officer, which will take care of this whole process.

Other similarities between the two laws include:

  • The rules appointed by the laws are applicable on an extra-territorial basis. That means that not only companies in Brazil will be affected, but also businesses outside the country that process the sensitive information of Brazilian citizens. Any foreign business, no matter its location, that has at least a branch in Brazil and offers some kind of service to the Brazilian market will be subjected to the new rules. The GDPR is so widely incorporated into the world, that some businesses have limited its field of work, excluding EU countries.
  • As previously mentioned, the users’ consent is the leading force of the law, the same as with the GDPR. Customers need to consent for every alliteration of their personal information, including their collection and distribution.
  • In terms of fines, GDPR and LGPD are both incredibly strict. EU’s GDPR has fines that go up to 20 million dollars, or 4% of the total revenue, whichever is higher. Similarly, in Brazil, if companies are not compliant, they will be fined with 50 million reais (more than $10 million), or 2 percent of the company’s turnover or revenue.

On the other hand, when it comes to notifying in case of a data breach, there is a slight difference. According to the Brazilian LGPD, if a data breach occurs, the company is legally required to inform the data protection authorities. Reporting the breach to the affected users is required only in certain circumstances.

The data protection measures will be required when creating a new product or technologies. Moreover, the law imposed additional data transfer restrictions, in which cross-border transfers of users’ data is very limited. This is only allowed if the information is being transferred to countries that provide the same level of protection.

Why Is The New Data Protection Law Important?

When the GDPR came into force, users were excited to finally receive higher rights over their own personal data. Now, Brazil has joined this new wave of privacy and data protection.

The country already had more than 40 legal norms that, in one way or another, protected personal data. Now, the country is one step closer towards providing individuals with their rights, as well as setting transparent rules for a proper use of users’ personal data.

As pretty much any other law, the Brazilian LGPD has its own disadvantages. Nevertheless, in the long term, it is a rather positive step, as in 2020 Brazil will enter the list of countries that already offer the adequate level of privacy protection.

If you are in Brazil and you want to circumvent content restrictions caused by the LGPD, check out the best VPN services for Brazil.