New Brazil Data Protection Law: What It Means for Global Organizations

Published On October 24, 2018

Brazil was a late addition to the list of countries with data protection laws and regulations. On August 14, 2018, the president of the country approved the Brazil General Data Protection Law, which governs the circumstances in which so-called personal data can be processed (such as with explicit consent or to fulfill a legal obligation). More stringent restrictions apply to sensitive personal data, such as an individual’s health, racial or ethnic origin, and affiliations with religious or political organizations or with trade unions. The new Brazil data protection law levies steep fines for noncompliance — up to 2% of an organization’s global revenue.

According to the Council on Foreign Relations, the Brazil data protection law was inspired by the European Union’s General Data Protection Regulation (GDPR), which became effective on May 25, 2018. The Brazil law adds another layer of requirements for organizations doing business in the country. But there is some good news: The law will not take effect until 18 months after its official publication, meaning that the regulated community has until February 2020 to learn the law’s requirements.

The Brazil law applies to data processing conducted within Brazil and to any data processing that involves the data of people who are located in Brazil. Organizations both inside and outside Brazil’s borders may need to revise their policies to adhere to the new law. Their procedures for obtaining consent to collect data should be updated to prove that consent was provided, and to limit the amount of time allowed for data storage. Organizations that control data may also need to appoint a data protection officer (if they don’t already have one) who will be in charge of processing personal data.

The new Brazil data protection law makes organizations’ efforts to protect data more visible. Under the law, organizations may also need to prepare data impact reports describing the collected data and explaining how it is gathered and secured. Data subjects must be notified of data breaches in a reasonable amount of time, although the law does not specify this amount precisely.

As organizations modify their data processing policies and practices in response to the law, they should also watch for any further developments that could affect their progress. Though the president of Brazil approved the bulk of the proposal, he actually vetoed a portion of the bill that would have created a new governmental entity: a data protection authority. Nonetheless, this entity may still be created in the future.

Organizations that must comply with different data protection rules in different jurisdictions should consider following the most stringent set of rules globally. Doing so may ease the administrative challenges of complying with the varied requirements of multiple regulatory schemes.