9/13/18 - Promontory Currents: Brazil Enacts Landmark Privacy Law

By Giovanna Carloni

On Aug. 14, 2018, Brazil enacted its first comprehensive data protection law, the Lei Geral de Proteção de Dados (LGPD, Law No. 13,709/2018), approved by the National Congress and signed by President Michel Temer. The law is closely modeled on the European Union’s General Data Protection Regulation (GDPR) and complements the data protection provisions of Brazil’s 2014 Internet Regulation Law (Marco Civil da Internet).

Brazil differs from jurisdictions like the EU in that it has no long history or culture of data protection, and, unlike neighboring Uruguay, it is not a signatory of the Council of Europe’s Convention 108 on the automatic processing of personal data. Privacy was already protected as a constitutional right, however, and data protection rules already exist in the consumer protection regulation that governs credit scoring.

It remains to be seen how authorities will apply the new law in practice. Its implementation depends not only on an administrative regulation that has yet to be drafted, but also on the creation of a data protection authority (DPA). President Michel Temer vetoed the provisions creating the DPA. All other provisions of the law remain valid, but no DPA has been established. The president argued that establishing a federal agency is the prerogative of the executive, so the DPA should be created by the government through its own decree rather than by the legislature; at present it is unclear when the government plans to do so.

The vetoed provisions envisaged a DPA linked to the Ministry of Justice, an arrangement that could have called its independence from government into question. The DPA would have had sanctioning powers, issued guidelines and reports, suggested mitigation actions, and fostered a culture of data protection in the country. Under the vetoed provisions, it would have included representatives of public bodies, industry, civil society, and academia.

Even without a DPA, several key provisions of the law will apply when it comes into effect on Feb. 17, 2020:

  • Sanctions: Fines can reach 2% of the organization’s revenue in Brazil in its last financial year, capped at R$50 million (approximately £9 million or US$12 million) per infraction. Other consequences include compensation for damages (with liability shared between controller and processor), compulsory deletion of personal data, blocking of personal-data processing or databases for up to six months, and prohibition of data-processing activities. Without a DPA there is no authority to impose administrative fines, so monetary penalties may have to come through the courts.
  • Territorial scope: The law applies, regardless of where the organization is established, to any processing carried out within Brazilian territory; aimed at offering goods or services to individuals located in Brazil; or involving personal data collected in Brazil. Processing by individuals for purely personal, non-commercial purposes is exempt.
  • Legal bases for processing: Organizations may process personal data only on one of the legal bases the law lists, which include consent, a legal obligation, contractual necessity, and legitimate interests. The list also contains bases with no GDPR equivalent, such as processing for credit protection.
  • Age of consent: Children’s data may be processed only with the specific consent of a parent or legal guardian. The law does not itself define “child” but refers to existing legislation, the 1990 Children and Adolescents Statute, which defines children as those younger than 12.
  • Rights of the data subject: The law includes most of the rights set out in the GDPR, plus a right, not found in the GDPR, to have an organization anonymize personal data it no longer needs for the purposes for which the data was originally collected. The deadlines for responding to data-subject requests will be set by the administrative regulation that has yet to be drafted.
  • Obligations and good practices: Organizations must keep personal data secure and must delete personal data once they no longer need it for the purposes for which it was collected. Controllers must also notify the DPA and affected data subjects of security incidents that may cause them significant risk or harm, within a period the DPA is to define. The law further encourages good practices such as a privacy-governance framework with appropriate policies and processes, including data-incident response plans.

Although the law as enacted does not create a DPA, it represents significant progress in the protection of the rights to privacy and personal data. Individuals can still seek protection of their rights through the courts, but that means courts will interpret and apply the new law case by case. The resulting uncertainty could weigh on business and would be mitigated if the government quickly established a DPA with both sanctioning powers and powers to issue guidance.

If Brazil fails to create an independent DPA, the European Commission is unlikely to recognize Brazil as a jurisdiction with adequate privacy safeguards, since an independent supervisory authority is one of the criteria the GDPR sets for adequacy. An adequacy decision is prized because it allows personal data to flow freely from the EU to that jurisdiction without further safeguards, and because it signals that the country has achieved a high standard of data protection.

In Latin America, Argentina and Uruguay already hold adequacy status. Achieving adequacy is a lengthy process, and a decision in favor of Brazil is not imminent. Organizations transferring personal data from EU countries to Brazil will therefore need to rely on other transfer mechanisms, such as standard contractual clauses or binding corporate rules.

Author

Giovanna Carloni is an associate in Promontory’s London office.