< Back

Share |

Companies face new challenges regarding data protection in Brazil

May 2015

As the processing of personal data skyrockets around the world, protection of personal data rises up the agenda in Brazil which has seen a number of significant changes recently, with additional rules expected to follow. For the last three decades, the Brazilian legal framework has only superficially touched on the protection of personal data in provisions spread across the Federal Constitution, the Consumer Protection Code and a few other laws. The fragmentation of the framework and the lack of a unified regime of data protection has led to considerable legal uncertainty which Brazil is now attempting to resolve.

The recently enacted Civil Rights Framework for the Internet (Law 12.965, of 23 April 2014) established a set of rights regarding the protection of personal data electronically obtained through the internet, including the right for data subjects to be clearly and fully informed about the processing of their data, a requirement to obtain the consent of the data subject to such processing and a right to opt out of any processing.  The rules on enforcement and sanctions are, however, yet to be finalised pending an explanatory Decree.

people discussing documentationThe Ministry of Justice published the Draft Bill of Law on the Protection of Personal Data (the Draft) in January 2014. Long-awaited by companies, lawyers and consumer protection entities, the Draft has been subject to a public consultation, initially expected to run until 30 April 2015, but recently extended to 5 July, 2015, when it will be finally closed and sent back to the Ministry for refinement and eventual submission to the Congress. It is already possible, though, from an analysis of the document, to draw some conclusions that may guide companies with regard to the best practice to be adopted before the law comes into force.

The Draft's preliminary provisions set out a number of data protection principles which aim at enlarging and strengthening individual rights connected with personal data. Article 1 underlines that the objective of the law is to "protect natural persons' rights to liberty, intimacy and privacy", evidencing a connection between the protection of personal data and three of the constitutionally guaranteed fundamental rights. Further on, Article 6 lists general principles in accordance with which personal data must be processed.

Generally, the Draft requires consent to data processing which must be "free, express, specific and informed". Under Article 11, processing without consent will be allowed in exceptional cases. The Draft also contains a stricter regime for the treatment of sensitive personal data (including data which may reveal philosophical or religious convictions, political opinions or relating to health). If approved, the Draft will grant data subjects a new set of rights, including to access, correct, and delete personal data.

The Draft also touches on the transfer of personal data between national companies and outside Brazil.  External transfers will only be permitted on condition that the foreign company is subject to laws which guarantee a similar level of protection to that under Brazilian law. Several provisions in the Draft relate to information security requirements. Under the premise that such data belongs to the data subjects and not to data controllers or processors, companies are expected to protect third party personal data using higher standards than those applied to their own information. Finally, the Draft clarifies the different levels of liability for breach and the applicable administrative sanctions. 

maskFollowing the international trend, the Draft further establishes that a "competent organ" (it is not clear if new or existent) will be responsible for supervising compliance with data protection rules.

The outcome of the public debate will depend on the political agenda of the Ministry of Justice and no change is expected during 2015. Given the disarray under the status quo, it is, however, advisable for companies processing personal data in or from Brazil to start looking to the Draft for guidance on best practice and in order to reduce the compliance burden when the Draft becomes law.

Companies should consider introducing some transitional measures, such as:

  • providing tools for the owners to check, update and delete their information;
  • preparing and communicating more transparent information about the treatment of personal data;
  • strengthening security for the protection of the database and its integrity, preventing partial or total extractions; and
  • drawing up high level security policies, including state-of-the-art encryption for any sensitive personal data.

Introducing such measures would not only pre-empt the Draft but would also ensure compliance with the Civil Rights Framework for the Internet.  In addition (and not least), it would demonstrate good business practices both to individuals and to other organisations and institutions.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

blank cutout people
Pedro Vilhena

Pedro Vilhena      


Pedro (of Kasznar Leonardos Intellectual Property) looks at proposals to strengthen the data protection regime in Brazil.

"Given the disarray under the status quo, it is advisable for companies processing personal data in or from Brazil to start looking to the Draft for guidance on best practice and in order to reduce the compliance burden when the Draft becomes law."