Understanding Brazil's General Data Protection Law

Posted on May 07, 2019

In this post, we’ll break down Brazil’s General Data Protection Law—who needs to comply, what is protected, and how to meet its requirements.


Compliance is a complicated thing—the laws are long, and the patience of government regulators and auditors is short. Doubly so when it comes to international data compliance. But it doesn’t have to be. Here at Defrag This, we’ve been hitting the books so you don’t have to, trying to make sense of the maze of jargon and legalese that is the emergent international data compliance landscape.

In fact, we’re trying to put together a sort of dummies’ guide to international compliance… not that we’d ever call anyone a dummy for not knowing this stuff.  Months ago, we got our start with GDPR, and I’d like to think we did a good job—those posts, which have recently been consolidated, are some of the most popular on our little blog.

Now, we’re doubling down on our mission to demystify international compliance—first with the guide to understanding China’s Cybersecurity Law, then with a breakdown of ISO 20022, and now with a look at Brazil’s new General Data Protection Law.

What is Brazil's General Data Protection Law? 

Inspired by the GDPR, in mid-August of 2018, Brazil passed a new legal framework aimed at governing the use and processing of personal data in Brazil: the General Data Protection Law. 

The law replaces roughly 40 existing laws that currently deal with the protection of privacy and personal data, and is aimed at guaranteeing individual rights and encouraging economic growth by creating clear and transparent rules for data collection.

The Bill was signed into law in mid-August 2018 and is expected to take effect in February 2020.


Who is Affected, Do I Need to Comply?

The new law governs processing of personal data in Brazil, and it takes a broad view of what data processing means. Basically, if you touch the data of a citizen at all, you are processing it. That includes collecting the data, storing it, and transferring it.

So, if you, or your organization, perform any of these activities in Brazil, then you are subject to the law. With a few small exceptions for national security organizations and for artistic and journalistic pursuits, private and public sector organizations are equally accountable to the law.

Like the GDPR, Brazil's law will have extraterritorial application, so if your organization offers services in Brazil and collects and processes personal data of people located in the country, you must be compliant. Interestingly, this holds true regardless of the nationality of the data subjects. So an American company processing the data of an American in Brazil will still need to be compliant. 

What Are the Specific Requirements of the Bill? How Similar is it to GDPR?

Here’s where we get into the meat and potatoes of the law. While the General Data Protection Law certainly takes cues from the GDPR (including its name—at least in English), it’s no carbon copy. Below are the key requirements of the law:

Data Protection Officer

Like the GDPR and China’s Cybersecurity Law, Brazil’s new law mandates that businesses appoint a data protection officer to oversee compliance and data protection efforts within the organization.

Data Breach Notifications

Unlike the GDPR, Brazil’s law does not set a specific timeline for data breach notification, but it does require regulated entities to notify users of any data breach affecting their information. Such notifications must include a description of the type of personal data affected, details of the security measures taken to protect the data, and the risks resulting from the incident, such as identity theft.

Consent for Data Processing

According to Brazil's new law, wherever personal data is processed, the data subject must give advance consent. That consent applies only to a specific purpose of data processing, and may not be taken as consent for data processing writ large. There are some exceptions to the consent rule, however, such as when data processing is required to carry out a legal or compliance requirement, or to perform a contract. Basically, data processing may only be carried out when there is a necessary legal basis for it.

Improved Security and Privacy Requirements

According to the law, regulated organizations must adopt protective measures against cyberattack, and must implement such measures whenever creating new products. Brazil's Data Protection Authority has the ability to conduct privacy audits to ensure that organizations are meeting these requirements.

Recording Requirements

The law requires that all personal data processing that takes place be recorded, with details indicating the type of data collected, the intended purpose, the legal basis, the retention time, and the security practices applied in storage, such as encryption.

Data Transfer Requirements and Restrictions

Brazil's law places significant restrictions on transfers of personal data, especially across borders.

Cross-border transfers are only allowed to nations that Brazil's Data Protection Authority determines to have an equal or adequate level of data protection, unless otherwise approved by the DPA. Other lawful bases for cross-border data transfer include standard contractual clauses between data controllers and data subjects, and cases where the data subject has given specific consent.

Who Will Enforce the Law?

Brazil’s new law establishes a new National Data Protection Authority (DPA), which will be responsible for supervising compliance and enforcing penalties.

What Are the Penalties for Noncompliance?

Noncompliance with the law can result in fines of up to two percent of gross sales in Brazil, but that fine is capped at 50 million reais (roughly $13M USD) per violation. While that’s nothing compared to the penalties of the GDPR, it’s certainly not chump change.

Jeff Edwards

Jeff Edwards is a tech writer and analyst with three years of experience covering Information Security and IT. Jeff has written on all things cybersecurity, from APTs to zero-days, and previously worked as a reporter covering Boston City Hall.
