Brazil is close to enacting GDPR-like data protection legislation after both houses of Congress voted in favour of the law – but fears remain that the president may veto parts of the bill.
Brazil's Federal Senate followed the Chamber of Deputies in passing PLC 53/2018 on 10 July. Brazil's president Michel Temer can now approve the bill, or veto it in whole or in part.
The General Data Protection Law, known as LGPD, is Brazil's first measure to address data protection in a general way; the area is currently subject to a patchwork of sector-specific legislation. As passed by Brazil's legislature, the LGPD would also set up the country's first dedicated data protection enforcer, the National Data Protection Authority.
Fabio Luiz Barboza Pereira, a partner at Veirano Advogados in São Paulo, told Latin Lawyer's sister publication GDR that reaction to the law from both the private and public sectors has been positive, but there are lingering fears that the president may veto the creation of the data protection authority.
At issue is the way the authority would be created. According to the constitution, only the president is allowed to create public authorities, but in this instance Congress proposed the creation of the enforcer in an amendment to the law.
If the president decides to veto the creation of a standalone data protection agency, its duties could fall to an existing authority like the justice ministry's consumer protection body, said Gabriela Paiva Morette, a partner at Trench Rossi Watanabe.
Lawyers also worry about the way the authority will be funded. It is possible that the authority will finance itself through the fines it levies rather than through a budget assigned by government, an option lawyers dislike and that Mattos Filho partner Thiago Sombra says will incentivise "bad practices".
Raphael de Cunto, a partner at Pinheiro Neto Advogados in São Paulo, said the uncertainty over the fate of the authority is "like a cloud hanging over [the act]".
Pereira voiced a common opinion by saying that the legislation had been "inspired" by GDPR, and is very similar to the EU regulation.
But Brasília-based Mattos Filho, Veiga Filho, Marrey Jr e Quiroga Advogados partner Thiago Sombra said that there are some ways in which the law is "more tailored" than GDPR, such as in the way it specifically addresses public administration data.
Sombra also praised the law's "modern approach" to anonymised data, which brings that information back within the scope of the legislation if future technology allows individuals to be identified from it.
Like the GDPR, the Brazilian law applies widely, including to any data processing involved in offering goods or services to individuals located in the country, regardless of where the company is based. Both sets of legislation contain exemptions for data processing for journalistic and national security purposes.
In addition to consent, the Brazilian law creates several legal bases for processing, such as for performance of a contract, legitimate interests and credit protection purposes. Any consent obtained must be specific and data subjects can withdraw their consent at any time.
The legislation also creates a distinction between personal and sensitive personal data, with categories of sensitive data including racial or ethnic origin, religious beliefs and political opinions. Processing of children's data requires the consent of parents or guardians.
Another similarity with GDPR is the rights the law grants to data subjects: they can ask controllers to delete any personal data they hold, receive information on which third parties are given access to their personal data, and correct any incomplete, inaccurate or outdated data, among other rights.
Data transfers out of Brazil can only be made to countries with similar data protection standards, and companies must appoint a data protection officer whose identity and contact information must be made public in a clear way.
The only significant departure from the GDPR is the sanctions regime: while EU enforcers can issue fines worth 4% of global revenue, Brazil's regime allows fines of up to 2% of Brazilian revenues, capped at 50 million reais (US$13,056,535).
Brazil's law also gives companies less time to prepare: 18 months from the president's approval, rather than the 24 months it took between the GDPR's approval and coming into force. For Paulo Brancher, who spoke to GDR as an Azevedo Sette Advogados partner but has since moved to Mattos Filho, it will be a challenge for companies to be ready in time. "The issue is more cultural than anything else: companies need to start understanding that data is valuable, how they acquire data from third parties, and that once [data] is in their domain they may be liable and fined … that it's not just about how they collect data," he said.
According to Trench Rossi's Morette, the financial and insurance sectors face the biggest upheaval since they use a significant amount of data. "There is no privacy culture in Brazil, so companies are cautious of how the law will impact their business," she said.
Brazilian companies must notify authorities of a breach within a "reasonable time period", rather than the strict 72 hours mandated by the GDPR.
Lawyers expressed surprise that Brazil's Congress pushed the bill through in an election year.
"It's a positive surprise: it's not common in election year to see such a big effort to approve this kind of law," Brancher said.
"Normally by July Congress doesn't work any more [since] everyone is busy with reelections," Brancher said.
Observers expect a decision from Brazil's president within 15 working days of the senate's vote.