Brazil is set to become the latest country to pass comprehensive data protection laws, building on the EU’s recently implemented General Data Protection Regulation (GDPR).
On 14 August, Brazil's president approved sweeping new data protection laws, which will take effect after an 18-month implementation period. The new law is broadly in line with the draft data protection legislation (Law 53/2018) passed by the Brazilian Senate in July, after the House of Representatives had approved it on 29 May.
As a major world economy, Brazil is not immune to cyber attacks and data breaches. In what is thought to be the largest data breach in Brazil in recent times, hackers stole personal data of over 25,000 customers at one of Brazil’s biggest online banks, Banco Inter. A 2017 study by Thales found that 75% of Brazilian organisations polled had experienced a data breach.
Despite such data breaches, Brazil does not currently have comprehensive data protection laws in place, nor does it have a dedicated data protection regulator. As a result, the cost of a data breach in Brazil is relatively low: the country ranked as one of the least expensive jurisdictions for a data breach in a recent IBM/Ponemon Institute study. This is likely to change once Law 53/2018 takes effect.
The law creates a legal framework for the protection of personal data in Brazil, governing the collection, storage and processing of personal data belonging to Brazilian citizens. Although the provisions establishing a regulator were removed from the final legislation, the government is now expected to take the steps required to set up a National Data Protection Authority to oversee compliance and enforce sanctions.
Brazil's new data protection law contains principles similar to those of EU data protection law, and Law 53/2018 was reportedly inspired by the GDPR, which entered into force in Europe in May 2018. For example, like the GDPR, the law will give Brazilian consumers new rights, such as the right to access, correct and delete their data.
Law 53/2018 will require companies to obtain the consent of the data subject before collecting and processing their data, with additional requirements for sensitive data such as health or biometric data. Consent must be obtained in advance and be specific to the intended use of the data. Companies will also be required to appoint a data protection officer, to implement privacy by design and to carry out data protection impact assessments.
The law also introduces data breach reporting requirements, another key feature of the GDPR. Organisations will be required to inform the regulator of a data breach involving the personal data of Brazilians and, in some circumstances, to notify the affected data subjects.
Like the GDPR, Law 53/2018 comes with tough penalties, although not as severe as the EU regime. Breaches of the new data protection law could result in a fine of up to 2% of an organisation’s revenue in Brazil, with a maximum penalty of BRL 50 million (USD 13 million) per infringement. In comparison, severe breaches of the GDPR can result in a fine of up to EUR 20 million or 4% of global annual turnover, whichever is greater.
When the law takes effect, Brazil will become the latest jurisdiction to have comprehensive data protection laws in line with the EU's GDPR.
The US state of California recently passed the California Consumer Privacy Act of 2018 (CCPA), the first legislation in the US to mirror key aspects of the GDPR. A number of other countries have also changed their data protection laws to bring their privacy regimes more in line with the EU's GDPR. For example, Australia introduced mandatory data breach notification requirements in February 2018, and Canada is to follow suit in November.
Japan, which recently modernised its data protection legislation, and the EU have agreed to recognise each other's data protection regimes. This is the first time the EU and a third country have agreed on reciprocal recognition of an adequate level of data protection, and according to the European Commission it has increased convergence between the two systems.