On July 10, 2018, the full session of the Brazilian Federal Senate approved Bill of Law (PLC) 53/2018, thus creating a general personal data protection law, with regulations for the collection and use of personal data both online and offline by companies and entities. The bill has been under debate in the National Congress for years, and gained momentum with the entry into force, in May this year, of the European data protection regulation, the General Data Protection Regulation (“GDPR”), and with the scandal involving Facebook in which data was used to influence the US Presidential Election.
Within the next fifteen business days the bill will move on for ratification by the President. If the Brazilian General Data Protection Law (LGPD) is ratified by President Michel Temer, there will be an 18-month vacatio legis, this being the period in which companies and entities can adapt their activities to the proposed regulations. It should be stressed that this adaptation period will be shorter than that offered to companies by the GDPR (2 years).
The LGPD establishes a party’s obligation to obtain consent from the data owner prior to use of such data. This consent needs to be expressed freely, and be informed and indisputable, and should be made in writing or in some other form that demonstrates the free expression of the data owner’s willingness. It is worth remembering that the consent should be obtained for specific purposes that the data owners should be clearly and precisely informed of in advance.
Furthermore, the LGPD also covers the possibility of any Brazilian citizen requesting that companies or entities edit or delete the information and data that is personal to them and which is stored in those companies’ or entities’ databases. It also stipulates that a company or entity is required to delete an individual’s personal data once the company/user relationship has been terminated, a regulation which is closely aligned with the contents of the GDPR.
The LGPD also sets out the penalties applicable to agents responsible for data handling who infringe the legal provisions, establishing punishments ranging from fines of up to two percent (2%) of the company’s or entity’s revenue, to the obligatory elimination of data, partial or total suspension of the database, suspension of the handling of personal data, and partial or total prohibition of activities relating to data handling, amongst others. These penalties are to be determined by a regulatory agency called the “National Data Protection Agency”.
The bottom line is that all Brazilian and foreign companies operating in the Brazilian market, as well as public entities, should pay full attention to their compliance with the regulations contained in the LGPD, since non-compliance will undoubtedly subject them to the penalties also contained in the law.
The teams from the Technology and Intellectual Property Department, and the Innovation, Startups and Venture Capital Department at Felsberg Advogados are closely monitoring the progress of the LGPD and also drawing up more detailed information on the matter.
We are at your entire disposal to clarify any doubts on this issue that you may have.