Brazil’s “GDPR” Sanctioned with Extraterritorial Effects
By Renato Opice Blum and Camila Rioja
IEEE Internet Policy Newsletter, September 2018
The Brazilian House of Representatives approved the Brazilian data protection draft bill (PL 53/2018) on May 29, 2018, due to an agreement reached by the Reporting Deputy. Following the Brazilian legislative procedure, the draft bill was forwarded to the Senate for analysis and sanctioned by the President on August 14, 2018. The draft bill is an important landmark in Brazilian history, and it draws inspiration from the European General Data Protection Regulation (GDPR).
The law will come into force 18 months after its publication, which is the deadline for companies to comply with the General Data Protection Law (LGPD). It may seem like a long time, but—considering all that needs to be done—it is actually a limited time-frame.
As a bit of background, Brazil’s very first legislation concerning the internet, Law 12,965 from 2014, best known as the “Internet Civil Landmark”, is quite recent and underwent a lot of criticism. Other legislation used to support data-related claims encompasses the Brazilian Constitution, the Consumers’ Code (Law 8.078/1990) and the Information Access Law (Law 12.527/2011).
Back to the Brazilian GDPR, the draft bill’s origins date back to 2009, when it was first drafted within the Brazilian Ministry of Justice after a procedure that involved intense debates and public consultations. The final wording of PL 53/2018 is also the result of other bills that were under analysis by the Chamber of Deputies, PL 4060/2012 and PL 5276/2016. It is worth clarifying that a second draft bill concerning data privacy is currently under discussion in the Senate (PLS 330/2013). Both projects, the Chamber of Deputies one and the Senate one, were facing delays in processing mainly due to the Brazilian political scenario, but were pushed forward by two main events: the Cambridge Analytica scandal and the GDPR, which came into force on May 25, 2018.
LGPD applies to the processing (including operations such as collection, use, storage, transmission, and erasure) of personal data (any information relating to an identified or identifiable natural person, including but not limited to name, national identification numbers, location data, tastes, and interests) that takes place in Brazil or relates to data subjects who are in the country, even if by enterprises located abroad.
The provisions explained above stress that the LGPD provides for extraterritorial effects. All companies that process or target Brazilian data will be subject to its provisions. Another important provision regards cross-border data transfer, which will be made easier among countries that meet adequate data protection standards.
The legislation sets principles which should guide the processing, including lawfulness; purpose limitation; data minimization; transparency; non-discrimination; safety; damage control; responsibility and accountability; free access; and data accuracy. Also, security by design; data portability; the drafting of personal data protection impact reports and the presence of a data protection office are examples of a new reality controllers will have to face, as soon as the legislation comes into full effect.
Side by side with such provisions, users’ rights rise, with emphasis on the right of access (i.e., data subjects can request access to all personal information held by controllers), which entails the right of rectification and information updating. Although children’s data already finds protection in specific child-related legislation, stricter provisions will apply to it under the Brazilian GDPR. Several industries will be affected by such provisions, including banks and the government itself.
In regard to pecuniary fines, these may reach as high as two percent of the total revenues earned by the company, economic group, or conglomerate in Brazil in the fiscal year preceding the commencement of the investigation, excluding taxes, but limited to a BRL 50 million cap per infringement (roughly USD 13 million).
The main goal of the legislation is to empower individuals with ownership and control of their own data, and the provisions outlined above set a coherent framework for achieving this outcome. The creation of a data protection authority in Brazil is also expected to further strengthen compliance, and some believe such authority will resemble—in structure and organization—the Brazilian Competition Authority (the Administrative Council for Economic Defense—“CADE”).
 Approval was accompanied by partial vetoes to the creation of the National Data Protection Authority, some provisions on data processing by public authorities and some penalties for infringement of the law - such as suspension of operations of the offender’s database.
 In Europe, for example, where regulations were already in place, companies had 2 years to adjust to the new regulations (GDPR), which in many cases proved not enough.
 For the Internet Civil Landmark bill (Portuguese only) please refer to http://www.planalto.gov.br/ccivil_03/_ato2011-2014/2014/lei/l12965.htm (last visited May 10, 2018).
 For the Brazilian Constitution (Portuguese only) please refer to http://www.planalto.gov.br/ccivil_03/constituicao/constituicao.htm (last visited June 20, 2018).
 For the Consumers’ Code (Portuguese only) please refer to http://www.planalto.gov.br/ccivil_03/Leis/l8078.htm (last visited June 20, 2018).
 For the Information Access Law (Portuguese only) please refer to http://www.planalto.gov.br/ccivil_03/_ato2011-2014/2011/lei/l12527.htm (last visited June 20, 2018).
 As a last remark on the legislative process, the Reporting Senator will have the option to fuse the wording of PL 53/2018 with that of PLS 330/2013. This would cause the amended text to revert to the Chamber of Deputies, and ultimately lead to a delay in the approval process, thus inflating further debates.
 Such promise is a given in a country that faced relevant data leaks recently, and has a public company currently under investigation by the Public Prosecutors’ Office for allegedly selling individuals’ data to companies and other branches of the government.
Renato Opice Blum
Judge at the MIT Inclusive Innovation Challenge (2018). MSc, attorney and economist; Digital Law Cyberlaw and Data Protection Program Coordinator at Research and Education Institute (INSPER); Digital Law Coordinator at Sao Paulo Law School (EPD); Member of the Executive Council of the Technical Study of the Internet of Things – IoT; Former Vice-Chair of the Privacy, E-Commerce and Data Security Committee of American Bar Association (Intl. Law) and Vice-Chair at the International Technology Law Association South America Membership Committee; Member of Octopus Cybercrime Community (Council of Europe); Member of EPA’s Policy and Scientific Committee – EPA’S Think Tank; EuroPrivacy Board Invited Member (Data Protection); President of Sao Paulo Lawyers Institute Standing Information and Technology Studies Commission; Coordinator of Study Commission of Digital Law of the Superior Council of Law at State Federation of Commerce (FECOMERCIO); Coordinator and co-author of the book “Manual of Electronic Law and Internet”.
Camila Rioja
Judge at the MIT Inclusive Innovation Challenge (2018). Computational Law course at MIT (2018). Postgraduate Diploma in Economics for Competition Law at King’s College London (2015/2016). Economic Law course from the Superior School of the Brazilian Bar Association, Brasília chapter (2012). Graduated from the Centro Universitário de Brasília – UniCEUB. Admitted to the Brazilian Bar Association – OAB in the same year. Camila advises clients in matters involving digital law, new technologies, data privacy and protection. As a competition/antitrust lawyer, focuses her practice on merger filings, high profile cartels defense and other anticompetitive behaviors. Camila also concentrates her practice in compliance and anti-bribery issues, advising clients on the implementation and review of compliance programs and policies. Camila has hands-on experience in several industry segments, such as transportation, health care and agribusiness, among others.
Dr. Tahir Hameed
Dr. Tahir Hameed has been associated with SolBridge International School of Business in South Korea since 2012. He teaches courses related to information systems and technology management at the masters and bachelors levels. Prior to joining SolBridge, Dr. Hameed obtained his Ph.D. in Information Technology Management from the Korea Advanced Institute of Science and Technology (KAIST), and obtained his Masters in Computer Science from Lahore University of Management Sciences (LUMS). His research interests include the areas of information technology standards, innovation, IT policy, information systems adoption, and knowledge management. He has published extensively in prestigious journals such as Telecommunications Policy, Technological Forecasting and Social Change, World Development, and Journal of Knowledge Management. He has presented several papers at leading conferences including IEEE conference on Industrial Engineering and Engineering Management and Australasian Conference on Information Systems. Dr. Hameed’s current research focus is in the areas of health informatics, knowledge management systems, educational information technology, and technology commercialization. He can be reached at email@example.com.
About: This newsletter features technical, policy, social, governmental, but not political commentary related to the internet. Its contents reflect the viewpoints of the authors and do not necessarily reflect the positions and views of IEEE. It is published by the IEEE Internet Initiative to enhance knowledge and promote discussion of the issues addressed.