On May 29, a few days after the General Data Protection Regulation (GDPR) entered into force, the Brazilian House of Representatives unanimously approved Bill of Law 4060/2012, which provides for a general personal data protection law in Brazil.
The approved wording incorporates provisions of Bill of Law 5276/2016, with relevant amendments, which in turn was strongly influenced by GDPR and broadly discussed among representatives of the Government, companies and civil society.
The purpose of this Bill is to ensure that citizens have more control over their personal data, thus requiring organizations – whether Government entities or private companies – to comply with obligations involving transparency and security when processing personal data. In summary, this Bill establishes core principles relating to processing of personal data, data subjects rights, lawfulness of processing, rules for international transfer of personal data, civil liability due to data breaches or any other form of improper use.
Finally, this Bill creates the Autoridade Nacional de Proteção de Dados (Brazilian Data Protection Authority), an autarchy linked to the Ministry of Justice, which shall be competent to, among other attributions, supervise and impose sanctions in case data processing fails to comply with the law, including a fine of up to 4% of the companys turnover.
Within the current scenario of an economy based on data, in which personal data are considered the "new oil", approval of a general data protection law brings more legal certainty vis-à-vis recent cases of data breaches and improper use of personal data by Brazilian companies and Government entities.
Bill 4060/2012 was then submitted to the Senate and attached to Senate Bill of Law 330/2013 – which also provides for a general personal data protection law. Such Bill 330 also moved forward in the last few days and was approved by the Economic Affairs Commission, with amendments, and is now in the Plenarys agenda.
Even though there is still no fixed date to vote the above mentioned Bills, depending on the type of amendment proposed by the Senate, the bill of law will have to return to the House of Representatives. Companies shall be aware. Once the law is enacted, a vacatio legis period shall start for adjustment purposes – Bill of Law 4060/2012 establishes an 18 months period and Senate Bill of Law 330/2013 establishes a period of 365 days.
For additional information on personal data protection Bills of Law, please contact our Technology, Media and Telecommunications professionals at Azevedo Sette Advogados.