Friday, August 17, 2018
Eight Years Later, Brazil Enacts General Data Privacy Law
On August 14, following passage by the Federal Senate a month earlier and years of false starts, President Michel Temer signed into law Brazil’s General Data Privacy Law, a comprehensive data protection bill that will come into effect in early 2020. Aligning closely with the EU’s General Data Protection Regulation, the law lays the foundation for the pursuit of an adequacy decision from the EU. Key provisions include requirements for data protection officers; documentation and registration of the legal basis for processing; strict requirements for consent; data breach notification; requirements for privacy by design and privacy impact assessments; restrictions on cross-border data transfers; and fines of up to 2% of gross sales for violations. The cross-border restrictions even go beyond the requirements found in the GDPR by applying to any processing conducted solely outside Brazil that affects or targets Brazilian citizens. President Temer exercised his right to carry out line-item vetoes by rejecting several provisions of the bill passed by the Senate, including one calling for creation of an independent supervisory authority. However, Temer attributed the rejection to procedural defects and pledged to send Congress a separate bill establishing a national DPA that would remedy the problem.