DTA Bulletin: At last, Brazil has its own General Data Protection Regulation!

On Wednesday (August 16, 2018), Federal Law no. 13.709/2018, also known as the Brazilian General Data Protection Regulation (“LGPD”), was published, providing a regulation for the protection and processing of personal data. For your convenience, the full text (in Portuguese) of the LGPD can be found here.

The LGPD partially alters and complements the Brazilian Internet Bill of Rights (Federal Law no. 12.965/2014), with a wider scope that also reaches the offline processing of personal data and offers a more complete regulation for companies that were already taking due measures to comply with the demands of the Brazilian Internet Bill of Rights. Furthermore, the LGPD covers the entire chain of personal data processing agents, clarifying questions that remained unanswered when the online processing of personal data was regulated solely by the Brazilian Internet Bill of Rights, which usually attributed responsibility for those processing activities to connection and application providers, without any explicit reference to intermediary agents. The LGPD also extends the extra-territorial reach, with provisions that may impact multinationals or even foreign companies that, while not established in Brazil, carry out activities in the country and/or collect personal data within the Brazilian territory.

It is important to note that the new regulation shall only be enforceable after a period of 18 months, counted from its publication. During this period, we recommend that companies carefully review their internal procedures and legal documentation that are in any way related to the processing of personal data (e.g. privacy policies), implementing the necessary alterations to comply with the LGPD and avoid the harsh penalties provided therein, which may reach up to 2% of the company's gross income of the previous fiscal year, excluding taxes and limited to 50 million Reais per violation.

Although the timeframe mentioned above seems extensive, certain businesses will require substantial alterations and/or the implementation of measures that demand significant advance preparation (e.g. obtaining the consent of the data owners). Therefore, we suggest that companies analyze the potential impact of the LGPD on their activities as soon as possible. If you have any inquiries regarding the impacts and application of the LGPD, we are at your disposal for any assistance you may need!

Dias Teixeira Sociedade de Advogados