In August 2018, President Michel Temer sanctioned Law 13709/2018, which, by amending the already existing Law 12965 / 2014 – known as the Brazilian Civil Rights Framework for the Internet – provided greater guarantees of citizens’ control over the management of their personal information by companies, completely modifying the way in which private personal data are treated by the market.
In addition to the principles, guarantees, rights and duties already provided for in the Civil Rights Framework for those using the World Wide Web, the new General Data Protection Regulation requires, in addition to the express consent for the collection and use of personal data of the general public, that companies enable users to view, correct and delete this data – transferring to the people the management on their private data, such as number of documents, address, purchase history and consumption habits.
The General Data Protection Regulation shall begin to produce effects in February 2020, which means that the countdown has already begun to allow Brazilian companies and foreign companies in Brazil in this sector to adapt to this new reality. This is a period of a little more than a year, within which structural and negotiating changes shall be carried out by companies that, currently, deal with such data. Companies shall also be aware of the sanctions provided for in the legislation – as a warning with a deadline for resolving errors and fines of up to 2% of the revenue (with a limit of up to R$ 50 million) -, which may also be applied in case of non-compliance with the provisions of the new law.
“Data processing”, under the new General Data Protection Regulation, is defined as any operation carried out with personal data, such as those relating to the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, disposal, evaluation or control of information, modification, communication, transfer, diffusion or extraction.
Also created bylaw were the roles of Controller and Data Operator, which must be integrated with the staff or contracted self-employed by the companies to respond directly to the inspection of the data processing promoted by the contracting company.
It is still being discussed how the inspectionof compliance to the terms of the law shall be carried out. This was because, to begin with, it was provided for the creation, within the Executive Branch, the National Data Protection Authority and the National Council for the Protection of Personal Data and Privacy, bodies which, linked to the Ministry of Justice, would have the function of regulatory bodies to inspect the rules of the new law, in addition to applying sanctions. However, the creation of the entities, after consultation with the Ministries, Central Bank and controlling bodies, was vetoed by the President for merely formal matters – which, after adjustments, shall result in the approval for creation of these new bodies.
The repercussions after entry into force of the General Data Protection Regulation within the European Union, in addition to the Facebook users’ data leak scandal, collected by the company Cambrigde Analytica and used in the last elections in the United States, accelerated the mobilization of the National Congress and resulted in the approval of the new legal text by the Legislative Branch and, later, by the Presidency of Brazil.
According to Raphael Zaroni, partner at law firm Zaroni Advogados: “Brazil already has a series of sparse laws that, when indirectly treating the right to personal data protection, creates legal uncertainty for companies and citizens holding such data – in view of the multiplicity of interpretations resulting from this decentralization in the treatment of the subject. With the new General Data Protection Regulation, the provisions that shall be adopted and the final results that shall be presented by companies that handle personal data are made clearer, giving more effectiveness (finally) to the protection of the citizens’ privacy with respect to their personal data”.