In February 2015, the Brazilian government issued a draft of Brazil’s first comprehensive privacy law, the Preliminary Draft Bill for the Protection of Personal Data (the “Draft Bill”). The Draft Bill builds on and codifies certain concepts relating to the treatment of personal data already present in Brazilian constitutional, statutory and case law.
The Draft Bill proposes — for the first time — much needed definitions of “consent”, “personal data”, “sensitive personal data”, and other key terms, and a framework of individuals’ rights regarding the use of their data (e.g., rights of access, correction, objection, etc.), as well as exceptions to such rights. It also requires that processing of personal data terminate when the original purpose for which the data was collected is achieved or if the data is no longer necessary. Licensors and licensees (or as more commonly known under EU privacy law — “controllers” and “processors”) of personal data will be jointly liable for damage caused by the processing of personal data. The Draft Bill also introduces rules relating to intra-company and international data transfers, and only permits the processing of data transferred to Brazil from other jurisdictions, where the relevant consent requirements (if any) of the country of origin are satisfied. It remains to be seen how companies will comply with this unusual requirement in practice (if the Draft Bill is adopted in its current form). There are also provisions that would require companies processing personal data, among other obligations, to adopt appropriate information security measures, to immediately notify competent authorities of data breaches, and to appoint a dedicated privacy officer, depending on the size of the relevant entity and the volume of personal data it processes.
The Draft Bill introduces a range of administrative sanctions, including fines, publication of the relevant violations, and suspension or prohibition of data processing operations for up to ten years. Individuals will also be able to claim damages for material and moral damages caused by the processing of their personal information.
The consultation on the law and comment period was recently extended until April 30, 2015.