Brazil: GDPR Overview and Consequences in Brazil

05/16/2018

Digital Law

On May 25th, 2018, the European Union’s General Data Protection Regulation (GDPR) shall enter into force. Such regulation, which was published in 2016 in order to ensure a two-year adaptation period, states a wide range of data subject’s rights and aims to provide more legal certainty with regard to data processing. However, the effects of the GDPR may not be restricted to the European community: some of its provisions, such as the increased territorial scope and the international transfer of data, also underline the need for potential compliance with such regulation by those Brazilian entities whose function involves personal data processing at a global level.

One of GDPR’s most important provisions concerns its increased territorial scope. Pursuant to the regulation, it must be enforceable on those entities that, even though placed outside the European Union, perform activities related to the processing of personal data of subjects placed on its territory, when such processing relates to the offering of goods or services, irrespective of whether a payment is required, or to the monitoring of their behavior, as far as this behavior takes place within the European Union. Therefore, the GDPR may affect Brazilian companies that develop this kind of activity, which is increasingly common considering the growing importance of personal data for the economy and the society as a whole.

GDPR also regulates the international transfer of data, restricting its performance to countries that present a high level of personal data protection – Brazil does not fit in this category. In addition, compliance with such regulation is strongly encouraged due to the severe penalties imposed in case of infringement of its provisions, which encompasses restrictions to personal data processing and fines up to € 20,000,000.00, or up to 4% of the company’s total worldwide annual turnover, whichever is higher.

Although Brazil presents some relevant legislation ensuring personal data protection, especially in the consumer area, there is no specific legislation regulating this matter. In order to settle such legislative omission, there are currently some bills of law in discussion about this issue, among which we highlight Bill of Law No. 5,276/2016, Bill of Law No. 4,060/2012, and Senate Bill of Law No. 330/2013. The substitute of the latter, presented on May 3rd, 2018, resembles some of the GDPR provisions, such as the enlargement of the legal basis for personal data processing beyond the consent of the subject.

In view of the growing concern about personal data protection and the lack of specific regulation for the subject in Brazil, the compliance with GDPR provisions needs to be carefully reviewed by the companies that handle personal data in their work routine, so to anticipate the trend towards upcoming regulations in our country.