Is there any provision in your country’s law for privacy and data protection?
The Brazilian Federal Constitution grants protection to the intimacy, private life, honour and image of the individual as a fundamental right. It also establishes that one’s mail, data and telephone communications are inviolable, except by a court order and within the context of criminal investigations, and provides for a remedy named habeas data, which can be used to rectify and to give access to information included in public records or databases. In the infraconstitutional sphere, historically, Brazil has adopted a sectorial regulation on privacy, data protection and cybersecurity matters.
On 15 August 2018, however, the Brazilian Data Protection Law (LGPD) was passed, regulating the use of personal data in Brazil by private and public entities in all economic sectors, in both the digital and physical environment. Inspired by the European General Data Protection Regulation (GDPR), the LGPD is intended to radically change the Brazilian data protection system, and will become effective on 15 February 2020.
Because the LGPD did not revoke any pre-existing sector-specific laws, specific obligations under those laws may continue to apply to organisations, in addition to the requirements imposed by the LGPD.
Last verified on Thursday 6th December 2018
Is privacy or personal data protection a fundamental right in your country?
Yes. Article 5, items X and XII, of the Brazilian Federal Constitution protects privacy and data protection as fundamental rights of the individual.
Has your country adopted a general legal framework for the protection of personal data?
Yes. As previously mentioned in answer 1, the LGPD comprehensively regulates the use of personal data in Brazil. The LGPD is applicable to any processing operation performed by an individual or legal entity, whether public or private, regardless of the means, the country where it is headquartered or the country where the data is located, provided that:
In addition to the LGPD, other sectorial laws on privacy and data protection may apply in specific circumstances, including, but not limited, to the following:
Has your country adopted a general legal framework on cybersecurity matters?
With the enactment of the LGPD, organisations (ie, both controllers and processors) will be required to adopt security measures, both technical and organisational, suitable to protect personal data from unauthorised access and accidental or illegal destruction, loss, change, communication, or any other form of inappropriate or illegal processing. Other cybersecurity requirements imposed by sectorial laws may also apply.
How does the law of your jurisdiction define personal data? Can the definition extend to data relating to businesses?
The LGPD defines personal data as any information related to an identified or identifiable individual. Accordingly, it applies to data related to individuals, and not legal entities.
Does your country’s data protection legal framework distinguish between sensitive and non-sensitive data?
The LGPD defines sensitive data as "personal data relating to racial or ethnic origin, religious beliefs, political opinions, membership in unions or organisations of a religious, philosophical or political nature, health or sex life, and genetic or biometric data when associated with an individual". Under the LGPD, the processing of sensitive data must be justified under the specific lawful bases applicable to sensitive data, which are more stringent than those applicable to personal data in general.
Identify the basic principles in force in your country for the processing of personal data. Is there a general limitation for the processing of personal data?
The LGPD defines the following 10 principles that any organisation processing personal data shall observe:
In question 13, we elaborate on the limitations and restrictions concerning data processing under the LGPD.
Do special data protection rules apply to certain industries, such as financial services, healthcare and telecommunications? Is the processing of personal data on the internet specifically provided for?
Yes. In addition to the rules imposed by the LGPD, there are certain sectorial laws on privacy and data protection, as detailed below:
Are there specific rules for the processing of personal data of minors?
Yes. The Child and Adolescent Act (Law No. 8,069/1990) stipulates that the offer, exchange, delivery, transmission, distribution, publication or disclosure of photographs, videos or other materials containing explicit sex scenes or child pornography is a criminal offence, subject to a penalty of up to eight years of imprisonment. The LGPD adds further protection for children's personal data. Among other provisions, it sets forth that information must be provided to the child in a simple, clear and accessible manner, and that the processing agent must make reasonable efforts to verify that consent was given by the minor's legal representative.
What are the sanctions and remedies for non-compliance with data protection and cybersecurity laws? Is there criminal liability for non-compliance with the data protection and cybersecurity laws?
Generally, violation of privacy rights gives rise to compensation for moral and direct damages. Non-compliance with the provisions of the LGPD may result in a warning, mandatory disclosure of the infringement, deletion or blocking of the personal data, and fines of up to 2 per cent of the gross revenues of the company's economic group in Brazil in the preceding fiscal year, excluding taxes, limited to a total of 50 million reais per violation.
The Consumer Protection Code imposes criminal liability (imprisonment from six months to one year) for certain conduct that may qualify as a crime against consumers, although the imposition of criminal liability for violations of cybersecurity and data protection rules is extremely rare. Generally, the Data Protection Officer (see question 19) and other legal representatives have no criminal liability for violations of data protection and cybersecurity laws.
Does your jurisdiction have an independent authority (or authorities) with responsibility for regulating data protection and cybersecurity? What are the enforcement powers of the authorities?
The bill that became the LGPD provided for the creation of an independent data protection agency responsible for supervising and enforcing data protection laws in Brazil. However, owing to a flaw in the legislative process, the President vetoed the creation of that agency. Under the Brazilian Federal Constitution, independent regulatory agencies and public offices can only be created by means of a bill submitted to Congress by the President, which was not the case for the bill ultimately approved. Nevertheless, it is expected that a new agency will be created before the LGPD comes into force in February 2020.
Investigations may be initiated by the Public Prosecutor's Office, consumer protection authorities and the police. Proceedings may be either civil or criminal, and may lead to the filing of civil or criminal public lawsuits, as the case may be.
Is notification or registration required before collecting, processing and transferring personal data?
No. There is no specific requirement to notify or register databases or personal data before collecting, processing or transferring such information. Specific restrictions may apply to the international transfer of data, as detailed in question 17.
What are the main obligations applicable to data controllers to process personal data?
The LGPD defines two categories of data handlers: controllers and processors (jointly referred to as processing agents). A controller is the "natural person or legal entity, public or private, that is responsible for the decisions concerning the processing of personal data". A processor is the "natural person or legal entity, public or private, that performs the processing of personal data on behalf of the controller". Generally, processing agents must observe the data processing principles set forth in the LGPD and adopt technical and organisational measures to protect personal data from data incidents.
According to the LGPD, controllers must comply with a significant number of new requirements, which include:
Data controllers must make available to data subjects an easily accessible and detailed privacy notice describing the data processing activities carried out. The privacy notice must contain clear, adequate and conspicuous information, including, but not limited to:
Is there a specific regime applicable to the processing of personal data on behalf of third parties?
Processors may process personal data only in accordance with the controller's lawful instructions. This means that processors must ensure that whatever processing instructions they receive comply with applicable law, and must themselves process data in accordance with the LGPD. If processors fail to comply with applicable law or with the controller's lawful instructions, they may be treated as co-controllers for liability purposes. The data processing agreement between controller and processor should therefore adequately allocate liability in the event of a violation of law or a breach of contractual duties.
Is the informed consent of the data subjects required before processing personal data? Are there lawful ways to process personal data without consent?
The consent of the data subject is just one of the lawful bases available under the LGPD. The LGPD establishes 10 lawful bases that may justify the processing of personal data, as listed below:
The LGPD also establishes specific lawful bases for the processing of sensitive data, which include:
What types of rights are granted in the law to data subjects over their information?
The LGPD grants data subjects the following rights over their own information:
What is the general regime for the transfer of personal data abroad? Is there a general restriction on the transfer of personal data out of your country? Is the notification of, and approval of the transfer by, the competent authority necessary?
The LGPD allows international data transfers only in the following cases:
What data security requirements are imposed in relation to the processing of personal data?
As mentioned in answer 4, controllers and processors are required to adopt security measures, both technical and organisational, suitable to protect personal data from unauthorised access and from accidental or unlawful destruction, loss, alteration, communication or any other form of inappropriate or unlawful processing. Such measures must be adopted from the design stage of any new technology or product, which requires organisations to implement a privacy by design approach.
Sectorial rules, such as the requirements imposed on financial institutions by Resolution No. 4,658/2018 of the Brazilian Central Bank, may impose specific cybersecurity requirements on organisations. Likewise, the Consumer Protection Code provides that companies must take all reasonable measures to offer safe and defect-free products and services. Therefore, if an organisation does not implement appropriate security measures (normally assessed against industry standards or best practices), a product or service may be deemed defective and trigger liability under that statute as well.
Is there any legal requirement in your jurisdiction for a data processor to have a data protection officer (DPO)? What are the main roles or responsibilities of the DPO? Can the DPO incur criminal liability for acts and omissions?
The LGPD requires controllers to appoint a Data Protection Officer (DPO), who shall be responsible for:
The data protection authority may establish complementary rules on the definition and duties of the DPO, and may even exempt certain controllers from this obligation. Generally, the DPO does not incur criminal liability for his or her acts and omissions.
Does your jurisdiction require notification to affected individuals or the authority in the event of data security breach?
The LGPD provides that data security breaches that may result in material risk or harm to individuals must be reported to the data protection authority within a reasonable time and, where required by that authority, to the affected data subjects. The notification to the authority must include at least the following information:
Is there any national law, regulation or guidance on the use of cookies in general or the use of tracking technologies?
No. There is no cookie-specific rule; the use of cookies and other tracking technologies is governed by the general rules of the LGPD.
Is there any national law, regulation or guidance regarding financial technology companies, data protection and cybersecurity?
Brazil does not have any federal law, regulation or guidance on data protection and cybersecurity specifically applicable to fintechs. However, they may be subject to the rules applicable to financial institutions and payment service providers. Specific privacy and data protection rules apply to banks, brokerage firms, credit card companies and other institutions involved in financial services under the Banking Secrecy Act, which provides for the confidentiality of financial transactions and limits how such information may be shared. Companies handling such information must implement robust structures to ensure that secrecy is preserved.
In addition, financial and payment institutions must comply with specific requirements imposed by the Brazilian Central Bank, including, but not limited to, those set forth in (i) Resolution No. 4,658, which requires financial institutions to implement and maintain a cybersecurity policy and an incident response plan, and to observe certain requirements when hiring data processing, data storage and cloud service providers; (ii) Resolution No. 4,474, which requires financial institutions to adopt specific procedures and technologies for the digitisation of documents and the maintenance of scanned documents; and (iii) Resolution No. 4,480/2016, which regulates the opening and closing of bank accounts by electronic means. Financial institutions may also join self-regulatory bodies, such as the Brazilian Financial and Capital Markets Association (ANBIMA), and by doing so must comply with their self-regulatory rules, including those related to cybersecurity.
If a fintech engages in activities for which a licence from the Central Bank is required, all of the laws and regulations above apply to it. All fintechs must comply with the LGPD, whether or not they are licensed by the Central Bank.
What requirements are imposed in your jurisdiction regarding "privacy by design", "privacy by default" and privacy impact assessment?
The LGPD requires controllers and processors to adopt security measures from the design stage of any new technology or product, which requires those organisations to implement a privacy by design approach.
Although the LGPD contains no express privacy by default requirement, a privacy by default approach is recommended in order to comply with the data protection principles set forth in the LGPD.
The data protection authority will establish the circumstances in which a privacy impact assessment (PIA) is required. A PIA is likely to be required for the processing of sensitive data and when relying on legitimate interest as the lawful basis for processing personal data. The LGPD expressly sets forth that the PIA must contain:
What requirements are imposed in your jurisdiction on the sending of unsolicited electronic commercial communications?
Email marketing campaigns are likely to be deemed legitimate under an opt-in or "soft opt-in" approach, but must always allow the data subject to opt out of receiving such messages. The telecommunications regulator has determined that mobile carriers may only send promotional messages to users who have expressly agreed to receive them.
Do any specific requirements apply in your country to cloud computing?
Brazil has not enacted a specific law regulating cloud services. Nevertheless, several rules may affect the provision of cloud services, such as those on the storage of digital information, cross-border data transfers, outsourcing of IT infrastructure and cybersecurity, among others. The LGPD applies irrespective of the means used to process personal data. Specifically for financial institutions, Resolution No. 4,658 of the Brazilian Central Bank sets forth specific requirements for hiring cloud service providers.
Does your country provide for protection of personal data under the control of government agencies?
Data protection laws must be complied with by both private entities and the government.
The LGPD expressly sets out certain exceptions to its scope, such as data processing carried out exclusively for public safety, national defence, state security, and the investigation and prosecution of criminal offences.
Does your country allow the right to access data under the control of government agencies?
Yes. This right is available under the LGPD, the Access to Information Act (Law No. 12,527/2011) and the constitutional remedy of habeas data. Under the LGPD, access to the information must be provided, electronically or in hard copy (at the data subject's choice), within 15 days of the request.
Does your country provide for self-regulation?
The LGPD encourages the promotion of best practices and codes of conduct by different industries.