Brazil’s Congress passes law to hold companies accountable for clients’ personal data

New law is expected to improve consumer privacy protection; companies may be fined up to US$13 million in case of breach

São Paulo |
Companies will be accountable for the information they keep on clients and how they use it
Companies will be accountable for the information they keep on clients and how they use it - Paulo Pinto/Fotos Públicas

Brazil is about to take a big step toward protecting consumer data, as lawmakers passed a bill establishing the conditions in which consumer data can be collected and used both by private companies and the government. In case of consumer privacy violation, companies and agencies may be fined up to R$50 million – nearly US$13 million.

Brazil's Senate passed the bill unanimously last week, after the Chamber of Deputies passed it in late May. Now the bill will be sent to president Michel Temer for a signature.

The bill proposes the establishment of the National Data Protection Authority, which will be responsible for formulating supplementary rules and enforcing the law.

The authority will have the power, for example, to require companies to provide privacy impact assessment reports. These reports will have to include how data is processed, the data security measures they adopt, and the actions taken to reduce privacy breach risks. The agency will also be able to conduct audits to examine whether companies are properly handling consumer data.

It will also be able to impose sanctions when it finds irregular activities, including fining companies up to 2 percent of the their billing, limited to R$50 million, blocking or eliminating data that are processed incorrectly, and suspending or banning database use or processing activities.

Another strong point is that the bill creates the National Council of Data Protection, composed of 23 representatives of government, civil society, companies, and scientific and technological institutions. The body will propose strategic guidelines and advise the national authority on data privacy and protection matters.

The bill establishes personal data is any information about a person that is “identified” or “identifiable.”  That means it also regulates data that does not reveal who it would be related to on its won (an address, for example), but, when processed with other data, could indicate who it belongs to (the person's address combined with their age, for example).

Sensitive data

A special category called “sensitive” data was created, encompassing race, political opinion, religious belief, health conditions, and genetic characteristics. The use of these records will be more limited, as they could lead to discrimination and prejudice.

“There is a lot of information about us that people don’t know, but machines and computers do, and based on that information they draw conclusions about us and may decide whether or not we are eligible for a promotion, to get a health insurance plan, or, in some countries’ case, get a visa,” said lawyer and expert on personal data protection Danilo Doneda, a professor at the Rio de Janeiro State University and the Brasília Institute of Public Law.

Doneda explains that the bill sets forth provisions to fight this potential bias. According to the expert, if personal data processing by computer algorithms results in decisions that a citizen considers discriminatory, such as a loan rejection, they can request their case to be reviewed by a human being. “Automated decisions can be challenged, they can be reviewed by humans to correct discrimination that may ultimately be considered abusive,” he points out.

There are also different parameters for processing children’s information, such as requiring parent consent and prohibiting applications (such as social media apps and electronic games) from requiring children to register and provide their personal information in order to use them.

Brazil and abroad

The bill encompasses processing operations conducted in Brazil as well as data collected in the country, even if processed abroad. The rules also apply to companies or entities that offer goods and services to or process information about people based in Brazil. It also establishes that companies will have to guarantee data security, preventing unauthorized access and any kind of data leak. In case of security incidents that may result in damages, the company will have to report the breach to the people who have their information leaked and to the appropriate agency.

For example, while Facebook collects records about Brazilian people and processes their data in US-based servers, it would still have to abide by Brazilian rules. The international transfer of data is allowed, as long as the destination country has an equivalent level of personal data protection or if the company responsible for processing the data can guarantee the same conditions required by law, providing agreements or corporate rules to prove it.

Danilo Doneda says the bill addresses much more than just privacy protection, and it’s also about guaranteeing the exercise of democratic rights. “Data protection emerged in Europe, not as a matter of protecting privacy, but because of [concerns about] social control. The first laws [in this sense] came about because of a social rejection of totalitarian regimes that used personal data to keep records of citizens. That has produced ‘antibodies’ in the European social system,” he argues.


Edited by: Juca Guimarães | Translated by Aline Scátola