Brazil’s new General Data Protection Law is sanctioned by the President
On August 14th, the Brazilian President Michel Temer sanctioned the Brazilian General Data Protection Law (“LGPD”), which will become effective as of February 2020.
Clearly reminiscent of the General Data Protection Regulation (GDPR), in force in the European Union since May 2018, the LGPD establishes a broad data protection regime in Brazil and imposes specific rules for the collection, use, processing and storage of personal data, both electronic and physical.
As per the new Law, personal data is “any information that may allow the exact and precise identification of a certain person”, which should be interpreted as any data such as name, address, e-mail, age, marital status, and financial situation, obtained from any type of medium or means (paper, electronic, computer, sound, image or other). Sensitive data is also covered by the LGPD, encompassing information relating to social and ethnic origin, genetics, sexual orientation and political opinion.
Amongst the several aspects encompassed by the LGPD, the main elements covered thereby include:
It should be noted that the Brazilian President vetoed several sections of the LGPD, such as the establishment of a regulatory board, the National Data Protection Authority (NDPA), and justified his veto by reference to a formal legal obstacle allowing the establishment of new regulatory bodies only through Executive Power initiative (and not by means of Parliament-approved law).
As for the penalties established by the LGPD for non-compliance with its requirements, the fines amount to 2% of gross sales (of the company or a group of companies) or a maximum sum of R$ 50,000,000.00 (fifty million BRL) per infringement, approximately USD 12.9 million.