By Renato Opice Blum and Camila Rioja.
The Brazilian House of Representatives approved the data protection draft bill (PL 53/2018) Tuesday night (May 29th). The draft bill will now be forwarded to the Senate for analysis and possible approval. It is worth mentioning, as regards jurisdiction, that all companies — despite their location — that treat or aim at Brazilian data (i.e. generated within the country) will be subject to its provisions. Another important provision is granted by Article 33 (I): cross-border data transfer will be made easier among countries that meet adequate data protection standards.
In accordance to the draft bill provisions, data collection and use will require, among other hypothesis, consent from users, and further use of such information by companies (e.g. in researches) is allowed upon express consent. Several industries will be affected by such provisions, including banks and the government. The draft bill also provides for the joint liability of companies involved in breaches (e.g. economic groups/conglomerates), and penalties provided reach as high as 2% of the companies’ or conglomerate gross revenues (limited to a BRL 50 million cap, roughly USD 15 million).
It’s worth mentioning that another draft bill concerning data privacy is under discussion in the Senate (PLS 330/2013). Both projects were facing delays in the processing mainly due to the Brazilian political scenario, but were pushed forwarded by two main events: the Cambridge Analytica scandal and the European General Data Protection Regulation (GDPR) that came into force May 25th, 2018.
Stay tuned for more information on the further developments of the data protection legislative scenario in Brazil. For the full Portuguese version of the draft bill (PL 53/2018), click here.