Brazil’s new data protection legislation, explained

Jul 13, 2018

Brazil’s data protection act was inspired by European legislation

In a 2016 book titled L’Homme Nu (literally “The Naked Man”), French authors Marc Dugain and Christophe Labbé discuss how tech giants own our data – and essentially our lives. Being able to sell our private data to the highest bidder is, in the authors’ opinion, the real danger of the century. Not terrorism, not by a long shot.

Recent scandals have shed light on this danger and exposed parts of a very secretive industry: how companies profit from our information. Remember the Cambridge Analytica scandal? The controversial British company used the data of 87 million people (Brazilians included) with electoral intentions – pushing campaigns such as Brexit and Donald Trump’s U.S. presidential bid. Since the scandal broke, the firm folded, but its directors have another company waiting to take its business.

Countries have tried to tame this use of personal data. On May 25, the European Union enacted the General Data Protection Regulation (GDPR), a privacy legal framework designed to make sure users know and understand how and for what purpose companies collect their data. The GDPR doesn’t allow companies to use personal data without explicit consent from users. Remember receiving a boatload of notifications about privacy policy updates? Well, you can thank GDPR for that.

Brazil has just passed similar legislation, based on the European framework. We break down what changes in the country:

The need for consent

The law will come into effect in 2020, giving companies 18 months to adapt to the new rules. After that point, personal data can only be collected with explicit consent – otherwise, the company will be infringing the law. Companies will also have to inform users whether the information will be shared with other entities. If that’s the case, they will need a separate consent form.

This goes for public and private entities, based in Brazil or abroad. It means that both Google and Facebook, for example, will have to comply with Brazil’s General Personal Data Protection Act if they want to maintain their Brazilian operations.

Users can revoke consent at any given moment, after which data can no longer be collected. Exceptions to the law are cases of public security, national defense, or journalistic investigations.

No generic terms of consent

Companies can no longer use deceptive small-print forms or generic terms. Terms of consent must be highlighted from the rest of the text – and the wording has to be clear and specific. Consent based on broad terms will be automatically voided.

Data collected must be coherent with apps

Remember those personality quizzes on Facebook that ended up collecting your political preferences, socioeconomic data, and consumer behavior? Those will no longer be legal. Companies can only collect information that is relevant to the service they provide. For instance, a car-sharing app can access your location, or a video-call app can access your camera and microphone. But the rule will be to collect as little information as possible.

Medical information cannot be sold to third parties

Information collected by healthcare services is now considered to be “sensitive personal data.” According to the law approved by Congress, medical information cannot be used for “economic gain.” Entities conducting studies on public healthcare issues can still access databases as long as their use is strictly for research purposes.

Ethnicity, religion, sexual preferences

The bill also deems as sensitive personal data “any data relative to someone’s religious, political or sexual preferences, philosophical convictions, nationality, ethnicity, participation in social or political movements, health, genetic or biometric information.”

Data of minors

Starting in 2020, any data from minors can only be collected with the explicit consent of their parents or legal guardian. No company can make minors’ participation in games or apps conditional on the supply of their personal data.

Compliance officer

Companies – and state institutions – must publicly name the person responsible for the treatment of users’ personal data. The Data Protection Officer – who will act as a form of “compliance officer” – must oversee all data treatment policies within an organization and make sure they are in line with legislation.

The European Union also created this position – which will create over 28,000 jobs across the bloc. In Brazil, estimates suggest the market for such professionals will also be in the tens of thousands, due to the market’s size. Brazil accounts for almost 100 million Facebook users alone, for instance.

Checks and balances

If there’s a security breach, authorities must be immediately informed. Companies cannot mimic Uber, which disclosed a hacker attack that leaked personal data from millions of users one year after it happened. Companies that suffer leaks can face fines of up to BRL 50 million per infraction and could be barred from continuing to collect users’ data.

According to Brazil’s General Personal Data Protection Act, data cannot be used to the detriment of users. So, if a bank rejects someone’s credit application based on data it has collected, the applicant can appeal and even demand an audit to verify whether the decision was based on discriminatory information, such as gender, ethnicity, religion, or sexual orientation.

The Brazilian Report

We are an in-depth content platform about Brazil, made by Brazilians and intended for foreign audiences.
