On May 29 the Lower House of the Brazilian Congress approved bill 4060/2012. If the proposed legislation passes the Senate, Brazil would be one of the first countries in Latin America to have a general data protection law in line with modern regulations in the digital era.
A data protection law for Brazil
The bill is the product of two years of work by the Special Commission for the Treatment and Protection of Personal Data. It complies with many of the provisions in the General Data Protection Regulation in the European Union, which has been an influence in the Brazilian legislative debate. The Special Commission held eleven public hearings that incorporated the input and comments from different stakeholders, including civil society. This has led to a comprehensive approach that includes fundamental protections for users’ data, such as:
- the obligation for the public and the private sectors to require user consent to process and store personal data;
- the inclusion of user rights such as the rights to access, erase, and rectify data;
- important sanctions for companies that violate the law (2% of their last year’s turnover); and
- the necessity for third countries to have an adequate protection level for the international transfer of data, among many other positive provisions.
To implement these objectives and enforce the law, the bill also creates the Data Protection Authority and a National Council for the Protection of Personal Data.
A data protection law like this is imperative for Brazil. Privacy concerns driven by the Snowden revelations in 2013 have only deepened with the recent Cambridge Analytica scandal. The upcoming federal elections highlight the importance of addressing the issues surrounding the collection and use of personal data for targeted political advertising.
What’s next? Review in the Senate
Now that it has passed in the Lower House, the bill will be considered in the Senate. There is another pending bill on data protection in the Senate, bill No. 330/2013, introduced by Antonio Valarades and under revision by Senator Ricardo Ferraço. That is a worrisome draft bill, since it carves out broad exceptions for the processing of personal data by the public sector, makes it impossible to request the deletion of data, lacks a specific regime for sensitive data, and does not contain sufficient sanctions for companies when they violate the law, among other issues.
The Brazilian Coalition for Digital Rights has an open letter that details the problems with bill No. 330/2013. At the same time, the Brazilian Institute of Consumer Defense (IDEC) has published a technical note advocating for approval of bill 4060/2012, which explains why it would be an important step towards comprehensive data protection in Brazil and a very good example for the Latin American region.