Lobo de Rizzo Advogados

 

What law(s) specifically govern personal data / information?

Law No. 13.709/2018 (“Brazilian General Data Protection Law” or “LGPD”)

 

What are the key data protection principles in this jurisdiction?

Purpose: processing shall be done for legitimate, specific and explicit purposes informed to data subjects, with no subsequent processing not related to the referred purposes being allowed;

Suitability: compatibility of the processing with the purposes communicated to the data subject, in accordance with the context of the processing;

Necessity: limitation of the processing to the minimum necessary to achieve its purposes, and the data must be limited to what is relevant, proportional and non-excessive in relation to the purposes for which such data is being processed;

Free access: facilitated and free of charge consultation by data subjects about the form and duration of the processing, as well as about the integrity of their personal data;

Quality of the data: guarantee of the accuracy, clarity, relevancy and updating of the data, in accordance with the need for achieving the purpose for which the data is being processed;

Transparency: guarantee of clear, precise and easily accessible information by data subjects about the processing of their personal data and the respective processing agents, subject to commercial and industrial secrecy;

Security: adoption of technical and administrative measures which are appropriate to protect the personal data from unauthorized access, accidental or unlawful destruction, loss, alteration, communication or dissemination;

Prevention: adoption of measures for the prevention of damages arising from the processing of personal data;

Non-discrimination: prohibition of the processing for unlawful or abusive discriminatory purposes; and

Accountability: ability by processing agents to demonstrate the adoption of measures which are efficient and capable of proving the compliance with the data protection rules, including the efficacy of such measures.

 

What is the supervisory authority / regulator in charge of data protection?

The National Data Protection Authority (“ANPD”).

 

Is there a requirement to register with a supervisory authority / regulator?

Currently, no registration is required.

 

Is there a requirement to notify the supervisory authority / regulator?

Notification of the ANPD will be required in the event of (i) risk or material damage to data subjects; or (ii) changes in the guarantees presented to the data subject for the international transfer of data in the form of (a) specific contractual clauses for a given transfer; (b) standard contractual clauses; (c) global corporate rules; or (d) regularly issued stamps, certificates and codes of conduct.

 

Is it possible to register with / notify the supervisory authority / regulator online?

The ANPD provides a link for the filing of data breach notifications: https://www.gov.br/anpd/pt-br/assuntos/incidente-de-seguranca

The ANPD provides a link for the submission of documents online: https://www.gov.br/secretariageral/pt-br/sei-peticionamento-eletronico

 

What are the key data subject rights under the data protection laws of this jurisdiction?

The personal data subject has the right to obtain the following from the controller, at any time and upon request:

  • Confirmation of the existence of the processing;
  • Access to the data;
  • Correction of incomplete, inaccurate or out-of-date data;
  • Anonymization, blocking or deletion of unnecessary or excessive data or data processed without compliance with the provisions of the LGPD;
  • Portability of the data to another service or product provider, upon request and subject to commercial and industrial secrecy, and to the ANPD’s further regulations;
  • Deletion of personal data processed with the consent of the data subject, except in the situations provided for in the LGPD;
  • Information about the names of public and private entities with which the controller has shared data;
  • Information about the possibility of denying consent and the consequences thereof; and
  • Withdrawal of consent.

 

Is there a requirement to appoint a data protection officer (or equivalent)?

The LGPD expressly states that a controller must appoint a data protection officer (DPO), regardless of the volume, type or relevance of data processing activities.

The DPO will be responsible for:

  • Receiving complaints by data subjects, providing clarifications and taking measures in respect of such complaints;
  • Receiving notifications from the ANPD;
  • Providing guidance to employees and agents hired by the company in connection with data protection best practices; and
  • Performing other duties assigned by the controller or provided for in applicable regulations.

The ANPD has released guidance (available only in Portuguese) with the following non-binding guidelines that data controllers should consider when appointing a DPO:

  • The DPO may be a company or an individual (internal or external to the organization);
  • A data protection team may support the DPO;
  • The DPO should have autonomy to freely carry out their duties;
  • The DPO should be appointed by a formal act (e.g. signed agreement or corporate document);
  • Data controllers may determine professional qualification requirements for their DPOs;
  • A single DPO may act on behalf of different entities, provided it is capable of acting effectively.

While regulation is pending, there is no need to communicate or register the identity and contact details of the DPO with the ANPD.

In addition, the ANPD issued Resolution CD/ANPD No. 2 determining that small processing agents (e.g. micro-enterprises, small businesses, startups etc.) are not required to appoint a DPO, though it is still considered a good practice by the ANPD. The resolution also provides guidelines and best practices for small data processing agents to assist them in implementing technical and administrative measures for the protection of personal data.

 

Do data protection/ privacy impact assessments need to be carried out in certain circumstances?

The LGPD does not include any explicit provisions on the measures for the mitigation of the risks and does not establish when a data protection impact assessment (“DPIA”) is required.

The ANPD may require data controllers to conduct and provide a DPIA for personal data processing activities that could generate risks to the civil liberties and fundamental rights of data subjects, especially when the processing activity is based on legitimate interest or involves sensitive data.

According to the LGPD, the DPIA must include at least:

  • A description of the types of data processed;
  • The methodology used for collection and to guarantee the security of the information; and
  • The description of the mechanisms used to mitigate the risks related to the processing of the personal data involved.

The ANPD is empowered to enact further regulations about which processing operations will require a DPIA.

 

Does this jurisdiction have any specific data breach notification requirements?

According to the LGPD, controllers must notify the ANPD and the data subject of security incidents that may result in material risks or damages to data subjects. Notice must be provided within a "reasonable" time, after which the ANPD may order the controller to alert the media and/or take other steps to mitigate the effects of the incident.

The data breach notices must contain, at least, the following:

  • A description of the nature of the personal data affected;
  • The categories of data subjects affected;
  • The technical and security measures adopted;
  • The risks related to the incident;
  • The reasons for any delayed communication, as the case may be; and
  • The measures adopted to revert or mitigate the effects of the damage caused by the incident.

The ANPD has published the following guidelines on data breach notification on its official website:

  • Controllers should be cautious and notify if there is any doubt about the relevance of the risks and damages involved. Any proven underestimation of risks and damages may be considered violation of LGPD.
  • While the regulation is pending, it is recommended that the notification be made within two working days from the date of the discovery of the data breach.

 

What restrictions apply to the international transfer of personal data / information?

International transfers of personal data are permitted in specific situations, such as:

  • Where the receiving countries or international organizations to which the data is transferred provide a level of protection of personal data similar to the LGPD;
  • When the controller ensures the compliance with the principles, the rights of data subjects and the regime of data protection provided in the LGPD, in the form of: (a) specific contractual clauses for a given transfer; (b) standard contractual clauses; (c) global corporate rules; or (d) seals, accreditations and codes of conduct regularly issued;
  • When the transfer is necessary for international cooperation with public intelligence, investigative and prosecutorial agencies, in accordance with the instruments of international law;
  • When the transfer is necessary for the protection of the life or physical safety of the data subject or of a third party;
  • When the ANPD authorizes the transfer;
  • When the transfer results from a commitment undertaken through international cooperation;
  • When the transfer is necessary for the execution of a public policy or legal provision of a public service;
  • When the data subject has given their specific consent for the transfer, with prior information about the international nature of the operation, with clear separation from consents given for other purposes; or
  • Whenever the transfer is required for the following purposes: (a) for compliance with a statutory or regulatory obligation; (b) whenever necessary for the performance of agreements or preliminary procedures to which the data subject is a party, at their request; and (c) for the regular exercise of rights in lawsuits, administrative or arbitration proceedings, according to Law No. 9.307/96 (Arbitration Law).

The level of data protection in the foreign country or international organization referred to in the first item above shall be evaluated by the ANPD, which shall take into consideration:

  • The general and sectorial legislation in force in the receiving country or international organization;
  • The nature of the data; the compliance with the general principles of personal data protection and data subjects’ rights as provided in the LGPD;
  • The adoption of security measures provided in applicable regulations;
  • The existence of judicial and institutional guarantees for respecting the rights of personal data protection; and
  • Other specific circumstances relating to the transfer.

Also, the contents of standard contractual clauses, the verification of specific contractual clauses for a particular transfer, global corporate rules and seals, accreditations, as well as codes of conduct referred to in the second item above will be issued by the ANPD.

Changes to the guarantees presented for compliance with the general principles of protection and of the data subject’s rights referred to in the second item above shall be communicated to the ANPD.

 

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

The LGPD applies to any processing operation carried out by a natural person or a legal entity of a public or private nature, irrespective of the means, the country of headquarters or data location, provided that:

  • The processing is carried out in the national territory;
  • The purpose of the processing is to offer goods or services or the processing of data of individuals located in the national territory; or
  • The personal data being processed was collected in the national territory.

The LGPD does not apply to the processing of personal data that:

  • Has its origin outside the national territory; and
  • Is not the object of communication, shared use with Brazilian processing agents or international transfer to another country that is not the country of origin, provided that the country of origin offers a level of data protection similar to the LGPD.

 

What rules specifically deal with marketing?

The LGPD does not address communications and marketing specifically. However, it is expected that the ANPD will provide further guidance on various specific situations, including clear directions and requirements for communications and direct marketing.

Besides general rules provided for in LGPD, marketing is regulated in Brazil mainly by the Brazilian Consumer Code (“Law No. 8,078/1990” or “CDC”) and certain legislation related to specific products, as in the case of health-related products.

Advertising is also subject to the ethical standards provided by the Brazilian Advertising Self-Regulation Council (Conselho Nacional de Autorregulamentação Publicitária, “CONAR”), a non-governmental agency composed primarily of advertising agencies, media vehicles, advertisers, consumers and representative associations.

Although CONAR rules are of a private nature, and thus non-mandatory for non-members of CONAR, courts and governmental authorities usually follow them when applying consumer law to advertising and marketing activities.

 

Do different rules apply to business-to-business and business-to-consumer marketing?

B2B contracts are generally not subject to the CDC.

However, it is worth noting that, according to the CDC, a company could be considered a consumer if it acquires the product or service as an end user, if the company is in a situation of vulnerability vis-à-vis the supplier of the products or services.

 

What rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?

With regard to electronic marketing, in the absence of specific mandatory rules, certain trade associations, companies, internet service providers, consumer protection and other associations have adopted a joint self-regulation e-mail marketing code, whose standards are regarded as the best practice in the Brazilian marketplace, although they are also not mandatory. The code considers as "ethically correct" e-mail marketing practices that rely on opt-in and soft opt-in (when it is possible to show the existence of a commercial or social relationship between the sender and receiver, even without the opt-in), provided that the e-mails always contain an opt-out mechanism. Although prior to the LGPD the code was regarded as reflecting the existing best practices, with the LGPD it is very likely that companies should rely on consent (opt-in) or legitimate interest (soft opt-in) to justify their marketing activities. It is expected that the ANPD will issue specific guidelines on direct marketing in future.

Finally, it is worth mentioning that some Brazilian states, such as São Paulo (Law No. 13,226/2008), have local laws that create a registration list for blocking telemarketing calls, with the purpose of preventing unsolicited marketing calls.

 

What rules specifically deal with cookies?

There are no specific regulations regarding the use of cookies in Brazil. However, to the extent that the use of cookies comprises the processing of personal data of internet users, it will be subject to the rules applicable to the processing of such type of information, including data subject's consent or the use of another legal basis.

The LGPD and the Brazilian Civil Rights Framework for the Internet (“MCI”) provide that the individual whose data is being collected must be given clear and comprehensive information about the collection, use, storage, processing and protection of their personal data, which includes information collected through cookies, beacons and other tracking technologies.

The ANPD has released non-binding guidance on cookies. Controllers are advised to implement an easy-to-view cookie notice allowing users to reject unnecessary cookies, as well as first- and second-level cookie banners (providing more detailed information on the different types of cookies and enabling users to manage cookies). Displaying notices, policies and banners only in a foreign language is not recommended. Special attention should be given to assessing the lawfulness of processing personal data obtained from cookies. The ANPD also stressed accountability requirements related to cookies, such as managing and documenting consent, as well as carrying out a legitimate interest assessment as needed.

 

What are the consequences of non-compliance with data protection laws (including marketing laws)?

Non-compliance with the LGPD may result in the following penalties, to be imposed by the ANPD:

  • Warning, with indication of a time period for the adoption of corrective measures;
  • Fine of up to 2% of the turnover of the private legal entity, group or conglomerate in Brazil in the latest fiscal year, excluding taxes, up to BRL 50,000,000 per violation;
  • Daily fine, subject in the aggregate to the maximum amount of the fine referred to in the previous item;
  • Disclosure of the infraction to the public after the due process of law;
  • Prohibition of processing the personal data to which the infraction relates, until remediation thereof; and
  • Deletion of the personal data affected by the violation.

In case of repeated non-compliance with the LGPD, more severe penalties may be applied, such as:

(i) partial suspension of the use of the database for up to 6 months; (ii) suspension of the personal data processing activity for the same period; and (iii) partial or total prohibition of data processing activities.

In addition, the ANPD issued Resolution CD/ANPD No. 1 on Inspection and Enforcement Administrative Procedures. The resolution covers the inspection process and provides rules and procedures the ANPD must follow during the administrative process, including the application of sanctions.

Under the MCI, violations of the rules on the processing of records, personal data or communications may subject service providers to a fine of up to 10% of the turnover of the corporate group in Brazil in its latest fiscal year, taxes excluded, taking into account the economic status of the offender and the proportionality between the seriousness of the offense and the intensity of the sanction.

In respect of a foreign company, the subsidiary, branch, office or establishment located in the country will be held jointly liable for the payment of the fine described above. Nevertheless, the MCI rules are rarely enforced against companies.

It is worth mentioning that neither LGPD’s nor MCI's fines replace the application of administrative, civil or criminal sanctions defined in other laws, such as those under the CDC.

The undue disclosure of consumers’ personal data is considered a violation of consumers’ rights and may be subject to the payment of a fine. Fines related to violations of consumers’ rights vary from less than BRL 5,000 up to BRL 22 million.

Ordinance 45/2015 provides a formula for the calculation of the fine, which takes into account (a) the gross turnover of the company; (b) the economic size of the company; (c) the nature of the violation; and (d) the benefits arising from the violation: fine = company size + (gross revenue / 12 x 0,01) x (nature of the violation) x (benefit).

The CDC also imposes criminal liability (between 6 to 12 months’ imprisonment or the payment of a fine) for certain conducts that may qualify as a criminal offence, such as preventing or hindering consumer access to their information or refusing to correct inaccurate consumer information (Articles 72 and 73 CDC), although the imposition of criminal liability for violation of cybersecurity and data protection laws is very rare.

The Bank Secrecy Law (Complementary Law 105/2001) punishes breach of the secrecy of users’ financial operations, and of the financial services provided to them, with one to four years’ imprisonment and a fine.

Only individuals can be prosecuted for criminal offenses in Brazil (with the only exception of crimes against the environment).

 

In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction, without being located there?

The CDC provides that the defense of consumers’ interests must be facilitated. Accordingly, courts usually apply Brazilian law to any disputes arising from B2C relationships. In addition, the choice of foreign law for the resolution of disputes resulting from services provided in Brazil is regarded as invalid.

The MCI establishes that clauses of standard form contracts shall be deemed null and void unless the consumer is offered the possibility of choosing Brazilian courts to resolve disputes arising from services provided in Brazil.

In a civil lawsuit, the court may reverse the burden of proof in favour of the data subject or consumer if the court finds the allegation likely to be true, the consumer has a lack of resources to bear the burden of proof or when the production of evidence by the data subject would be excessively burdensome.

 

What upcoming data protection developments should multinational organisations be aware of?

The ANPD released its regulatory agenda for the biennium 2023/2024, establishing high-priority topics over the next two years, among which are (a) the regulation of dosimetry and application of administrative sanctions; (b) communication of incidents and specification of the notification deadline; (c) international transfer of personal data; (d) processing of personal data of children and adolescents and biometric data (sensitive personal data); (e) regulations on artificial intelligence, DPIA and DPO; and (f) regulation of criteria for recognizing and disclosing rules on good practices and governance.

 

Danilo Martins Braga
Lobo de Rizzo Advogados
São Paulo, Brazil