Privacy & Information Security Law Blog

On January 28, 2015, the Brazilian government issued the Preliminary Draft Bill for the Protection of Personal Data (Anteprojeto de Lei para a Proteção de Dados Pessoais) on a website specifically created for public debate on the draft bill. The text of the bill (in Portuguese) is available on the website. (http://participacao.mj.gov.br/)

The draft bill applies to individuals and companies that process personal data via automated means, provided that the (1) processing occurs in Brazil or (2) personal data was collected in Brazil. The draft bill would impose data protection obligations and requirements on businesses processing personal data in Brazil, including a:

• Requirement to obtain free, express, specific and informed consent to process personal data, with limited exceptions. For example, consent is not required if the personal data is processed to (1) comply with a legal obligation or (2) implement pre-contractual procedures or obligations related to an agreement in which the data subject is a party.
• Prohibition on processing sensitive personal data, except in limited circumstances. For example, sensitive personal data may be processed with the specific consent of the data subject after the data subject has been informed of the risks associated with processing the sensitive personal data. Sensitive personal data includes, among other information, racial and ethnic origins, religious, philosophical or moral beliefs, political opinions, health and sexual orientation information, and genetic data.
• Obligation to immediately report data breaches to the competent authority.
• Requirement to allow data subjects access to their personal data and correct it if it is incomplete, inaccurate or out-of-date, with limited exceptions.
• Restriction from transferring personal data to countries that do not provide similar levels of data protection.
• Obligation to adopt information security measures that are proportional to the personal data processed and protect the information from unauthorized access, destruction, loss, alteration, communication or dissemination.

The draft bill contains penalties for violations, including fines and the suspension or prohibition of processing personal data for up to 10 years. Participation in the discussion is open to the public and comments on the draft bill may be submitted on the website. All comments must be in Portuguese and targeted to specific articles of the draft bill. The deadline for comment submission is February 27, 2015.