On 14 August 2018 President Michel Temer sanctioned the new Brazilian General Data Protection Law (LGPD), which regulates the processing of personal data by individuals, private entities and public authorities.
The LGPD reproduces some of the central points of the European General Data Protection Regulation (GDPR), which became effective on 25 May 2018 and which imposes significant compliance obligations on companies that process data or offer services to individuals in Europe. In common with the European legislation, the LGPD establishes the principle of extraterritoriality: the Law also applies to companies based outside Brazil that process data collected in Brazil or provide services intended for Brazilians.
The Bill of Law that was the starting point for the LGPD was widely discussed for about eight years in various sectors of Brazilian society (including public agencies, data specialists and companies) and its approval is a major step forward for the country in terms of data protection. The new Law is expected to foster business and bring greater legal certainty to relationships involving the processing of personal data.
To create an environment offering enhanced protection for consumer data, the new legislation creates requirements and obligations with which organisations and individuals involved in processing data will have to comply. These requirements include, for example, the need for free, specific and revocable consent from the data subject; easier access to information about data processing; a right for the data subject to demand the correction or deletion of data; and specific rules on international data transfers.
The Bill of Law submitted for approval to the Presidency was subject to certain vetoes, justified by public interest arguments and the possible unconstitutionality of certain articles. Sections that prohibited the sharing of...