Privacy and the commercial use of personal data have been trending topics since recent incidents involving data breaches, leaks and cyber attacks. On August 14, 2018, the Brazilian Data Protection Law (Law No. 13,709/2018) was enacted, and it will come into force in February 2020. Based on the European Union General Data Protection Regulation (“GDPR”), the Brazilian law seeks to protect the privacy of citizens.
The law establishes that the collection or acquisition of data must be explicitly allowed by the individual. In addition, consent is required not only for providing the data but also for its use. The individual will have the right to revoke that consent by written request at any time. Furthermore, the data subject will have the right to request, at any time, that data which is unnecessary, excessive or improper according to the law be anonymized, blocked or eliminated.
The controller, who is responsible for decisions related to the processing of personal data, will be obligated to inform the data subject explicitly which data are being collected and for what purpose, and must give prior notice of any change in how the data will be used. Additionally, the national authority (to be created) can request a report containing a description of the collected data, the methodology used for its acquisition and for its security, and an analysis of the processing mechanisms in place to protect the data and mitigate the risk of incidents. Violations of the obligations set out in the privacy law can be severely fined, up to 50 million reais (R$ 50,000,000.00).