The 14th of August, 2018 is the deadline for President Michel Temer to sanction the Brazilian General Data Protection Law ("LGPD"), which regulates the processing of personal data by individuals, private entities and public authorities.

The LGPD reproduces some of the central points of the General Data Protection Regulation (GDPR), the European regulation that became effective on May 25th, and which requires quite significant compliance measures by companies that process data or offer services to individuals in Europe. Similarly to the European legislation, the LGPD establishes the principle of extraterritoriality, that is, the Law also applies to companies based outside Brazil that process data collected in the national territory or provide services intended for Brazilians.

Aiming to create a more protective environment for consumer data, the new legislation carries relevant requirements and obligations, which definitely deserve the attention of data processing agents. These requirements include, for example, the need for free, specific and revocable consent of the data subject; facilitated access to information about the processing; the data subject's right to demand correction or deletion of the data; and specific rules for international transfers.

Once the Law is approved, data processing agents will have 18 months to adapt to the new rules.

See the final draft of the Bill of Law (content in Portuguese).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.