Law and the regulatory authority
Summarise the legislative framework for the protection of personal information (PI). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments or laws of other jurisdictions on privacy or data protection?
The Brazilian Federal Constitution grants protection to the intimacy, private life, honour and image of the individual as a fundamental right (section 5, X of the Brazilian Federal Constitution). In the legal sphere, historically, Brazil has adopted a sectorial regulation on privacy, data protection and cybersecurity matters.
More recently, the Brazilian Congress passed a general data protection law, Law No. 13,709/2018 (the LGPD), which has significantly transformed the data protection system in Brazil. The LGPD is inspired by the EU’s data protection framework, particularly the General Data Protection Regulation (GDPR). On 8 July 2019, the president sanctioned Law No. 13,853/2019, which created the National Data Protection Authority (ANPD) and amended certain provisions of the LGPD.
The LGPD entered into force in September 2020. It establishes detailed rules for the collection, use, processing and storage of personal data and will affect all sectors of the economy, including the relationship between customers and suppliers of products and services, employees and employers, transnational and national commercial relations, as well as other relations in which personal data is collected in the digital environment or outside the digital environment.
In light of the covid-19 pandemic, the Brazilian Congress passed Law No. 14,010/2020 that, among other things, postponed the enforceability of the administrative sanctions provided for by the LGPD to August 2021. Since then, the administrative sanctions have officially been in force.
Data protection authority
Which authority is responsible for overseeing the data protection law? What is the extent of its investigative powers?
The ANPD is the government agency with technical autonomy but connected to the Cabinet of the Presidency, responsible for overseeing, issuing guidelines and enforcing the LGPD. Law No. 13,853/2019 expressly provides that ANPD has exclusive jurisdiction in relation to LGPD and, concerning the protection of personal data, such jurisdiction shall prevail over other public entities or organisations. Additionally, Decree No. 10,474/2020 regulates the governance structure of the ANPD and sets forth the responsibilities of the board of directors and other bodies that are part of the ANPD. In January 2021, the ANPD issued its regulatory agenda, which addresses actions considered to be the top priorities for LGPD regulation until the end of 2022.
Cooperation with other data protection authorities
Are there legal obligations on the data protection authority to cooperate with other data protection authorities, or is there a mechanism to resolve different approaches?
The LGPD provides that the ANPD shall cooperate with other government bodies in relation to data protection matters but shall remain the central body concerning the interpretation of the LGPD. In addition, the ANPD has jurisdiction to promote cooperation actions with data protection authorities of other countries or international agencies.
Breaches of data protection law
Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?
Breaches of data protection law may lead to administrative investigations handled by the ANPD, which shall grant the right to present a defence and to appeal, and may result in administrative sanctions. Breaches of data protection law do not normally lead to criminal penalties or liability. The sanctions that may be applied by the ANPD are the following:
- warnings, which will include a deadline for the adoption of corrective measures;
- a one-time fine of up to 2 per cent of the net turnover of the infringing entity’s conglomerate in Brazil in its preceding fiscal year, excluding taxes, up to 50 million reais per violation;
- a daily fine, which is also subject to the limits set out above;
- disclosures of the violation after it is verified, and its occurrence confirmed;
- the blocking of personal data corresponding to the violation until the controller’s processing operations are brought into compliance;
- elimination of personal data corresponding to the violation;
- the partial suspension of the database to which the infraction refers for six months, extendable for another six months;
- the suspension of the data processing activity to which the infraction refers for six months, extendable for another six months; and
- a partial or complete prohibition of any data processing activities.
Exempt sectors and institutions
Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?
Law No. 13,709/2018 (LGPD) does not apply to the processing of personal data performed exclusively:
- by individuals for private and non-economic purposes;
- for journalistic, artistic or academic purposes;
- for public security, national defence or state security purposes; and
- for investigation and prosecution of criminal offences.
Processing operations involving personal data originating in other countries, or destined for other countries, that only pass through the national territory without any other processing operation being carried out in Brazil are also not subject to the LGPD. Except for the foregoing, the LGPD covers all sectors and types of organisations. It has not revoked other sector-specific legislation, which shall continue to apply.
Interception of communications and surveillance laws
Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals?
The LGPD mainly covers matters related to electronic marketing and the monitoring and surveillance of individuals, but other laws also address these issues.
The Civil Rights Framework for the Internet in Brazil is Law No. 12,965/14 (the Internet Act), which provides that the storage and availability of connection logs and access logs to internet applications, as well as of personal data and the contents of private communications, must respect the intimacy, private life, honour and image of the parties directly or indirectly involved. The content of private communications may only be provided under a court order, as provided by law.
The confidentiality of telephone and computer communications is protected under the Wiretap Act (Law No. 9,296/96) and the Telecommunications Act (Law No. 9,472/97). The Wiretap Act provides that the access to and interception of telephone and telematics communications may only occur under the authority of a valid court order in criminal investigation proceedings. The Telecommunications Act provides that clients’ information can only be used for the purpose of delivering services and that telecom bills can only be revealed upon the express consent of the user or by a valid court order.
On electronic marketing, Brazil has the Self-Regulation Code for Email Marketing Practice 2009 (the Email Code), which representative entities of marketing companies, internet service providers and consumers have signed. The Email Code permits electronic marketing on an opt-in or soft opt-in basis (the latter when there is evidence of a previous commercial relationship between the sender and the recipient). In these cases, senders do not need express consent from recipients but must provide an option to opt out. Although it predates the LGPD, the Email Code is consistent with it, as organisations may rely on consent (opt-in) or legitimate interest (soft opt-in) to justify the sending of electronic communications.
Concerning the monitoring and surveillance of individuals, labour precedents establish some rules on the monitoring of employees. Generally, court decisions uphold that the monitoring of computer systems made available to employees is allowed. Therefore, IT resources made available for the exercise of the employees’ functions may be subject to surveillance. The surveillance of employees’ personal devices may be possible (eg, in the event a professional email account is installed in the employee’s mobile phone or computer) to the extent that it focuses only on the company’s information. Employees’ personal email shall not be monitored or accessed by the employer, and employees shall be informed in advance by their employer about all monitoring activities performed.
Are there any further laws or regulations that provide specific data protection rules for related areas?
Data processing on the internet
The Internet Act establishes rules applicable to internet services and applications. Under the Internet Act, access logs to the internet and internet applications shall be retained for a period of 12 and six months, respectively.
The Medical Ethical Conduct Code (Federal Council of Medicine, Resolution No. 2,217/18) provides for certain rules on the protection of patients’ information and medical records. Subject to limited exceptions, a patient’s data may only be disclosed to third parties with his or her written consent. The Federal Council of Medicine also governs the use of computer systems for the storage, handling and retention of such data, authorising the electronic storage of documentation instead of paper. The Electronic Medical Chart Law (Law No. 13,787/2018) provides for the digitalisation and use of computerised systems for storing and handling patient records. The Ministry of Health and the National Health Surveillance Agency (ANVISA) provide specific rules applicable to data processing activities in clinical trials. Recently, Resolution No. 2,314/2022, issued by the Federal Council of Medicine, and Resolution No. 696/2022, issued by the Federal Council of Nursing, established new rules for telemedicine and tele-nursing, which include the protection of personal data in line with the obligations provided by the LGPD.
Pursuant to the Bank Secrecy Act (Complementary Law No. 105/01), financial institutions such as banks, credit card administrators and the stock exchange must maintain strict confidentiality over the financial transactions and financial information of their clients. Resolution Nos. 4,480 and 4,474 of 2016, issued by the National Monetary Council, regulate, respectively, the opening and closing of bank accounts by electronic means and the digitalisation of documents, providing specific cybersecurity rules to ensure privacy in those situations. Resolution No. 4,893/2021, recently issued by the National Monetary Council, replaces Resolution No. 4,658/2018 and determines that financial institutions shall implement and maintain a cybersecurity policy and an incident plan, and shall observe certain requirements when engaging data processing, storage and cloud service providers. Similarly to Resolution No. 4,893/2021, Circular No. 3,909/2018 establishes the same cybersecurity rules for payment institutions. Finally, Joint Resolution No. 1/2020, issued by the National Monetary Council and the Central Bank, sets forth the rules for the standardised sharing of data and services by means of opening and integrating the platforms and infrastructures of information systems (ie, open banking).
Concession of credit
The Good Payer’s Database Act (Law No. 12,414/11) regulates the creation, and the consultation by third parties, of a central database containing credit scoring and payment history information on natural or legal persons for the purpose of building a credit history. Any legal entity or individual may consult the database to support its credit risk analysis and its decisions on the granting of credit, payment in instalments or other commercial and business transactions that involve financial risk to the party consulting the database. Decree No. 9,936/2019 regulates the Good Payer’s Database Act, establishing complementary rules for the creation of a central database for the purpose of building credit history, including the obligations and responsibilities of the parties involved, data subjects’ rights, transparency requirements and notification requirements in the case of a data breach.
The Information Access Act (Law No. 12,527/11) governs the use and processing of data by the public administration and establishes rules and procedures by which individuals may request details of the information collected by the public administration.
What categories and types of PI are covered by the law?
The LGPD defines ‘personal data’ as information related to an identified or identifiable natural person, and covers any processing of such personal data carried out by any means, whether in digital media or in the physical environment.
Is the reach of the law limited to PI owners and processors physically established or operating in your jurisdiction, or does the law have extraterritorial effect?
No. The LGPD has significant extraterritorial reach, applying to any processing activity carried out within the Brazilian territory and out of the Brazilian territory, regardless of where the processing agents are domiciled or the data are located, as long as:
- the purpose of the processing activity is to offer or provide goods or services in Brazilian territory;
- the purpose of the processing activity is to process personal data of individuals located in Brazilian territory; and
- the personal data is collected in Brazilian territory.
Covered uses of PI
Is all processing or use of PI covered? Is a distinction made between those who control or own PI and those who provide PI processing services to owners? Do owners’, controllers’ and processors’ duties differ?
The definition of ‘processing’ established in the LGPD encompasses almost any activity performed with personal data. Under the LGPD, ‘processing’ is defined as any operation performed with personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, elimination, evaluation or control of the information, modification, communication, transfer, dissemination or extraction. In practical terms, any processing operation involving personal data shall be subject to the LGPD.
Also under the LGPD, processing agents may be defined as controllers or processors. The controller is the natural or legal person, whether public or private, who is responsible for decisions concerning the processing of personal data. The processor is a natural or legal person, whether public or private, who performs the processing of personal data on behalf of the controller and only under the controller’s instructions.
The controller has more obligations than the processor, but both must comply with some duties equally. The LGPD neither defines those that ‘own’ PI nor sets distinct requirements for them.
For example, controllers and processors must:
- abide by data processing principles provided in the LGPD; and
- adopt technical and organisational measures to protect personal data from data incidents.
In addition, controllers must, for example:
- appoint a data protection officer (DPO);
- make easily accessible information to the data subject on how personal data is processed;
- justify and document the data processing under one of the 10 lawful bases outlined in the LGPD, which include, but are not limited to:
  - the consent of the data subject;
  - compliance with a legal obligation;
  - performance of a contract;
  - legitimate interest; and
  - sensitive data;
- justify and document the lawful bases for transfer of data out of the country, when applicable;
- comply with the data subject’s rights;
- perform privacy impact assessments, when required;
- comply with the specific requirements for obtaining the consent and processing children’s personal data; and
- notify the data protection authority in the event of an incident, such as unauthorised disclosure or use of personal data.
Both controllers and processors may be jointly and severally liable for the processing of data in activities in which they are involved.
Law stated date
Give the date on which the information above is accurate.
24 May 2021.