A new law on the protection of personal data will dramatically change storing and processing of personal data in Brazil.
The law was sanctioned in August 2018, and public agencies as well as private corporations were given 24 months to adapt to this new reality. The new act will come into effect in August 2020.
In an event organized by the NBCC Legal committee on February 25, the new law was debated and the different aspects of it discussed in detail, with a special focus on the implications of the law on the dynamics in labor relations. The event took place in the offices of NBCC associate BMA Advogados, and the main speakers were José Eduardo Pieri and Luiz Marcelo Góis.
The new law defines the situations in which different personal information can be collected and used. The intention is to protect the privacy of the individual and the new law defines sensitive personal data as those referring to race or ethnic origin, religion, political views, memberships in trade unions or other organizations, data on health and sex life as well as genetic data. The law requires specific consent for the collection and processing of such data, as well as the processing of data for children and minors. The idea is to protect the personal data to avoid that it is used in ways that could potentially bring harm to the individual. Before Law 13.709. 2018 was sanctioned, the topic of data processing was covered in several different laws, like the Brazilian Constituton, the Civil Code and the Consumer´s Code.
In his address, Mr. Pieri focused on the how the new law is «business-friendly», and how Brazil following in the footsteps of the European Union, makes collaboration and cross-border operations between European and Brazilian corporations easier.
The new law could potentially stimulate new investments and create a more business-friendly environment in Brazil.
«The new law gives directions on when you are legally allowed to access and use personal data. Data on employees can as an example be used if anonymous, as well as in the investigation of fraud cases», he said. The law does not apply if national security is in question, nor for journalistic purposes.
Several dilemas were addressed by the speakers at the NBCC event, and several discrepancies between how personal data is processed today and the directions given in the new law, were brought to the center of the debate by the participants.
As an example, NBCC Legal Coordinator Alexandre Calmon asked how data can be used in due diligence in a merger and acquisition process.
No regulatory body is yet in place and it is not clear how the sanctions and penalties will be applied. In the corporate sphere, data controllers need to be appointed, and this is an innovation. The law also separates controllers and operators of data, and defines their different responsibilities.
The penalties range from a simple warning to fines, public disclosure of the violation after due diligence, suspension of access to data on different levels, all with great consequences to a corporation.