By Leonardo Neri
On May 29, 2018, the Chamber of Deputies approved Bill (“PL”) No. 53/2018, better known as the General Personal Data Protection Law, resulting from the merger of two other previous bills, PL 4,060/2012 and PL 5,276/2016. Bill No. 53/2018 is currently awaiting approval by the Senate and, subsequently, sanction by the President of the Republic, for it to come into force.
The Bill provides for the creation of a National Council for the Protection of Personal Data and Privacy, which will be responsible, among other functions, for broadly debating the topic, with freedom to create proposals and studies to illustrate to society the impacts of the norm on people's daily lives.
The project presents principles and concepts that must be followed by all private and public bodies that maintain, collect, store, sell or otherwise process personal data acquired within the national territory.
Currently, in Brazil, existing regulations on the matter are subject to the Internet Civil Rights Framework, the Access to Information Law and the Consumer Protection Code and, in general, are too superficial and sparse to regulate a subject that has been taking on such specificity and magnitude around the world.
The relevance of this new measure for Brazil is due to a number of reasons: firstly, it will apply even if the data processing occurs outside Brazil (if the entity that does so has headquarters, a branch or representation in the country, or if there is a mass offering of personal data to holders who are within the limits of our territory); secondly, such scope may impact business between Brazilian companies and those in the European Union, for example, which recently enacted its own legislation, in light of the New General Data Protection Regulation (GDPR).
Therefore, without specific legislation, Brazil will become more commercially isolated and may face serious difficulties in carrying out commercial transactions or even in sharing security data with other countries that already have more advanced standards on the subject. To gain access to the global market, it is prudent for the country to move towards standardization in data protection, since no nation with modern legislation will send data to Brazil if there is no adequate standardization.
In practice, the main change involves consumers who must expressly inform companies which data they authorize to be stored and how it can be used. Companies that fail to comply with the rules may be fined R$41,000,000 of their annual revenue, up to a limit of R$1,400,000,000, and have their database suspended for six months, with an extension expected until the offender regularizes their situation.
In general terms, Bill No. 53/2018 aims to maximize the control that data subjects have over their personal data, and to be made effective through the application of sanctions that actually impact companies' budgets.