By Leonardo Neri and Attílio Freitas
Data leaks. Influence on elections, potentially on a global scale. Uncertainty about the real scope and effects on the social fabric. Testimony before the American Congress, widely publicized and analyzed in detail. Headquarters of micro-targeting companies searched by British police. Echoes of the Cold War. The Cambridge Analytica scandal.
With the growing importance of personal data in the economy, where it is now properly treated as an asset – to the point that Britain's The Economist called it “the world's most valuable resource”[1] –, it is natural that the law keeps pace with the greater relevance of this legal asset and that the regulations applicable to it evolve and are updated. Given this scenario, the timing of the entry into force of the new General Data Protection Regulation (“GDPR”) is fortunate. Specifically, the GDPR replaced European Directive 95/46/EC as of May 25, 2018.
The GDPR, in general terms, aims to maximize the control that data subjects have over their data, and to be made effective through fines that actually impact companies' budgets. Let's talk about sanctions first: failure to comply with GDPR rules will result in penalties that could reach 20 (twenty) million euros or 4% (four percent) of the company's global revenue – whichever is greater. As for the increase in data subject control, this will be achieved through provisions under which data may be collected only with unequivocal consent and for specific purposes, as well as through articles establishing that data subjects may request a copy of all data held about them, request the correction of information, and also request the deletion of data.
This topic is relevant for Brazil for a number of reasons: firstly, the GDPR will apply even if the data processing occurs outside the European Union (“EU”) – if the entity that carries it out has its headquarters, a branch or representation in the EU, or if there is a mass offering to holders of personal data who are located within the EU; secondly, such scope may impact business between Brazilian companies and the EU; finally, there is a law to be passed in the National Congress that closely resembles the GDPR – in other words, paying attention to this topic now may mean being one step ahead of the requirements of the legislation (and of the competition).
Currently, in Brazil, existing rules on the matter are found in the Internet Civil Rights Framework, the Access to Information Law and the Consumer Protection Code and, in general, are too superficial and scattered to regulate a subject that has become so specific and important worldwide.
Seeking to address precisely these issues, Bill No. 53/2018 (“PL”), better known as the General Personal Data Protection Law, was approved in the Chamber of Deputies and, subsequently, in the Federal Senate. It is the result of the merger of two previous bills, PL 4,060/2012 and PL 5,276/2016.
The PL provides for the creation of a National Council for the Protection of Personal Data and Privacy, which will be responsible, among other functions, for broadly debating the topic, with freedom to produce proposals and studies that illustrate to society the impacts of the law on people's daily lives.
In general terms, Bill No. 53/2018 aims to maximize the control that data subjects have over their personal data, and to be made effective through sanctions that actually impact companies' budgets. Furthermore, the Bill sets out principles and concepts that must be followed by all private and public bodies that maintain, collect, store, sell or otherwise process personal data acquired within the national territory.
This new measure is relevant for Brazil for a number of reasons: firstly, it will apply even if the data processing occurs outside Brazil – if the entity that carries it out has its headquarters, a branch or representation in the country, or if there is a mass offering to holders of personal data who are located within our territory; secondly, such scope may impact business between Brazilian companies and those of the European Union, for example, given the recently enacted GDPR.
In practice, the main change is that consumers must expressly inform companies which data they authorize to be stored and how it may be used. Companies that fail to comply with the rules may be fined R$41,000,000 of their annual revenue, up to a limit of R$1,000,000,000, and may have their database suspended for six months, extendable until the offender regularizes its situation. The Bill has been approved by Congress and now awaits sanction by the President of the Republic in order to come into effect. By creating specific legislation, Brazil will reduce its commercial isolation and will be able to minimize problems in carrying out commercial transactions, or even in sharing security data, with other countries that already have more advanced standards on the subject. To be accessible to the global market, it is prudent for the country to move towards standardization in data protection, since no nation with modern legislation will send data to Brazil in the absence of adequate standards, such as those recently approved.
[1] Cf. https://www.economist.com/news/leaders/21721656-data-economy-demands-new-approach-antitrust-rules-worlds-most-valuable-resource, visited on 04/27/2018.