Update 27 August 2020: The Brazilian General Data Protection Law entered into force on 27 August 2020, although there is some debate as to whether the law will be effective before it is sanctioned by the Brazilian President.
[This was first posted on 30 July 2020.] Brazil’s General Data Protection Law (“GDPL”) may enter into force on 27 August 2020 if a federal law confirming an alternative effective date of 03 May 2021 is not enacted by 26 August. Importantly, the GDPL applies to financial services firms located outside of Brazil that process personal data of data subjects located in Brazil.
- The GDPL applies even where the data subject sends their own personal data to the foreign firm, and even where the foreign firm’s services are not widely offered to the Brazilian public or are provided only at the request of the Brazilian resident.
- The GDPL requires firms to appoint a Data Protection Officer to act as a liaison between the foreign firm and Brazil’s Data Protection Authority (“DPA”) and to notify the DPA and data subjects of breaches, among other requirements.
- Privacy disclosures, consents, and waivers, along with firms’ policies and procedures, may need to be revised to comply with various other provisions of the GDPL.
As soon as the law enters into force, data subjects will have a private right of action against firms that violate the GDPL, and Brazil’s consumer authorities will have the power to bring separate actions. Beginning 01 August 2021, Brazil’s DPA will have concurrent power to levy penalties for violations of the GDPL, which could amount to millions of US dollars per occurrence. Firms should review the requirements and evaluate their next steps and action items.