Brazil’s General Data Protection Law isn’t quite GDPR

A new law in Brazil which is similar to Europe’s GDPR has been sanctioned by Brazil’s President. However, he vetoed several sections.

The new legislation, the General Data Protection Law, was sanctioned by the Brazilian President, Michel Temer, last week. The legislation will become enforceable in 18 months.

The law is similar to GDPR, but not identical; GDPR spreads over 80 pages, while the GDPL covers 30.

Similarities with GDPR include:

  • Cross-border jurisdiction, meaning data related to Brazilian citizens is subject to the law wherever the data processor is based and, related to this, regulations on the international transfer of data;
  • A risk approach: like GDPR, the Brazilian legislation talks about lawfulness, fairness, accountability, non-discrimination, purpose limitation, data minimisation and transparency on the use of personal data;
  • The Brazilian legislation includes a right to be forgotten and the right to access data;
  • Requirement to notify data breaches;
  • Requirement to appoint data protection officers, under certain conditions.

It is slightly different in other respects:

  • The Brazilian legislation provides for 10 legal bases to process data, unlike GDPR’s six legal bases;
  • Slightly lower maximum fines;
  • Even shorter deadlines to notify breaches.

However, Mr Temer vetoed a requirement for a National Data Protection Authority (ANPD) and the establishment of the National Council for the Protection of Personal Data and Privacy.

The President said that the vetoes were required because under Brazilian law Congress cannot create agencies. He said that the executive will create agencies similar to those proposed.
