Data Protection in Brazil

The current legal framework for data protection in Brazil is complex, ranging from flexible to rigid rules, with more than 40 regulations in force that address the subject directly or indirectly. This scenario is challenging for businesses and users alike: although most of these rules are sectorial, they cannot be interpreted in isolation. How, for instance, can health or financial services be dissociated from services offered through the Internet? A general personal data protection law (the "General Law"), such as the Bills currently being discussed in the Brazilian Congress (especially Bill 5,276/2016 and Bill 330/2013), could establish a more fluid and harmonious scenario, in line with economic, technological and innovation development objectives, while guaranteeing individual rights. The General Law is expected to come into effect in 2018, and there will be little time to adapt. Companies need to comply with the current rules and understand that anticipating the future regulation is an investment and a competitive advantage.

What is Personal Data?

Based on the laws currently in effect in Brazil and on international regulation, personal data may be understood as any data that identifies a person directly or indirectly, such as name, Identity Card (RG), Taxpayer's number (CPF), addresses or cookies. It also covers information about an identifiable person even when that information does not by itself identify them, such as medical, financial, location or cultural data, and data that can subject someone to certain practices, such as targeted advertising and directed content, or profiling and prediction methodologies. The concept of personal data defines when the law and its rules apply.

Should I worry about Personal Data Protection?

Regardless of the sector you operate in, if there is collection, storage, processing, use and/or sharing of personal data, then there is a need to comply with the laws related to personal data protection. For example, the Brazilian law currently in force known as the "Marco Civil da Internet" (Law 12,965/2014), which applies to any and all services rendered over the Internet, sets clear rules and very rigid limitations on the collection and use of personal data.

If your company practices one of the activities listed below, be aware that there is a need to adapt to the laws related to the protection of personal data:

  • My company collects data from clients to send advertising and promote the business through e-mail marketing and targeted advertisements.
  • My company collects data through apps to offer products and services.
  • My company keeps employee data to process salary payments and support HR.
  • The service provided by my company analyzes clients' behavior to suggest content based on their interests.
  • My company outsources the collection and storage of personal data to cut costs.

The New European General Data Protection Regulation (GDPR) and its impacts on Brazilian companies

The General Data Protection Regulation (GDPR) is the new regulation for the protection of personal data in the European Union, which becomes applicable on May 25, 2018. Although it is a European regulatory framework, a Brazilian company may be subject to it: its territorial scope reaches controllers and processors established outside the European Union whenever they offer goods or services to data subjects in the EU or monitor their behavior there.

Why regulate the use of Personal Data

Regulating the use of personal data in Brazil by means of a General Law such as the one currently under discussion may bring legal certainty to a landscape that today is fragmented and uncertain, with inconsistent concepts and conflicting rules that affect the scope of sectorial norms. A single unified personal data protection law may bring harmony and balance, fostering innovation and economic and technological development in a data-driven society.

What are the objectives

Right to Privacy

Guaranteeing the right to privacy and the protection of citizens' personal data by giving them better control over their data through transparent and safe practices.

Clear rules for companies

Establishing clear rules on the collection, storage, processing and sharing of personal data by companies.

Promote development

Fostering the economic and technological development in a data-driven society.

Consumers' Right

Guaranteeing free enterprise, free competition and consumer protection.

Strengthen Confidence

Increasing society's confidence in how personal data is collected and used.

Legal Certainty

Increasing legal certainty across the board for the use and processing of personal data.

What are the advantages

Unify rules

Single, harmonized rules on the use of personal data regardless of the economic sector.

Greater flexibility

Authorizing more flexible legal bases for the processing of personal data, such as legitimate interests, suited to a data-driven society in the Big Data era.

Cost Reduction

Reducing the operational costs caused by incompatible processing practices among different agents, while fostering higher quality of the data circulating within the ecosystem as a whole.

Adapting the rules to Brazil

Enabling Brazil to receive and process data originating from countries that require an adequate level of data protection, which can fundamentally foster the information technology sector.

Data Portability

Individuals may transfer their data from one service to another, thus increasing market competitiveness.

Sectorial Impacts

Being in compliance with sectorial data protection regulations and a General Law may constitute a significant impact to companies of different sizes, especially regarding operational costs. At the same time, there will be a large number of new opportunities, especially for companies succeeding in the adaptation procedures as well as for those that already employ universal personal data protection principles.

Financial Sector

The financial sector is today mainly subject to the rules on banking secrecy (Complementary Law 105/01), the Consumer Protection Code (Law 8,078/90) and the Credit Report Law (Law 12,414/2011). It is also under the supervision of the Central Bank of Brazil and the Securities and Exchange Commission (CVM). Despite being a highly regulated sector, its rules still allow wide latitude in the use of personal data. The fintech boom in the Brazilian market has taken advantage of this latitude to apply Big Data, artificial intelligence and machine learning to its business models. This sector will therefore face large operational impacts when the General Law enters into force. In exchange, it will enjoy much more solid legal certainty than today, mainly regarding the sharing of data and automated decisions, such as those related to the granting of credit and the creation of predictive models.

Health

Despite the inherent sensitivity of health data, this sector lacks proper personal data protection rules, which are limited to regulations on sharing data between the private and public sectors, consent for collecting data into databases and electronic medical records, and confidentiality. Areas such as precision and diagnostic medicine are among those that benefit most from Big Data technologies, but at the same time they may be heavily affected by the new rules and limitations imposed by a General Law. Preparing in advance, especially by tailoring procedures based on risk assessments, can be a great competitive advantage. Areas such as e-health and telemedicine can also benefit widely from a preventive approach.

Marketing and Advertising

The digital advertising and marketing industry is perhaps one of the sectors most affected by personal data protection laws, as its business models are based on the analysis of preferences and online consumer behavior and on the creation of predictive models. It is today subject to the strict consent rules and limitations on the use of personal data set out in the "Marco Civil da Internet". It may therefore be one of the sectors that most benefits from a General Law, which would establish more fluid and harmonized rules, with fewer barriers to legitimate and proportional practices of profiling, delivery of targeted content, and use of data for new purposes.

Labor and Employment

Today, in Brazil, an employee has no expectation of privacy in the workplace. The use of corporate devices can be monitored, although it is recommended that the employee be informed of this practice. This does not mean a complete absence of privacy, however: there are limits, such as the prohibition on monitoring private accounts, including personal e-mail and social networks. Regarding the use of employee data, there are no rules that prevent, for instance, an employer from collecting information from social networks and adding it to HR databases, nor any express prohibition on sharing such data with interested entities, such as recruitment and résumé database companies. This is one of the legislative gaps that a General Law will fill; it will also facilitate activities such as outsourcing labor to other countries by establishing procedures for international data transfer.

Other Sectors

All sectors dealing with personal data are and will be affected, whether online or offline: education, consumer goods and everyday services, without distinction. Perhaps the most affected, however, are the developers and suppliers of information technology, who end up acting in all sectors. They may nevertheless be the most likely to adapt to the new rules, as they are already used to international information security and privacy protection standards.

Data is an essential part of the modern economy. Data-intensive technologies have made it possible to create innovative products and business models and to advance research fields such as artificial intelligence and machine learning.

On the other hand, companies are poorly prepared to deal with information security, the protection of their intangible assets and the protection of personal data. This scenario creates insecurity for users and significantly distorts competition.

New regulations must be carefully designed so that they do not become a burden to the point of rendering lawful and legitimate business models unfeasible. Current economic activities should be taken into account, and the time of adaptation, that is, the period between the approval of the law and its entry into full force and effect, should be sufficient for companies’ adaptation.

Why and how should companies be prepared

Protection of personal data and information security should, and can, be seen not as a cost, but as a competitive advantage, a market differential. In a time of major information leaks and scandals over data misuse, adapting to clear, transparent and harmonic rules can restore or increase the consumer confidence in companies and the market.


Adaptation time

Companies may have between three months and one year to prepare after the General Law is approved and before it comes into full force and effect, which may be an extremely short time given the amount of change that will be needed.


The earlier companies get prepared, the better they will be when the new law comes into full force and effect.

Competitive advantage

While the rest of the market will be rushing to adapt, anyone who anticipates the changes may already offer their services and products more adequately and efficiently.

Reputation

Protecting the privacy and personal data of consumers and employees is paramount to building an image of trust. The capacity to convey security, anticipate risks and manage occasional problems affects a company's reputation.


Getting ready in advance

Comply with the current rules, anticipate the regulatory demands, and prepare based on the existing data protection principles and rules (and on those that will not change), adopting the best practices of the countries whose laws influence the future Brazilian law. This will be a competitive advantage while everyone else is still striving to adapt.

Perform Privacy Impact Assessment - PIA

Privacy Impact Assessment (PIA) is a methodology used to identify risks to privacy and the protection of personal data by means of data mapping and analysis of the company processes, in order to adapt them to the best practices and regulatory obligations.
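The data-mapping step of a PIA can be partly automated. The script below is an added example, not code from the original page or from any law firm or product: it scans constructed sample datasets, classifies each field against the categories the page lists as personal data (direct identifiers such as CPF and RG, contact data, online identifiers, and sensitive health, financial and location data), validates CPF check digits so that a "cpf" field holding junk is flagged for data-quality follow-up rather than silently counted, and scans free-text fields for identifiers that commonly leak into notes. The field names, category labels and sample records are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from typing import Optional

# Categories follow the page's own list of what counts as personal data;
# the field names are assumptions for this example.
FIELD_CATEGORIES = {
    "name": "direct identifier",
    "rg": "direct identifier",
    "cpf": "direct identifier",
    "email": "contact data",
    "address": "contact data",
    "cookie_id": "online identifier",
    "diagnosis": "sensitive (health)",
    "credit_score": "sensitive (financial)",
    "last_location": "sensitive (location)",
}

CPF_RE = re.compile(r"\b\d{3}\.?\d{3}\.?\d{3}-?\d{2}\b")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")


def cpf_is_valid(cpf: str) -> bool:
    """Validate the two CPF check digits (mod 11 over weights 10..2, then 11..2)."""
    digits = re.sub(r"\D", "", cpf)
    if len(digits) != 11 or digits == digits[0] * 11:  # all-equal digits are rejected
        return False

    def check_digit(prefix: str) -> str:
        total = sum(int(d) * w for d, w in zip(prefix, range(len(prefix) + 1, 1, -1)))
        rem = total % 11
        return "0" if rem < 2 else str(11 - rem)

    return digits[9] == check_digit(digits[:9]) and digits[10] == check_digit(digits[:10])


def classify_field(field: str, value) -> Optional[str]:
    """Return the personal-data category of one field value, or None if none applies.

    Known field names are classified directly; unknown free-text fields are
    scanned for embedded identifiers (valid CPF, e-mail) that leak into notes.
    """
    if field in FIELD_CATEGORIES:
        if field == "cpf" and not cpf_is_valid(str(value)):
            return "direct identifier (malformed CPF)"
        return FIELD_CATEGORIES[field]
    if isinstance(value, str):
        if any(cpf_is_valid(m) for m in CPF_RE.findall(value)):
            return "direct identifier (CPF embedded in free text)"
        if EMAIL_RE.search(value):
            return "contact data (e-mail embedded in free text)"
    return None


def data_map(datasets: dict) -> dict:
    """Build the PIA inventory: per dataset, which fields hold which category of personal data."""
    inventory = {}
    for name, records in datasets.items():
        fields = defaultdict(set)
        for rec in records:
            for field, value in rec.items():
                cat = classify_field(field, value)
                if cat:
                    fields[field].add(cat)
        inventory[name] = {
            "personal_data_fields": {f: sorted(c) for f, c in fields.items()},
            "sensitive": any("sensitive" in c for cats in fields.values() for c in cats),
        }
    return inventory


# Constructed sample records for the illustration (not real people).
SAMPLE_DATASETS = {
    "crm": [
        {"name": "Ana", "cpf": "111.444.777-35", "email": "ana@example.com", "cookie_id": "c0ffee"},
        {"name": "Bruno", "cpf": "123.456.789-00", "email": "bruno@example.com", "cookie_id": "deadbeef"},
    ],
    "clinic": [
        {"patient_ref": "P-17", "diagnosis": "E11", "notes": "contact via carla@example.com"},
    ],
    "telemetry": [
        {"device_id": "d1", "uptime_s": 3600, "notes": "nominal"},
    ],
}

if __name__ == "__main__":
    import json
    print(json.dumps(data_map(SAMPLE_DATASETS), indent=2))
```

The inventory this produces is the raw material for the rest of the assessment: each dataset flagged as sensitive, each field holding a direct identifier, and each free-text field leaking identifiers maps to a process owner, a legal basis and a retention rule that the privacy program then has to document. In practice the datasets would be read from the real systems rather than embedded, and the category dictionary would be maintained by the privacy team.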

Privacy program

Based on the results of the PIA, establish and implement a privacy program that designs and deploys solutions and processes to address the identified risks and areas of non-compliance, and that conducts awareness and training actions.


Periodically conduct new privacy assessments, ensuring that new risks are identified and addressed in a timely manner.

Incident response

In a crisis, companies are judged by their stakeholders not only on the incident itself, but on their response to it. Simulating potential data protection incidents improves a company's ability to respond effectively to a crisis and protect its reputation.

Participate in the discussions

Actively participate in discussions and debates on the protection of personal data in Brazil. The bills are still under discussion, and there is still room to adjust the proposals based on what went well and what went wrong in the domestic and international markets.

The risks of not complying with the laws

A General Law is likely to create, as has already happened in almost 100 countries around the world, an independent and autonomous Personal Data Protection Authority, which may function as a regulatory agency authorized to oversee compliance with the law in all sectors, carry out investigations and impose administrative penalties.

Administrative penalties

The amounts of the penalties have not yet been defined, but sanctions would be applied by the Personal Data Protection Authority, separately or cumulatively, according to the particulars of the case: the gravity and nature of the infractions, the nature of the personal rights affected, any recidivism, the economic situation of the offender and the damages caused.

Mandatory disclosure of incidents

In cases where data subjects must be informed about information security incidents, the Personal Data Protection Authority may order the publication of the events, in a recall-like manner, both as a preventive measure and as a punishment for those responsible for the incident.

Deletion of data

The Personal Data Protection Authority may order the cancellation and deletion of data by those responsible for its processing as a form of punishment, so that the data can no longer be used.

Suspension of operations

In more serious cases, the Personal Data Protection Authority may administratively order the suspension of all personal data operations, including collection, processing and sharing, which in many cases means suspending almost all of the company's operations.

Reputational damage

Regardless of any administrative penalty, perhaps the hardest damage to a company is reputational: the loss of credibility and trust with the market and society. Once trust is lost, the cost and time needed to recover it can be far greater than any other damage.