On Tuesday, July 10, the plenary of the Senate approved, on an emergency basis, Bill of Law nº 53, regarding the Protection of Personal Data.
The proposed legislation addresses the treatment of digitally processed information, from personal registration data up to pictures and texts disclosed in social media. It provides a series of rights to data owners, who become entitled to request access to personal information, as well as to ask if the referred information has been shared with other entities, and the reasons for such disclosure. The Bill also allows data owners to request the amendment of incomplete data, the deletion of unnecessary or excessive registries, as well as the transfer of the information to other servers.
It is also worth noting that Bill of Law nº 53 introduces the obligation, for companies, to obtain previous consent for the treatment and disclosure of personal data. This authorization must be requested in a clear and objective manner, and if the reason for the use of such data alters, a new consent must be obtained. There are, however, some exceptions to this rule, regarding the treatment of data in order to comply with fiscal and social security related obligations, as well as data associated with the protection of life and health.
In given situations, Public Authorities also have the possibility to treat personal data without previous consent, such as in the execution of public policies. In order to act in this manner, the organ must inform the reason for processing such data, as well as the procedures involved in its treatment.
The subject addressed by Bill of Law nº 53 is already highly regulated in other countries, such as those that are members of the European Union, which recently adopted Regulation 2016/679, regarding the protection of individuals on the treatment of personal data, with requirements that must be incorporated to the national legislation of each member state.
Bill of Law nº 53 considers “personal data” information regarding one person, who has either already been identified or is potentially identifiable. Furthermore, it provides a category of “sensitive data”, regarding subjects such as race, religion, political opinions, health conditions and genetic traces, and establishes stricter rules for its treatment, considering the harmful potential of such disclosure. Likewise, it institutes conditions for the international transfer of data, requiring that the country of destination or the company responsible for its processing present a level of protection compatible with the one it establishes.
Bill of Law nº 53 also suggests the creation of an organ called the National Authority of Data Protection, which would be responsible for monitoring the application of the law.
A number of entities openly support the proposed legislation, such as the Brazilian Association of Radio and TV Stations (Abert), as well as the Brazilian Association of Information and Communication Technology (Brasscom) and the Coalition “Rights in the Network”, which gathers entities that defend the rights of internet users.
Bill of Law nº 53 does not apply, however, to the processing of information regarding activities associated to national and public security, which shall be addressed in specific legislation.
Among the penalties provided in Bill of Law nº 53 are a fee of up to 2% of the infringing company’s income, limited to R$ 50 million, as well as the deletion of data that has been treated irregularly and the suspension or prohibition of activities related to database treatments.
The Bill currently awaits presidential approval.