New Brazil data protection bill caps momentous three months that will transform global law

29 August 2018 7:34pm

17 August 2018. By Mike Swift and Rodrigo Russo.

The past three months have arguably been the most momentous period in the history of privacy law, capped on Tuesday when Brazil’s president signed into law a comprehensive data protection measure that will guide one of the world’s five largest Internet markets.

A month after Europe’s General Data Protection Regulation went into effect in May, the California state legislature passed what is arguably the most significant privacy law in US history. And one month later at the end of July, a government commission in India submitted a draft comprehensive data protection bill that is expected to go to the Parliament in coming months.

Taken together, those four pieces of legislation cover four of the five biggest blocs of Internet users on the planet, leaving out only China.

The California and Brazil laws don’t take effect until 2020. But like the GDPR, they will introduce sweeping and detailed rules on how companies collect and process personal data, and introduce for the first time the risk of major financial penalties for violations. Both the Brazil and California laws, like the GDPR and the proposed Indian law, regulate the collection and sharing of personal data, as well as set disclosure rules when companies suffer a data breach.

While the California Consumer Privacy Act is technically a state law that applies to the roughly 40 million residents of the most populous US state, it has national significance because the law applies to any company that collects or processes the personal data of a California resident. Functionally, it will be very difficult for a US company to differentiate between digital data it collects about consumers in California and those in a different state.

“From a statutory standpoint, in our view it’s the most significant US privacy development ever,” Purvi G. Patel, a partner with the firm Morrison & Foerster, said in a recent briefing on the California law.

— New regulators —

One thing the new data protection laws don’t necessarily create — at least initially — is an entirely new regulatory agency. That could change, however.

The California law will be enforced by the state’s attorney general and the existing California Department of Justice, which expects to create 57 new full-time positions to enforce it. One of the key provisions of Brazil’s bill — the General Data Protection Law, or LGPD, the Portuguese acronym for Lei Geral de Proteção de Dados — was the creation of an independent data protection authority. But that aspect of the law was vetoed this week by Brazil’s president, Michel Temer.

Temer said that the Congress can’t establish agencies that will be part of the executive branch of government. He promised, however, to create the oversight authority via presidential decree or by submitting a draft bill to Congress. As approved by lawmakers, the data protection authority would have had three officers with four-year terms, and decisions would be reached by a majority of votes.

In Europe, the GDPR transformed the existing Article 29 Working Party, an advisory group of country-level data protection authorities, into the new European Data Protection Board. The EDPB has new powers that will ensure that the data protection law is applied consistently across the EU.

The Indian proposal would create a new national Data Protection Authority, and empower that authority to levy substantial penalties for violations.

The new comprehensive data protection laws in California and Brazil may prove to be a significant step toward an international agreement to secure data flows with the EU, similar to the agreement between the EU and Japan consummated in July.

The new California law could also secure EU approval for commercial data transfers, a key European Commission official said last month.

And with this week’s approval of the Brazil LGPD, it is understood that European data protection officials expect to launch a dialogue with the Brazilian authorities on data protection adequacy and other cross-border topics once Brazil’s legal framework is fully adopted.

— Definition of personal data —

In general, the new California and Brazil laws have a wide definition for what constitutes regulated personal data, a fact that is certain to cause headaches for thousands of companies.

Under the Brazilian LGPD, personal data is defined as any information related to an identifiable individual. The bill also defines sensitive personal data, which is any personal information about ethnic or racial origins, religious conviction, political opinion, affiliation to unions or religions, political or philosophical organizations; data related to health or sex life; and genetic or biometric data.

The Indian draft proposal would base the definition of personal data on the standard of “identifiability” of a person, granting exemptions to anonymized data. The proposed law would define “sensitive personal data” as including passwords, financial data, health data, sexual orientation, biometric data, genetic data, transgender status, caste or tribe, and religious or political beliefs. It would include increased protections for those types of personal data.

The California bill also sets an exceptionally broad definition of personal information. It includes 11 specific categories of personal information, including unique identifiers such as Social Security or driver's license numbers, Internet browsing history, job or professional information, educational history, commercial records such as personal property, location data, biometric identifiers such as fingerprints or facial scans, and “audio, electronic, visual, thermal, olfactory, or similar information” that can identify a person.

The California law is somewhat different in that it establishes five key rights: a person's right to know what personal information is being collected about them; a right to have that information deleted; a right to block the sale of that information to a third party; a right to be free from discrimination in how that information is used; and a right to sue over violations.

— Financial Penalties —

Breaches of the GDPR can lead to fines of up to 4 percent of a company’s annual global turnover, or 20 million euros (US $22.9 million), whichever amount is greater. The European regulation adopted a tiered approach to fines, with smaller penalties depending on the gravity of the conduct.

The new laws in Brazil and California, and the proposal in India, also include significant financial penalties.

In Brazil, enforcers could impose heavy financial sanctions on companies operating in the country. The fines could reach up to 2 percent of the revenue of the company, group or conglomerate in Brazil, with a hard cap of 50 million reais (US $12.9 million) per infraction. Daily fines could also be imposed, but they must be considered within the 50 million reais cap.

Under the proposed Indian law, penalties could reach up to 2 percent of annual gross worldwide revenue for violations of data breach rules, and up to 4 percent of worldwide revenue for many violations of data privacy rules.

The California law allows the state attorney general to order a civil penalty of up to $7,500 for each violation, with no total dollar cap. That penalty theoretically could reach several billion dollars for a violation that affected even 1 percent of the state’s population.

There is significant variation between the new laws in one of the most controversial aspects of the GDPR — the “right to be forgotten” in search results.

While the Indian proposal lacks a full “right to be forgotten” as codified in the GDPR, it would allow an individual “the right to restrict or prevent continuing disclosure of personal data by a data fiduciary” in cases where that information “has served the purpose for which it was made or is no longer necessary.”

No such right of erasure exists in the new California law. The Brazilian law does provide a right of erasure from databases. This right must be exercised through a direct request by the individual to the company, and procedures for doing so are not set out in the law.

- With assistance from Vesela Gladicheva in London.
