Client Alert

Brazil creates a national data protection authority and a national policy for the security of information at the federal administration

The last few days of Brazilian President Michel Temer’s term at the office brought relevant news with regard to privacy and data protection matters. On Dec. 27, Temer enacted Provisional Measure # 869/2018, which creates the National Protection Data Authority (NPDA), a regulatory body for data treatment activities. On Dec. 26, the President also enacted Decree # 9.637/2018, which establishes a National Policy for the Security of Information to be adopted by the federal administration, aiming to secure the integrity, confidentiality and authenticity of the information at the federal level.

In August 2018, Brazil had passed the Brazilian General Data Protection Act (Federal Law # 13,709/2018), which will enter into force in August 2020. Largely influenced by European GDPR this legislation represented an important step establishing a legal framework for data privacy in the country. Now, in addition to the provisions of the law, the newly created NDPA, which will be directly linked to the Presidency, will have responsibilities such as:

(i) issuing regulations and proceedings about personal data and privacy protection;

(ii) requesting information, at any given time, from data controllers and operators;

(iii) creating simplified tools, by electronic means, for the filing of complaints in cases of non- compliance in data treatment operations;

(iv) inspecting and imposing sanctions in case of data mismanagement;

(v) disseminating into the society the knowledge about the rules and policies related to data protection as well as the security measures;

(vi) promoting studies about national and international practices in personal data and privacy protection;

(vii) promoting public consultations about matters related to data protection.

As for Decree # 9.637/2018, the National Policy for the Security of Information involves the creation of the National Information Security Strategy and the National Plans, that will contain details of the measures to be taken and the agenda to be pursued. The decree also creates a Managing Committee to advise the President’s Institutional Security Cabinet in the issues related to security of information and grants to federal governmental bodies the power to create their own policies and complementary rules on the matter.

Previously, the Freedom of Information Act had already established the State’s duty to promote the security of information. Likewise, the Brazilian General Data Protection Act also created duties to the public administration regarding information protection. Some of them are the need to provide clear and updated information regarding the data processed and the need to appoint a Data Protection Officer (DPO) for data treatment operations.

These new developments, therefore, come in a moment when the country is intensively debating the importance of cybersecurity and privacy issues. It shows that the culture of data protection might spread, not only into the private sector, but also among governmental bodies.

In the past few years, our team have worked in some of the leading cases regarding data privacy and security of information in Brazil, with successful results. For more information regarding the matter, email us at

Go Back