Brazilian Data Protection Bill on the way to enactment: a legal framework for data privacy including the creation of a regulatory federal agency

July 13, 2018

On July 10, the Brazilian Senate passed the General Data Protection Bill, which will now be forwarded to the President for sanction or veto. It is a step toward establishing a legal framework for data privacy in Brazil. After the bill matures into legislation, companies will have an 18-month window to comply.


Influenced by the European GDPR, the bill establishes specific definitions of consent and other key concepts such as sensitive personal data and treatment operations.

It also provides duties and liabilities for both data controllers (legal entities or individuals responsible for making decisions regarding the treatment of personal data) and data operators (legal entities or individuals that conduct the treatment of personal data on behalf of the controllers). Controllers will be obliged to appoint a Data Protection Officer (DPO), who will be responsible, among other attributions, for accepting claims from data owners and receiving communications from the regulatory agency.

The bill also establishes the rights of data owners, such as the rights to access and to rectify, among others, as well as the rules and requirements concerning data treatment by private and public entities, such as the duty to communicate data breach events to the regulatory agency.



The bill creates a governmental body, the National Data Protection Authority (“NDPA”), a regulatory federal agency that will have responsibilities such as:

(i) issuing regulations and proceedings about personal data and privacy protection upon prior public consultation and regulatory impact assessment;
(ii) setting the guidelines of the National Policy on Personal Data and Privacy Protection;
(iii) inspecting and imposing sanctions in case of data mismanagement;
(iv) receiving claims from data owners against data controllers;
(v) promoting studies about national and international practices in personal data and privacy protection;
(vi) performing audits on the data treatment activities conducted by private companies and public authorities.

However, the creation of the NDPA might face legal challenges. The Brazilian Constitution (section 61, paragraph 1st, I, e) provides that only the President may sponsor a bill that creates or abolishes Government bodies. Furthermore, the Brazilian Supreme Court has ruled several times that this defect of initiative cannot be cured (subsequent presidential assent to a bill unconstitutionally introduced by Congress does not validate it).

Therefore, there are some uncertainties regarding the legal validity of the NDPA that should be addressed soon.


Data controllers and data operators are subject to sanctions for non-compliance that can reach 2% of annual revenue, limited to BRL 50 million (approx. USD 13 million), as well as the obligation to cease the data treatment operation.


In recent years, companies have been litigating against public authorities over the limits on sharing sensitive data with the government without proof of minimum safety practices. Courts have been receptive to balancing the arguments in these lawsuits, limiting the data that should be shared with authorities, based on the Brazilian Civil Rights Framework for the Internet and the Federal Constitution.

The new legal framework might change the dynamic between private companies and public authorities, bringing burdensome requirements to sectors such as IT, pharma, and finance. The fact that federal agency guidelines and decisions can be challenged before the courts can create a new wave of litigation. The NDPA might very often become a defendant, similar to other agencies with complex activities such as the Brazilian FDA (ANVISA), the Brazilian Patent Office (BRPTO) and the antitrust authority (CADE).

As regulations regarding data treatment activities are yet to be developed, one can expect that acts of the NDPA, especially sanctions, will likely be challenged before the courts. Again, the judiciary will set the final tone for data privacy in the country.


The bill will be reviewed by the President and can be (i) fully approved; (ii) approved with partial vetoes; or (iii) fully vetoed, which is highly unlikely.

Once enacted, the new legislation will only come into force after a period of 18 months. Companies will have this period to implement the changes. In addition, following the creation of the NDPA should be of paramount importance in terms of policy and compliance strategy for the coming years.

In the past few years, our team has worked on some of the leading cases regarding data privacy in Brazil, with successful results. For more information regarding data privacy in Brazil or to receive an English version of the bill, email us at