Brazilian president Michel Temer has signed a data protection bill into law yesterday (14).
The new rules, which will be enforced in 18 months, aim to protect data about individuals and businesses online and prevent the commercial use of information such as names, telephone numbers and addresses without consent of the user in question.
Applicable to any public or private organization collecting and processing data in Brazil, the new regulations foresee that organizations would need to inform users when information is collected and delete it after the relationship between the parties has ended - or if the user has not requested to be contacted afterwards.
Organizations failing to comply will get progressive penalties from getting officially notified to paying fines that range from 2 percent of the company's earnings to a maximum of 50 million reais ($12.8 million).
When occurrences such as data leaks take place, the new rules mandate that users will need to be informed immediately and the party holding the data will be held responsible for any damage relating to the leak.
But there were several items of the original text that were vetoed by the president. The creation of a new government body, dubbed National Data Protection Authority, dedicated to subjects relating to data protection including monitoring, law enforcement and sanctions was a key feature of the Bill and rejected by the president.
However, Brazilian science and technology minister Gilberto Kassab stated that the idea is to address the lack of an agency to handle data protection matters and said a new Bill specifically focused on that should be created soon.
Other items vetoed by Temer included the protection of data of citizens requesting access to government information. Under this particular item of the original text, such citizen information would not be shared between government agencies or private sector organizations.
The suspension of the database relating to a possible data breach would also be suspended until the issue was addressed, according to the original bill. This was also among the items turned down by the president.
The data protection debate in Brazil dates back from 2010 but gained new momentum since the enforcement of the EU's General Data Protection Regulation (GDPR) and the scandal around data being harvested and manipulated by Facebook to influence the course of US elections.