November 14, 2018

Deliverability 101: Brazil’s new privacy legislation is similar to the GDPR.

In August 2018, the Brazilian parliament passed Law No. 13,709, a new privacy law known as the Brazilian General Data Protection Law (GDPL), updating and amending the existing “Brazilian Internet Law” of 2014.

This is another example of major global economies updating outdated privacy legislation to provide more consumer-favored legislation, similar to the GDPR. There are several striking similarities between the Brazilian GDPL, GDPR, and the OECD Privacy Framework, so please bear with us as we drop some legalese on you.

Brazil’s new privacy regulation covers many of the same items we’ve seen in other major privacy laws in recent years, including items classifying data into categories such as personal data, sensitive data, and anonymized data. These are further defined within the legislation as follows:

  • Personal data: Information regarding an identified or identifiable natural person;
  • Sensitive personal data: Personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data, when related to a natural person;
  • Anonymized data: Data related to a data subject who cannot be identified, considering the use of reasonable and available technical means at the time of the processing

Article 6 of the GDPL covers a wide range of items aligning with the OECD Privacy Framework, specifically those calling for accountability, accuracy, limitations, purpose and notice of data being collected as well as open access, ability to update and correct information collected on the data subject. The law also notes acceptable security measures need to be implemented and requires assurances that data will not be used in a nondiscriminatory or unlawful manner.

There are several other similarities between the GDPR and the GDPL when it comes to processing sensitive data, data related to minors, data subject rights, and when data should be deleted. There are also similarities regarding data portability, access and correction of data, and the international transfer of consumer data controllers will need to incorporate into their agreements and contracts with data processors.

While there are several similarities to the GDPR and the GDPL, the penalties and enforcement structures are substantially different, as the regional Information Commissioner’s Offices (ICOs) in the EU and the addition of ePrivacy add another level of complexity to the equation. However, in our opinion, if you already managed your internal processes for GDPR, you will need to only make minor changes to be in compliance with the GDPL when it is enforced in February 2020. We advise you to speak with appropriate legal council to see how this new law may impact your business and practices.

*The information contained in this presentation is provided for general informational purposes only and should not be construed as legal advice from 250ok Inc. or the individual author.*

Author: Matthew Vernhout

Matthew Vernhout is a digital messaging industry veteran and Certified International Privacy Professional (CIPP) with more than a decade of experience in email marketing. Matt is 250ok’s Director of Privacy, and he is currently the Vice Chair of the eec, after serving for several years as the Chair of their Advocacy Subcommittee.

You may also like...

The Year in Email 2019

It’s hard to believe we are nearing the end of yet another exciting year in email, and 2019 proved to be one of the most momentous and active years to date. Over the past year, the number of new technologies, mergers and acquisitions, mailbox provider (MBP) announcements, news, and highlights is evidence of the versatility […]

[Infographic] Global Privacy Relationship Status: It’s Complicated

I recently gave a presentation on global privacy regulations to a post-graduate marketing class and one of the things I noticed while preparing was that even within a single country, privacy is complicated. On a global scale, it is really complicated. For example, Canada has one federal private sector privacy law, three similar provincial laws, […]

The Year in Email 2018

*Update: This article was featured on email influencer Jordie van Rijn’s emailmonday blog! To see it in action, plus a great round-up of other articles and thought leadership looking forward to the future of email, click here.* The Black Friday emails are deleted, marketers’ email lists are checked twice, we pretty much know which senders […]

Ready to get started?