Protection of Personal Data in Brazil: Internal Antinomies and International Aspects

Abstract

A new era of personal data protection regulations has been emerging worldwide. The European GDPR (Regulation No. 679/2016) is the main example. To cope with the new landscape and foster the international flow of data many countries are amending their regulations, using the GDPR as a landmark. In this context, Brazil enacted its first General Data Protection Law - BGDPL (Law No. 13.709/2018) on August 14th, 2018. Brazilian firms, internet activists and scholars were all eagerly waiting for this regulation, since it was supposed to be enacted in 2014, alongside with the Brazilian Civil Framework of the Internet - BCFI (Law No. 12.965/2014) and a new Copyrights Act, to adapt the Brazilian legal system to fit the needs of the 21st century. However, the legislative process for approval of these new acts did not develop as expected, resulting in some contradictions between them. The purpose of this paper is to draw a comparison between the new Brazilian General Data Protection Law and the Brazilian Civil Framework of the Internet, putting in evidence some of these contradictions. It is argued that if not properly addressed, these contradictions can jeopardize the new act and cause severe practical problems. Since the BGDPL is strongly based on the European GDPR, a comparison will be also draw between them. The specific points of contradiction that will be addressed in this paper are the ones dealing with the data subject’s informed consent and with fines and penalties. The focus is on the interpretation of these legal texts with the support of the legal literature. In the end, the authors propose a way of harmonizing the Brazilian regulations – therefore contributing for a better data protection environment in the country – as much as assuring its compatibility with the GDPR and the international standards.