New Privacy Protection Laws in Brazil and India
Brazil has recently passed a new privacy protection law. The Brazilian General Data Protection Act (GDPA) significantly increases the protection provided to personal information by imposing various rules and obligations on businesses and companies that make use of such information. This new law will enter into force in February 2020, and will apply to anyone collecting and making use of the personal information of Brazilian residents. Thus, it may also apply to Israeli companies doing business in Brazil.
This new law grants individuals with certain rights regarding their personal data, including, among others, the right to erasure, the right to receive the personal data, and the right to data portability. One of the key elements of the GDPA requires companies to update their privacy policies and terms of use in order to reflect and comply with the GDPA provisions. In addition, under this law, companies must appoint a data protection officer.
The GDPA imposes a fine of up to 2% of the company’s turnover in the preceding fiscal year, in case of an infringement of a GDPA provision. Fines under the GDPA are limited to a maximum of BRL 50,000,000 per each infringement.
Brazil is not the only country taking steps following the global trend of privacy legislation. India has recently released its first draft of personal data legislation – the Personal Data Protection Bill, 2018. This bill outlines requirements and limitations similar to those in the GDPA regarding the collection and processing of personal data. It also imposes fines and sets out data subjects’ rights. The bill will likewise apply to foreign entities that have a business connection to India, or that carry on any activity involving profiling or individuals in India.
This new legislation is similar in many ways to the provisions of the European Union’s General Data Protection Regulation (GDPR), which came into effect in May 2018. Since the GDPR is considered the current pinnacle in terms of efforts to implement stringent personal data protection, jurisdictions outside of the European Union are now striving to keep up.
Therefore, it would be wise for businesses and companies that make use of personal data, anywhere in the world, to ensure that their operations and activities are consistent with applicable legislation, primarily that of the jurisdiction in which the relevant data subjects reside. Even if the applicable legislation is relatively lenient, this state of affairs is bound to change sooner rather than later – to the benefit of data subjects. Failure to prepare oneself to the shifting environment of privacy and data protection is likely to have extremely negative consequences.