Introduction to Privacy Law in Brazil

Since the late 2000s, the government of Brazil has been working on two essential pieces of privacy legislation. The first is known as the Civil Internet Bill, which established an Internet Bill of Rights, including data protection requirements and the preservation of net neutrality. The second is known as the Data Protection Bill/Personal Data Protection Bill. This was touted as a comprehensive, European-style data protection framework which would govern the processing of all personal data.

The Data Protection Bill would replace the current sector-specific privacy framework. Brazil is the fifth largest country in the world, and its number of internet and smartphone users is increasing at a rapid rate. Such new privacy legislation would have a significant impact on organizations offering digital products or services to Brazilian consumers.

Progress on the Data Protection Bill

At the end of January 2015, the Brazilian government issued the Preliminary Draft Bill for the Protection of Personal Data on a website specifically created to encourage public debate on the draft bill.

The draft bill applies to individuals and companies involved with the processing of personal data via automated means, provided that:

  1. Processing occurs in Brazil
  2. Personal data was collected in Brazil

The draft bill would impose data protection obligations and requirements on businesses processing personal data in Brazil, including:

  • A requirement to obtain free, express, specific and informed consent to process personal data, with limited exceptions. For instance, consent is not required if the personal data is processed to: a) Comply with a legal obligation, or b) Implement pre-contractual procedures or obligations related to an agreement in which the data subject is a party.
  • Prohibition on processing sensitive personal data, except in limited circumstances. For instance, sensitive personal data may be processed with the specific consent of the data subject after the data subject has been informed of the risks associated with processing the sensitive personal data. Among other information, sensitive personal data includes: racial and ethnic origins, religious, philosophical or moral beliefs, political opinions, health and sexual orientation information, and genetic data.
  • Obligation to immediately report data breaches to the competent authority.
  • Requirement to allow data subjects access to their personal data and correct it if it is incomplete, inaccurate, or out of date, with limited exceptions.
  • Restriction from transferring personal data to countries that do not provide similar levels of data protection.
  • Obligation to adopt information security measures that are proportional to the personal data processed and protect the information from unauthorized access, destruction, loss, alteration, communication or dissemination.

Brazil’s Civil Internet Bill

The Civil Internet Bill, signed into law in April 2014 and in force in June of that year, does much more than establish online privacy protections. It safeguards online freedom of expression, protects users’ privacy and ensures equal access to Brazil’s online population. Its provisions have important implications for businesses providing online services to Brazilian users, including ISPs, search engines, social media websites and other websites hosting user-generated content, as well as online retailers and other services which engage in the collection of personal information.

Before the Civil Internet Bill, Brazil did not have any standalone privacy legislation. Under the Internet Bill, collection and use of users’ private information is restricted and such information cannot be shared or disclosed by ISPs or other companies operating online, unless they have express consent from users, or they are required to do so by law.

This applies not only to users’ personal information, but also to online login details, the contents of private communications (such as emails and instant messaging conversations) and IP addresses. ISPs are obliged to put appropriate measures in place to ensure that those privacy requirements are met, and online companies will also have to ask permission from users regarding the collection and storage of private information and the circumstances in which it can be shared.

Despite staunch opposition from telecom giants, the Internet Bill upholds the principle of net neutrality, meaning that all data transmissions must be treated equally by network operators, regardless of content, origin, destination, service, terminal or application. The aim of this provision is to prevent operators from charging higher rates for accessing content that uses greater bandwidth, such as video streaming or video communication services.


This article takes a look at two pieces of Brazil’s privacy legislation: the Civil Internet Bill, passed in mid-2014 and the Personal Data Protection Bill, which is currently in its draft stages.

CIPP Exam Preparation

In preparation for the Certification Foundation Course (Foundations) exam, a privacy professional should be comfortable with topics related to this post, including:

  • Modern history of privacy (I.A.)
  • Modern privacy principles (I.D.)
  • Countries with comprehensive and sectoral data protection laws (II.A.b.i. – II.A.b.ii.)
