After 24 months on vacatio legis, the European Union’s new General Data Protection Regulation (GDPR) comes into force on May 25, 2018. The GDPR replaces Directive No. 94/46 and aims, in accordance with its Article 1, to establish rules on data protection, particularly of personal information and the transfer of such information, in order to protect the fundamental rights of data subjects.
One of the most significant differences between the current EU Directive dealing with data protection and the GDPR is territorial scope. The GDPR is applicable to all companies established in the EU that process personal data about individual EU residents in the context of their European operations regardless of where the processing takes place (i.e., not just regulating processing activities taking place in the EU). It is also extended to apply to businesses established outside the EU that collect personal data from EU residents in the context of offering goods or services to such individuals in the EU or that monitor the behavior of individuals in the EU.
The nature of the processing activities caught by the GDPR is very widely defined and in particular includes simply storing the personal data.
Moreover, the type of personal data does not matter. The GDPR applies to any data that identifies or makes an individual identifiable, from sensitive data such as that pertaining to health, sexual orientation or politics, to basic information such as name, address, photos or access rights.
In general terms, according to the GDPR, data should be collected in a lawful, fair and transparent way and handled for a specific, legitimate and clear purpose, being stored only for the time necessary to accomplish the specified purpose. In addition, the processing of this data must be carried out in a way that guarantees its security, which is the responsibility of the controller in charge of the processing.
All Brazilian companies that collect personal data from EU citizens and, in particular, those companies with established operations in the EU should consider whether their operations fall within the scope of the GDPR and, if so, the steps that need to be taken to achieve compliance with its requirements. The potential sanctions for non-compliance include high fines, which can reach up to EUR 20 million or 4 percent of the company’s revenue, whichever is higher.
In Brazil, there is no specific law regulating data protection. There are only legal provisions in sparse laws, notably the Federal Constitution, Civil Code, Consumer Protection Code and Civil Internet Framework, among other legislation. However, it is worth mentioning that the GDPR-inspired Project of Law No. 5.276/2016 is before the Chamber of Deputies. In any event, as noted above, the GDPR will enter into force on May 25, 2018, and Brazilian companies should pay attention to their obligations under it, as well as to its sanctions and scope.