The Brazilian Senate approved on July 10, 2018, Bill No. 53, which rules the protection of personal data and defines the circumstances in which these data can be collected and treated by both companies and the Public Authorities.
With this measure, Brazil joins several countries in the world, which already have legislation on the subject. The text disciplines the way information is collected and handled, especially in digital media such as personal registration data or even texts and photos published on social networks.
The PLC 53 considers personal data the information related to a person who is “identified” or “identifiable”. That is, the bill also regulates the cases where the data alone, does not reveal to whom it would be related to (an address, for example) but that, processed along with other data, could indicate who the person is (address combined with age, for example).
A special category, called “sensitive” data, has been created, covering race records, political opinions, beliefs, health status and genetic characteristics. The use of this data is more restricted since it carries risks of discrimination and other damages to the person. There are also differentiated parameters for processing information from children, such as requiring parental consent and prohibiting the provision of records to participation in applications (such as social networks and electronic games).
The bill covers treatment operations carried out in Brazil or from data collection done in the country. The standard also applies to companies or entities that offer goods and services or treat information of people who live in Brazil. International data transfer (as in the example above) is also permitted when the country of destination has a level of protection compatible with the Brazilian law or when the company responsible for the treatment proves that they guarantee the same conditions required by the instruments such as contracts or corporate standards.
Treatment for personal, journalistic and artistic purposes was not included in the obligations. Information processing is also not covered in national security, public safety, and law enforcement activities. The text indicates that these topics should be dealt with a specific law. The Public Power also gained the possibility of processing data without the consent of the people, in certain situations, as in the execution of public policies. For this, the website must inform in which hypothesis the processing of data is realized, its purpose and what are the adopted procedures.
You can find the official publication (in Portuguese) here