[co-author: Julio Cesar, Oliveira Alves]
The Brazilian Senate is discussing Bill No. 4530/2023 ("PL 4530/23"), which would amend laws impacting data protection compliance in Brazil. PL 4530/23 would amend Law No. 13.709/2014, otherwise known as the Brazilian Data Protection Law (Lei Geral de Proteção de Dados, or "LGPD"), to increase the level of fines that can be applied in the event of LGPD violations. It would also amend Law No. 8.079/1990 ("Consumer Defense Code") to prohibit the collection of personal data without informing consumers about the purpose and type of processing of their personal data.
If the text of PL 4530/23 is approved, the fine for LGPD violations will increase from up to 2% of a company's revenue to up to 20%, and the maximum fine amount will go up from R$ 50,000,000 (fifty million Brazilian Reais) to R$ 100,000,000 (one hundred million Brazilian Reais) per violation.
PL 4530/23’s text would also provide consumers more control over their data. It proposes to include a provision in the Consumer Defense Code that commercial and service establishments may not require data subjects to provide their personal data or sensitive personal data without first clarifying to the data subjects, in a clear and adequate manner, the purpose and type of processing that will be implemented with respect to such personal data. Also with regard to amending the Consumer Defense Code, PL 4530/23 would make it compulsory to display notices, in an easy-to-read size and in a location where they can be easily seen, including the words "IT IS FORBIDDEN TO DEMAND PERSONAL DATA, SENSITIVE OR NOT, without clearly and adequately informing the consumer about the type of processing that will be carried out on them".
It is likely that PL 4530/23 will be amended by members of the Senate and House of Representatives before being presented to Brazil's President for approval. Regardless of any changes to the original text, PL 4530/23 should maintain its objective, i.e. increase transparency in data processing, send a message to businesses that personal data processing must be taken seriously, and, finally, prevent abuses in the use and marketing of sensitive personal data. Meanwhile, companies that process personal data should assess their data processing practices to ensure compliance not only with LGPD but also with industry-specific data protection regulations.