The collection and processing of personal data is regulated by the Brazilian General Data Protection Law – LGPD (n. 13.709/18). But it is also important to note that such law is embedded in a set of rules that address, at least in some respect, issues relating to privacy and protection of personal data, as the following:
- General Telecommunications Law (Federal Law n. 9,472 of 1997) Criminal Identification Law (Federal Law n. 12,037 of 2009) Freedom of Information Act (Federal Law n. 12,527 of 2011)
- Civil Rights Framework for the Internet (Federal Law n. 12,965 of 2014).
Most rules are found in specific legislation, particularly the Data Protection Act No. 152 FZ dated 27 July 2006 (DPA) and various regulatory acts adopted to implement the DPA as well as other laws, including the Information, Information Technologies and Information Protection Act No. 149 FZ dated 27 July 2006 establishing basic rules as to the information in general and its protection. In addition, the Russian Labour Code contains provisions on the protection of employees’ personal data (Part XIV). Other laws may also contain data protection provisions, which implement the data protection rules in relation to specific areas of state services or industries.
A draft Personal Data Protection Bill was released in 2018 and is expected to be tabled in Parliament soon. Until then, the Information Technology (Amendment) Act, 2008, provides limited protection. In addition, the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, and the Aadhaar and Other Laws (Amendment) Act, 2019 address questions regarding personal data specifically in the context of Aadhaar, India’s unique ID. Sectoral directions and regulations, such as those issued by the Reserve Bank of India, also impact personal data. Further draft policies and laws that address aspects of data protection include the draft National e-Commerce Policy, 2019, and the DNA Technology (Use and Application) Regulation Bill, 2019.
These mainly include the following categories:
National-level laws and decisions:
Criminal Law (1997) Amendment V (2005), VII (2009), and IX (2015)
Law of the People’s Republic of China on the Protection of Consumer Rights and Interests (1994) with Amendment in 2013
Decision of the Standing Committee of the National People’s Congress on Strengthening Information Protection on Networks (2012)
Cybersecurity Law of the People’s Republic of China (2017)
General Rules of the Civil Law of the People’s Republic of China (2017)
E-Commerce Law of the People’s Republic of China (2019)
Measures on Security Assessment of the Cross-border Transfer of Personal Information (Draft for comments, 2019)
Data Security Administrative Measures (Draft for comments, 2019)
The Electronic Communications and Transactions Act, 25 of 2002.
The Protection of Personal Information Act 4 of 2013. This Act has been signed into law, but it has not yet come into effect.