Mark L. Krotoski, Stephanie A. “Tess” Blair, Barbara Murphy Melby, Gregory T. Parks, Dr. Axel Spies, and W. Reece Hirsch of Morgan, Lewis, and Bockius write:
The Bill’s provisions on international data transfers are most relevant to foreign companies that do business in Brazil.
The Brazilian government has issued a Bill for the Protection of Personal Data (Bill) for public consultation. The Bill follows the European Union (EU) concept of “adequate data protection” in the receiving country and the provisions of the Brazilian Civil Rights Framework for the Internet (in Portuguese, Marco Civil da Internet, officially Law No 12.965), the law that governs Internet use in Brazil. Compared to the Marco Civil, the Bill is more specific and covers all forms of the processing of personal data—not only via the Internet. According to Article 28 of the Bill, a data transfer from Brazil to countries without adequate data protection (which likely includes the United States) is legal only if one of the following five exceptions applies:
Read more on National Law Review.