The European Union is a supranational body, formed by 28 Member States, and has the competence to regulate certain activities throughout the Union, provided by its utmost relevant ordinance, the Treaties. Although its main initial aim was to promote cooperation, after the destructions caused by World War II, and the creation of a single market, the EU has now developed into a political union, with its own extensive body of case law, which deals with issues as complex as guaranteeing fundamental rights in the digital era. This is where the General Data Protection Regulation (GDPR) comes to life.
But, what difference does this make for me, as a Brazilian citizen? Maybe none, at an initial glance, but as Brazilian lawyers, we should be aware of how the GDPR can impact businesses throughout our country and, even, national legislation.
This was, perhaps, the most impacting change implemented by the new GDPR: the increased territorial scope in Article 3(2). According to such provision, the GDPR applies to any controller or processor not established in the EU when processing personal data from anyone who is in the EU. This means that, regardless of a person being an EU citizen or resident, if he/she is in the EU, they are subject to the protection afforded by the rules. This opens up a wide landscape for Brazilian businesses to fall within the scope of EU legislation. So, if a Brazilian controller is offering a service or good, even if no payment is required from the data subjects, he will most definitely need to adapt to the new EU rules when processing personal data. Unless you make sure no person in the EU whatsoever will have their personal data collected whilst browsing your website, for instance, then the GDPR will apply to you.
The cross-border flow of personal data will definitely raise more complex issues. Rulings such as the one in the Schrems Case, judged under the former data protection rules, demonstrate the wide range of the EU’s safeguard on fundamental rights, such as the protection of personal data, where non-EU legislation (USA) was declared as incompatible with EU Law. This, however, can be a topic of more in-depth analysis for an upcoming post…