It is up to the States to legislate, concurrently, on matters of consumer law. However, it was not until 2019, that the first State Consumer Defense Code in Brazil was sanctioned and approved. The Law no. 16,559 seeks to regulate and specify the consumer law within the State of Pernambuco.

The aforementioned State Code was published in the Official Gazette of the State on January 16th, 2019, and will come into force within 90 days – after which period the commercial establishments that operate in the State of Pernambuco will have to conform to the new obligations.

The new Code has more than 200 articles and applies to consumer relations in which the supply of the product or the provision of the service occurs in the State of Pernambuco, even if products or services are purchased by electronic means.

The State Code has a very practical application and intends to regulate certain sectors of the economy. There are specific provisions regarding the delivery period, how to carry out sales promotion, means of payment available, among others.

Sanctions due to infractions of such legislation can be quite strict. In financial terms, fines can vary from BRL 600,00 to BRL 9,000,000.00. In addition, the discontinuity of manufacturing, temporary suspension of activities, cancellation of business license or administrative intervention, and other similar sanctions, are also foreseen.

This is the first State Consumer Defense Code in Brazil and, therefore, it may raise doubts about the constitutionality or validity of some of its provisions and their applicability.

On January 21st, 2019, the French data protection authority fined Google €50 million, arguing that the company violated transparency requirements and failed to obtain valid consent from millions of users.

The fine was imposed on the basis of new guidelines on data protection in Europe, established by the General Data Protection Regulation (GDPR).

According to the French authority, Google users do not have easy access on how and where their personal information, collected by the company in the use of applications and websites, are used. To have this information, the user would need to run between five and six clicks, being redirected to different webpages, which, according to the French Authority, would not bring the transparency required by GDPR.

In addition, the French data protection authority considered that, in many cases, the text box to authorize the use of personal data was automatically filled in, misleading the users as far as adequate consent is concerned.

This is the fourth and largest fine imposed to date under the GDPR since it came into force, in May, 2018.

As of January 1st 2019, with the beginning of President Jair Bolsonaro’s term, there have been signs indicating that the National Secretariat of Consumers (“SENACON”) and the Department for Defense of the Consumers (“DPDC”), two relevant organizations of the National System for Defense of the Consumers, will go through a restructuring process in the scope of their competence and in their action policies towards the protection and defense of the consumer.

In his first interview as SENACON’s National Secretariat, Luciano Timm made clear he will focus on new forms of digital services. According to Timm, the right to privacy and the assurance that consumers will have full access to information are two of his main concerns, especially considering that the digital services involve several issues such as access to information, data protection, connectivity and social media.

Furthermore, Timm stated his intention to amplify the use of the platform Consumidor.gov.br, in order to expedite conflict resolution even before it reaches the judiciary. The National Secretariat believes in the cooperation between companies, consumers and the judiciary and in the dissemination throughout social media with the purpose of triplicating the adherence to the platform as a mean to achieve conflict resolution.

It is also a goal of SENACON to implement an in-depth dialogue between the Secretariat and Consumer Protection Agencies (PROCONs), seeking to enhance the National Consumer Defense System.

Finally, President Jair Bolsonaro also signed the Decree n. 9662/2019, which altered the structure of both SENACON and DPDC. Although the basic structure of both organizations has been maintained and despite the fact that no substantial change was made in relation to the previous decree, the new regulation seems to seek a more direct and independent operation from SENACON.

Even though it is just the beginning of the new management, the first signs demonstrate the new government’s intention to promote a stronger administrative action, seeking alternative dispute resolution, as a more effective way to solve conflicts without the intervention of the Judiciary.

On December 27th, 2018, the Union Official Gazette published the Decree n. 9367/18 that instituted the National Information Security Policy (“PNSI”), which establishes guidelines, within the scope of the Federal Public Administration, to cybersecurity, physical security and the protection of organizational data, ensuring the availability, integrity, confidentiality and authenticity of information at the national level.

Among the principles attributed to PNSI it is possible to highlight the comprehensive and systemic view of information security, the country’s responsibility to coordinate efforts, and the strategies and guidelines regarding information security.

The Decree also refers to the competencies of the Ministry of Defense, the Ministry of Transparency, Supervision and Control and the bodies of the Federal Public Administration related to information security.

Finally, the rule also amended the Decree n. 2295/97, which regulates the Bidding Law (Law n. 8666/93). The modification included “the acquisition of equipment and the hiring of specialized technical service of intelligence areas, information security, cyber security, communications security and cyber defense” as one of the hypothesis of bidding exemption for the cases that could jeopardize national security.