The Data Protection Law was largely inspired in the European General Data Protection Regulation (GDPR)'s model, but it has some tropical particularities…
After 8 years in the National Congress, Brazil now relies on a specific law for the protection of personal data (Law No. 13,709 of August 14th, 2018 - the "Data Protection Law"). The Data Protection Law was largely inspired by the European General Data Protection Regulation (GDPR), but it has some tropical peculiarities.
Despite Law No. 12,965/2014 (Brazilian Civil Rights Framework for the Internet), Brazil did not have rules specifically regarding personal data protection, but only punctual (e.g. credit protection) or self-restrained rules imposed by companies in their own privacy policies.
In this sense, following the recent polemics involving Facebook and the use of personal data to analyze and influence individual behavior patterns, the National Congress expedited rulemaking process and finally passed Law No. 13,709/2018. The Data Protection Law was subject to 5 presidential vetoes and it was amended in key aspects by the Provisional Measures No. 869, of 2018, approved on May 29, 2019. It will come into force within 18 months.
The guiding principle of Brazil's Data Protection Law is the data subject's consent to any "processing operation"1, especially in case of sensitive data (e.g. health). This consent cannot be generic or camouflaged in broad or imprecise clauses. Consent must also be expressed in writing or any other means which demonstrate the willingness of the data subject, but it is being up to the controller to prove that the consent was given. If there is a change in the purpose of data use that is incompatible with the original consent, the controller must inform the data subject, who can revoke the consent previously given at any time. For
personal data to be shared with other controllers, there must be an expressed consent of the data subject as well.
There are more legal authorizations for data processing under the Data Protection Law (10) than under the GDPR (7). Among the most relevant processing situations allowed for the private sector are the following:
a) for compliance with a legal or regulatory obligation;
b) for carrying out studies by research entities, ensuring, whenever possible, the anonymization of personal data;
c) for the regular exercise of rights in judicial, administrative or arbitration procedures;
d) when necessary to fulfill the legitimate interests of the controller or a third party, except when the data subject's fundamental rights and liberties which require personal data protection prevail.
Whenever there is sensitive personal data involved, consent must be given in a specific and distinct way for the processing purposes indicated. On the other hand, if data processing is indispensable in the abovementioned hypothesis, sensitive personal data may be used without the consent of the holder.
The Data Protection Law guarantees several rights to the data subject, especially concerning those related to obtaining information, such as (i) confirmation of the existence of the processing; (ii) access to the data; (iii) correction of incomplete, inaccurate or out-of-date data; (iv) anonymization, blocking or deletion of unnecessary or excessive data or data processed in noncompliance with the provisions of the Data Protection Law; (v) portability of the data to another service or product provider; (vi) deletion of personal data processed with the consent of the data subject; (vii) information about public and private entities with which the controller has shared data; (viii) information about the possibility of denying consent and the consequences of such denial; and (ix) revocation of consent.
The National Data Protection Authority, which was created by the Data Protection Law, will regulate several aspects. Indeed, there are some controversial rules which need to be clarified. For instance, Article 4, paragraph 2 of the Data
Protection Law reads as follows:
"Processing of the data referred to in item III of the lead sentence of this article will only be allowed by private legal entities in procedures under the supervision of an official agency, which shall observe the limitation imposed in Paragraph 3 of this article."
Among other situations, item III refers to processing of data exclusively for the purposes of "d) investigation activities and prosecution of criminal offenses". Here is a Catch 22: what will happen to internal investigations for compliance related matters with such a wide limitation?
More worryingly, what about the future of an effective compliance program if the companies cannot satisfactorily do their own investigations and cooperate with the enforcement watchdogs? If the effectiveness of internal investigations is undermined, you can expect a decrease in the level of enforcement in anti-corruption and antitrust. Of course, there will be arguments supporting other interpretations but courts may take time to solve the conundrum.
The fine amounts follow a similar pattern to the ones established in both the Brazilian Competition Law (Law No. 12,529/2011) and the Brazilian Anti-Corruption Law (Law No. 12,846/2013), so that fines can be substantial to those who violate the legislation:
(i) Warning, with an indication of the time period for adopting corrective measures;
(ii) Simple fine of up to two per cent (2%) of a private legal entity's, group or conglomerate revenues in Brazil, for the prior financial year, excluding taxes, up to a total maximum of fifty million reals (R$ 50,000,000.00) per infraction;
(iii) Daily fine, subject to the total maximum referred to in Item II;
(iv) Publicizing of the infraction once it has been duly ascertained and its occurrence has been confirmed;
(v) Blocking of the personal data to which the infraction refers to until its regularization; and
(vi) Deletion of the personal data to which the infraction refers to.
Special liabilities are created to the "controller"2, "processor"3 and "officer"4 for the personal data processing, who may answer to the use of data that violates the legislation and results in damage to data subjects. These agents must supervise safety matters and implement good practices for data governance.
As in Brazilian Anti-Corruption Law, the Data Protection Law considers the existence of a governance program and the preventive practices expected of these agents as attenuating factor in the penalties imposition.
Nonetheless, caution is advised in implementing these changes, given that the new rules will only come into force within 18 months and a new regulation is likely to be issued to address dubious issues of the Data Protection Act.
1 Processing operation is "any operation carried out with personal data, such as collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation or control of the information, modification, communication, transfer, dissemination or extraction". 2 "Natural person or legal entity, of public or private law, that has competence to make the decisions regarding the processing of personal data". 3 "Natural person or legal entity, of public or private law, that processes personal data in the name of the controller". 4 "Natural person, appointed by the controller, who acts as a communication channel between the controller and the data subjects and the national authority".
Disclaimer – The views expressed in this article are the personal views of the author and are purely informative in nature.