DLA Piper Intelligence

Data Protection
Laws of the World

Law

Brazil

Currently, Brazil does not have a single statute establishing a data protection framework. There are two bills, namely No. 330/2013 and No. 5.276/2016, under analysis before Congress that, when enacted, will specifically and broadly regulate this subject matter locally.

Judging by the progress of both future regulations, Bill of Law No. 5.276/16 (“Bill of Law”), dated May 13, 2016, is likely to be enacted in the near future, since the Presidency declared it urgent under the terms of Section 64 of the Brazilian Federal Constitution; Bill of Law No. 330/13 should therefore be disregarded.

In the absence of a specific law, Federal Law No. 12.965/2014 (“Brazilian Internet Act”) and its recently enacted regulating Decree No. 8.771/16 (“Decree”), dated May 11, 2016, have brought some provisions on the security and processing of personal data, as outlined below.

For instance, the Brazilian Internet Act, which establishes general principles, rights and obligations for the use of the Internet, has some relevant provisions concerning the storage, use, treatment and disclosure of data collected on-line. Also, its regulating Decree has brought the first legal definition of personal data, in its Section 14.

Besides the above scenario, most aspects of data privacy are still regulated by general principles and provisions on data protection and privacy in the Federal Constitution, in the Brazilian Civil Code and in laws and regulations that address particular types of relationships (e.g. the Consumer Protection Code[1] and labor laws), particular sectors (e.g. financial institutions, the health industry, telecommunications etc.) and particular professional activities (e.g. medicine and law). Additionally, there are laws on the treatment and safeguarding of documents and information handled by governmental entities and bodies that have privacy implications.

The Federal Constitution provides that:

  • the intimacy, private life, honour and image of persons are inviolable;

  • the confidentiality of correspondence and electronic communication is protected; and

  • everyone is ensured access to information, although the confidentiality of the source shall be safeguarded whenever necessary for the exercise of a professional activity.

Discussion of privacy and data protection legislation has increased recently, and it is highly expected that Brazil will enact its first data protection statute in the near future.

[1]    Due to a broad interpretation established in case law, practically every internet user is considered a "consumer" for the purposes of consumer protection.

Last modified 25 Jan 2017
Definitions

Definition of personal data

The recently enacted Decree establishes the definition of personal data as any “data related to an identified or identifiable natural person, including identifying numbers, electronic identifiers or locational data, when these are related to a person”.

Even though the Decree regulates the Internet Civil Framework, and those laws are not specifically aimed at data protection (the Bill of Law under discussion serves that purpose), the above legal definition of personal data is in accordance with the current prevailing interpretations of legal scholars and the Courts on the matter. Moreover, the current text of the Bill of Law reflects the above legal definition of personal data in a broader manner. Thus, the Decree currently fills a gap until the specific law is enacted.

Definition of sensitive personal data

There is no legal definition of "sensitive data" or the equivalent in force in Brazil. However, the Bill of Law defines sensitive data as “personal data on racial or ethnic origin, religious beliefs, political opinions, membership of unions or organizations of religious, philosophical or political character, data related to health or sexual preference and genetic or biometric data”.

Authority

The Decree granted legal authority to the Brazilian Internet Steering Committee (“CGI.br”) to define security standards and incident response procedures, making it the competent authority to regulate internet security procedures and turning the guidelines on the matter established by the Committee in 2015 into legally enforceable rules. Regulatory and oversight competence was also granted to the National Telecommunication Agency (ANATEL), the National Consumer Secretariat and the Brazilian System to Defend Competition, each within the scope of its regulatory field, to investigate and take action, if necessary, with regard to data protection in the internet environment.

Furthermore, the Bill of Law provides for the creation of a Competent Office in charge of the implementation and supervision of the Law, and of the National Council of Personal Data Protection and Privacy, composed of fifteen representatives of relevant bodies, such as CGI.br, the Prosecutor’s Office and Congress.

Registration

There is no requirement to register databases.

Data Protection Officers

There is no requirement to appoint a data protection officer in the current legal scenario. However, when the Bill of Law is enacted, parties holding and processing personal data will be obliged to name an individual and/or an entity to act as responsible, operator and designated, according to the following definitions:

  • Responsible – natural or legal person, public or private, who is responsible for the decisions related to the processing of personal data. This agent will be responsible for informing the data owner about the circumstances of the data treatment, guaranteeing transparency in the data treatment, and reporting any security incident. Also, the Responsible bears the burden of proof regarding the proper collection of the data owner's consent to the treatment of its data;

  • Operator – performs the treatment based on the instructions provided by the Responsible; and

  • Designated – receives complaints and reports from the data owners, provides information and takes measures, receives communications from the competent agencies, guides employees on data protection practices, among other duties.

Collection & Processing

The Brazilian Internet Act establishes that the free, informed and express consent of the Internet user is required for the collection, use, storage, transfer and treatment of personal data on-line. Any such data shall be used only for purposes that are:

  • justified by the collection;
  • not forbidden by law; and
  • set forth in the services agreement or terms of use of the Internet application.

In other sectors, in general, there is no formal requirement to obtain prior written consent to collect personal data submitted by the subject. However, the use, treatment and protection of such data are still subject to some restrictions.

Specific statutes and case law establish that the scope of collection, treatment and use of personal data must be restricted to the purpose for which the data was originally collected. There is also a common understanding that certain sensitive data (e.g. religion, sexual orientation, criminal background etc.) should not be collected and used for any discriminatory purpose; if a company collects and uses such sensitive data it should obtain the person’s consent.

In particular, the Brazilian Consumer Protection Code establishes that a consumer should be notified in writing of the opening of a consumer file, form, registry or database containing personal data regarding a consumer if the consumer did not request that it be opened. Consumers are entitled to have access to personal data and databases about themselves and to demand immediate correction whenever they find that the data or files are incorrect. Other limitations apply. For example, negative information (such as relating to debts, breach of agreements etc.) may not be retained for more than five years.

The Bill of Law also sets forth that personal data treatment shall only occur upon the prior free, informed and unequivocal consent of its owner, observing principles such as good faith, purpose of use, necessity, quality, transparency and security, among others.

Transfer

Brazilian law does not expressly restrict cross border data transfer. However, some general principles may imply restrictions on the cross border transfer of personal data in certain cases (eg clinical trial data and medical records). In the absence of specific legislation, geographic transfer should be permitted upon informed consent from the parties involved.

If the Bill of Law is enacted in its current text, international transfer of data will be allowed if the destination country guarantees individuals a sufficient level of protection, similar to that of Brazilian legislation. This protection level will be assessed by the Competent Office, taking into account the general legislation of the country, the type of data and the possible security measures.

Security

In view of applicable general principles, data processors in Brazil are required to take reasonable technical, physical and organizational measures to protect the security of personal data, but, generally, there are no specific requirements, restrictions or details on how security should be implemented.

The Brazilian Internet Act now establishes that service providers, networks and applications providers should keep access records (such as IP addresses, logins etc) confidential, in a secured and controlled environment.

The Decree establishes guidelines on security standards, as follows:

  • Strict control over data access, by defining the responsibilities of the persons who may access the data and by granting exclusive access privileges to certain users;

  • Provision of authentication mechanisms for access to records, using, for example, two-factor authentication systems to ensure that the person responsible for handling the records can be individually identified;

  • Creation of a detailed inventory of accesses to connection records and application access records, containing the time, the duration, the identity of the employee or of the person designated by the company as responsible for the access, and the file accessed; and

  • Use of records management solutions that employ techniques ensuring the inviolability of the data, such as encryption or equivalent protective measures.

CGI.br shall be responsible for promoting studies and recommending procedures, rules and technical and operational standards according to the specificities and size of the connection and application providers.

If such records are not kept for a reasonable period of time, which is determined according to the nature of the business, the service provider, network or applications provider may face prosecution. The data retention period may be extended upon request of public authorities and the obligation of keeping such records cannot be assigned or transferred to third parties.

Breach Notification

Security breach notification is not mandatory, but it is recommended by the CGI.br guidelines. Furthermore, the Bill of Law will establish mandatory breach notification to the Competent Office in case of security incidents, as well as immediate communication to the affected data owners where personal security is affected or any harm may result from the incident.

Additionally, Federal Law No. 12,737/2012 (“Hacking Law”) sets forth that the owner of the personal data or of the breached device may – although not obligated to do so – notify public authorities in order to conduct enquiries, so as to identify and prosecute the individual responsible for the crime of hacking and/or invasion of a protected device established therein.

Enforcement

The Decree granted legal authority to CGI.br, ANATEL, the National Consumer Secretariat and the Brazilian System to Defend Competition, each within the scope of their regulatory field, to investigate and take actions, if necessary, with regards to the data protection on internet matters.

Nonetheless, enforcement can occur through administrative procedures, individual civil suits or class actions, which can be initiated by the data subject, by public authorities (eg State Attorney's Office, Consumer Protection Office and the regulator for the relevant industry) or by associations that defend collective interests.

Such public authorities may impose fines and, where relevant, revoke licenses or permits. Civil damages can be significant, because infringements of privacy rights may entitle the injured party to moral damages. Most case law on privacy and data protection involves violations of consumer rights.

The Brazilian Internet Act also establishes that the infringement of privacy and/or intimacy rights on the Internet is subject to a fine of up to 10% of the aggregate turnover of the economic group of the undertaking in the country. Any offices or subsidiaries of foreign companies established in Brazil are jointly liable for the payment of the fine.

It is worth mentioning the existence of habeas data, a remedy provided for in the Federal Constitution, which can be used to gain access to personal data contained in records or databases of governmental bodies or entities having a public character, and for the correction of the applicant's data contained in such records and databases.

Electronic Marketing

There is no federal law specifically addressing electronic marketing.

On January 9, 2012, the State of Rio de Janeiro enacted State Law 6,161/2012, which provides penalties for the offering of products and services by so-called collective buying websites within the territorial limits of that State. Under this law, information on offers and promotions may be sent only to clients previously registered through the website who have expressly consented to receive such information via email.

There is also a bill currently under discussion in the Senate which intends to amend the Brazilian Consumer Protection Code to establish as an abusive practice the unsolicited offer of products and/or services through electronic means or telephone.

In spite of the lack of a specific statute, the general provisions on privacy and intimacy rights, as well as consumer protection rights still apply; thus, a sender should immediately cease sending any sort of electronic marketing if so requested by the consumer.

Online Privacy

The Brazilian Internet Act has several provisions concerning the storage, use, treatment and disclosure of data collected on the Internet. Also, the established rights of privacy, intimacy and consumer rights apply equally to electronic media, such as mobile devices and the Internet.

Violations of these rights may therefore be subject to civil enforcement. It is generally understood that the gathering and exploitation of a user's personal data through cookies without consent is contrary to the Brazilian Internet Act and to privacy and intimacy rights, if the data subject is identifiable (i.e. the information is directly linked to a particular user, IP address, device or other particular identifier). The same rationale applies to location data, which is considered a more sensitive type of personal data.

Therefore, cookies, location data and equivalent online data collection methods are permitted if either:

  • The data subject's free and informed consent is obtained, or

  • It is not possible to recognize or identify the data subject (if data cannot be linked to a given subject it does not affect privacy and intimacy rights)

Finally, it is also worth mentioning that Hacking Law 12,737/2012 criminalises the installation or exploitation of software, devices and/or vulnerabilities on an electronic device in order to obtain an illicit advantage. Data collectors should therefore be cautious as to the nature and extent of the cookies and other applications operating in the data subject’s system.

Contacts
Diego Mattos Osegueda
Associate
T +55 21 2217-2046