In the middle of August last year, the Brazilian Congress took an important step on a data protection law. After many years of debates and different drafts, it finally enacted the General Data Protection Law (Law n. 13709/18). Clearly inspired by provisions in the EU General Data Protection Regulation, but innovating in certain matters, the Brazilian legislation establishes harmonized rules to be enforced against the public sector and private entities, big and small, regardless of their activities and/or sectors. The country has therefore taken a significant decision toward having a single approach when it comes to data protection principles, rights and obligations. Moreover, this new legal reality would become effective for all as of February 2020.
Nevertheless, not all things run as smoothly as a bossa nova song in Brazil. Former President Michel Temer vetoed some provisions of the new law on the argument that they were formally unconstitutional. Among them were all provisions related to the establishment of a data protection authority in Brazil. For reasons not to be discussed here, later in December, an executive order (MPV 869/18) was enacted to complement the law in matters rejected by the vetoes and to extend the date on which the law would become effective by an additional six months.
Today, at the end of 2019’s first quarter, the current scenario is still somewhat confusing. That is because the provisional measure must be discussed and ratified by the newly elected Congress by June; otherwise, it will become ineffective, and the original text will prevail. In conclusion, the present status of the Brazilian General Data Protection Law is uncertain, as no one knows when it will become effective: February or August 2020.
Does this mean there are no effective rules on data protection in Brazil today? Absolutely not. On the contrary, it means that the previous sectoral and rather complex regime of different pieces of legislation remains valid and effective. It also means that, based on these pieces of legislation, enforcement actions are being taken, including class actions proposed by public prosecutors and investigations started by consumer watchdogs.
To understand how Brazilian data protection law is currently applied is to knit a complex patchwork of separate laws and regulations, including state and municipal laws. Therefore, the purpose of this article is to provide some insight into the main applicable laws in force to date.
1.) Brazilian Federal Constitution (1988): Within the list of Brazilian fundamental rights are the personal rights to privacy, intimacy and one’s image. In general terms, these rights are considered “inviolable” and compensation for material and/or moral damages verified upon a violation thereof is guaranteed. Once considered fundamental rights, such rights cannot be waived by their subjects. Additionally, the Federal Constitution provides for the confidentiality of communications, which could only be accessed in the course of a criminal investigation and if authorized by a court order. A specific federal law establishes more criteria on interception of private communications. Finally, we note that the Federal Constitution inserted the “habeas data” institute into the Brazilian legal system. This specific type of lawsuit can be brought directly by the data subject interested in requesting access to the personal data stored in any governmental database.
2.) Civil Code (2001): In broad terms, the Civil Code determines that the right to one’s private life is a “personal right.” As such, the code expressly determines that it is neither assignable nor waivable by its subject under any circumstances. Image rights receive a more specific provision, as the code states that someone’s image can only be used for commercial purposes if authorized. Furthermore, although not specifically related to data protection, it is worth mentioning that legal capacity in Brazil is granted by the Civil Code to those over 18 years old. Individuals ranging from 16 to 18 years old are deemed relatively capable, meaning that any civil acts performed by them (such as giving consent) must be accompanied by an adult to be considered valid. Finally, general law on indemnification is also provided for in the Civil Code, and it should be pointed out that strict liability is imposed on those who cause damages to third parties when conducting an activity that naturally threatens the rights of others.
3.) Consumer Defense Code (1990): The Consumer Defense Code sets a wide range of obligations applicable to product/service providers and gives many rights to consumers, who are considered the vulnerable party in such a relationship. Within such rules, this code determines certain criteria for the collection, processing, transfer, disclosure and storage of consumer data, as well as the need for companies to obtain consent from consumers to perform such activities, preferably in an unambiguous form. It also grants data subjects the right of access to information obtained about them, in addition to the right of rectification of such data.
Furthermore, in more general terms, the Consumer Defense Code requires that all communication directed to consumers, such as terms of use, be in Portuguese and in plain and clear language that is easily understandable. As it is applicable to all consumer relationships, although it is a sectoral law, the code’s principles and rules are deemed applicable to most business activities in Brazil, including services free of charge, which are paid for indirectly, such as advertising-based services. Additionally, the code adopts the strict liability regime, meaning that suppliers and all companies within the supply chain can be held liable for damages suffered by consumers, regardless of their fault. On the enforcement side, consumer law in Brazil is vigilantly followed by Consumer Protection Foundations at all levels of administration, such as municipal, state and federal, as well as by specific sectors of the Public Prosecutors Offices, meaning that this code is the legal basis for most complaints and legal actions on data protection matters today.
4.) Internet Legal Framework (2014): This more recent piece of legislation contains substantial data protection principles and rules, and it is widely applicable as it establishes the rights and obligations related to internet use in Brazil. There are provisions expressly contained in it determining extraterritorial reach by imposing the application of Brazilian laws in any act of collection, storage or processing of personal data, if communications occur in Brazil or an endpoint of processing is in Brazil. Foreign companies must also be bound by these rules, if they have at least one legal entity established in the country or if services offered are aimed at Brazilians.
Besides reaffirming the inviolability of one’s privacy, this law specifically and clearly determines that personal data collection, use, storage, processing or transfer to third parties cannot be done without the data subject’s free, express and informed consent. Moreover, consent language must be detached from other contractual terms, meaning it must be visibly different to catch the attention of subjects. Additional provisions imposing the duty of transparency and data minimization are also included in this law, as well as the security measures standards to be adopted. Regarding sanctions, the Internet Legal Framework allows gradual enforcement action, since warnings, fines, suspension or prohibition of data processing activities are available to authorities. It must be pointed out, however, that such sanctions are tougher than the ones in the newly enacted law: The current fine can reach up to 10% of annual revenues in Brazil, while the new General Data Protection Law limits fines to up to 2% and gives no room for suspension or prohibition of data processing activities. It is yet to be seen how both legal provisions will be applied once the General Data Protection Law comes into effect.
Moreover, other sector-specific laws provide for data protection rules and more general privacy provisions. Among these, we can mention (a) the Telecommunications Law applicable to telecom companies, (b) the Financial Operations Secrecy Law applicable to commercial banks and other financial institutions, and (c) the Positive Credit Act. In such a sectoral approach, one must also be conscious that certain sectors are regulated by specific federal agencies, which could initiate administrative procedures to investigate and impose sanctions in response to violations of such laws. Such administrative bodies can also enact regulations on data processing activities to be adopted by companies regulated by them, as did the Brazilian Central Bank in determining security standards for financial institutions that engage with third parties for data processing services.
Finally, it needs to be mentioned that the Criminal Code also establishes certain criminal prohibitions related to violation of the data protection law. As an example, professional secrecy violation is a crime under the Brazilian Criminal Code. Furthermore, certain professions have the duty of secrecy imposed by federal laws, such as the Federal Lawyers’ Statute, or by Councils’ Regulation, such as the Federal Medical Council.
It is impossible to say that no protections are given to personal data in the country. In addition, it is visible that the new data protection law will bring more certainty and detail on how personal data should be processed, despite the existence of some points of conflict with currently applicable laws, which must ultimately be resolved through future court decisions. Until then, we hope this article sheds some light for foreign professionals when assessing how to conduct their business while the new Brazilian General Data Protection Law has not yet come into force.