Brazil does not yet have a general data protection law that can be applied transversally to every sector of the society. The current regulatory status of personal data in Brazil is sectoral; there are different rules for different sectors of society: the financial sector, the credit sector, the health sector and the internet sector. However, many of these diverse sectors cannot be treated separately. For instance, how would it be possible to detach health and financial services from services rendered over the internet? Moreover, some of these rules may be considered inflexible to the point of impairing some business models based on using personal data, especially those related to big data, artificial intelligence and the internet of things.
That’s why the Brazilian National Congress is currently discussing two different bills of law that aim to enact a general data protection law. The eventual law will take into consideration new technologies and new business models based on the use of personal data and will be applicable across all sectors — offline and online. It will affect any and all companies, private or public, that handle personal data in their operations or when offering their products and services. It is estimated that one of the bills will be approved this year, and the law should enter into force from three months to one year after its enactment.
See the authors' complementary article on earlier steps in the process of creating a Brazilian General Data Protection Law
In front of the Senate is bill 330/2013, and in front of the House is the more robust — and we believe more likely to succeed — bill 5276/2016, or the Bill on the Protection of Personal Data. It is very much influenced by the European General Data Protection Regulation and the discussions that led to the approved version, as you will see below.
Summary: Bill on the Protection of Personal Data
The Bill on the Protection of Personal Data applies to any public or private entity, with exceptions, such as national security. It is currently under discussion and might come into effect in 2018. These are the main areas set forth by the bill:
- Scope of application, including extraterritorial jurisdiction.
- Principles, such as purpose limitation and minimization.
- Concept of Personal data.
- Concept of Sensitive data.
- Concept of anonymization and profiling.
- Data subjects' rights.
- Legal basis for processing (consent and legitimate interests included) and exemptions.
- Privacy Impact Assessment and risk based approach.
- Data Protection Authority and National Counsel of the Protection of Personal Data.
- Need to appoint a privacy officer.
- International data transfers.
- Binding Corporate Rules.
- Global corporate rules.
- Data breaches and notification requirements.
- Data controller and data processor liability.
- Penalties, from fines to prohibition to processing.
- Vacatio Legis of 180 days.
Main points
Scope and individual rights:
- The bill will apply to acts performed by any public or private entity, with the exception of data processing for criminal prosecution, investigation and national security that still are limited to the list of principles set forth on the bill, such as purpose limitation, access and discrimination;
- A reference that one of the purposes of law is to guarantee free development of personality, and also liberty rights, intimacy and privacy. Therefore, the law corroborates that the right to protection of personal data is autonomous to the right to privacy, which shall be interpreted through the focus of personality rights. It also sets that one of the goals of the law is to foster innovation and economic and technological development;
- Principles including lawfulness, fairness, purpose limitation and transparency on the use of data. It also sets forth the need for data minimization, accuracy, storage limitation, integrity and confidentiality;
- It will guarantee rights of access, rectification, cancellation and opposition (ARCO), including automated decisions, secure holding and processing of data, and destruction of data once its purpose has been fulfilled;
- A requirement that data subjects have a right to portability of their personal data (similar to GDPR) that must be designed in an interoperable format. Such practices may make personal data protection practices a competitive factor to enhance data controllers’ market share, specifically for less invasive personal data processing services;
Concepts and definitions:
- Concept of personal data: All data related to an identified or identifiable individual, including identification numbers, locational data or electronic identifiers, considering that they are referred to a person. In other words, data that can identify a person directly or indirectly, such as name, Identity Card (RG), Taxpayer's number (CPF), addresses, cookies, IP addresses, or information related to an identified or identifiable person, such as, medical, financial, location, cultural data, or even that which can subject someone to certain practices, such as targeted advertising and directed content, or profiling and prediction models.
- Biometric and genetic data is included in the concept of sensitive data, together with traditional concepts such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, data concerning health, or data concerning a natural person’s sex life.
On anonymization and profiling:
- References to anonymous data and associated data do not exist in the law. Both were substituted for anonymized data, a direct reference to anonymization procedures that might prove unlikely to identify a data subject.
- However, anonymized data will fall within the scope of data protection law if they can be reasonably re-identified or they can influence data subjects’ lives by employing behavior analysis procedures and/or profiling (data that can, algorithmically, expose the data subject to automatic decisions). A good example would be price discrimination methodologies; exposing the user to an automatic decision of price wavering would make the data fall within the scope of the law and, consequently, be prohibited since discrimination practices are not allowed — the non-discrimination principle.
- The supervisory authority can later determine the reasonability of anonymization processes since it can issue regulations about standards and technical aspects of de-identification. On top of that, the legal regime focuses on transparent means for using and sharing anonymized data, taking into consideration the risks (probability) of re-identification related to the practice of data aggregation. To complete the regulatory framework, the supervisory authority may request privacy impact assessments of data controllers.
Consent rules:
- Unambiguous and free consent is the main rule, and express consent is only required in predetermined situations, such as for the processing of sensitive data. This approach softens the prior wide qualifications employed towards consent requirements, such as freely given, informed and express, therefore, in line with technologies such as big data, artificial intelligence and machine learning;
- Consent, however, is only one of the nine ways to authorize collection, use and processing of personal data (legal and contractual obligations included), including the necessary legal basis of legitimate interest, which shall comply with the following criteria:
- The legitimate expectations of the data subject;
- Transparency and effective ways for the data subjects to oppose to further processing of their data;
- Adequacy with the original purposes for data processing, regarding concrete situations;
- Anonymization of the personal data whenever possible; and
- Privacy impact assessment reports whenever requested by the supervisory authority.
There is, therefore, a comprehensive proportionality test that has been established for further processing of personal data based on legitimate interests. This test is significantly innovative, in particular its requirements 1, 2 and 5, if they were to be compared with other legislation, such as the European General Data Protection Regulation. Those requirements conciliate efficient mechanisms to allow data subjects to maintain control over their own personal data, and, at the same time, provide more certainty to data controllers that wish to employ further processing based on legitimate interests.
- Public data (“of unrestrictive public access”) is no exception to consent, and its processing must comply with data processing principles and rules established by the law, such as purpose limitation, good faith and the public interest which justified making the data publicly available.
Processing requirements:
- Privacy Impact Assessments (PIA) and risk based approach used to identify risks to privacy and the protection of personal data when processing for purposes of profiling and high risks cases, such as processing of sensitive data;
- Sensitive personal data can only be used for purposes of historical or scientific research or statistics if the data processing is not bound by commercial interests, or to the public administration interests, such as criminal investigations or national intelligence practices. These cases are known as “pure research”;
- Requirements for personal data processing specific to the public sector. A chapter contains rules making it necessary to inform the supervisory authority about data sharing practices amongst public entities and between public and private entities. In some cases, it might be necessary to get authorization from the supervisory authority for such data sharing practices. These changes represent advances toward oversight of personal data processing in the public sector, albeit it slight;
- Even when processing of personal data is a condition for providing a product or a service, it is necessary to ensure the data subject means to exercise their sphere of control over their data. This observation, associated with the possibility given to the supervisory authority to regulate how the aforementioned data control will be exercised, has opened space for the so-called granular consent. With this in mind, data subjects may issue fragmented authorizations regarding their personal flow of information, and, consequently, mitigating the take-it-or-leave-it logic of current privacy policies;
Organization requirements:
- Need to appoint a privacy officer, requirement that may suffer limitations to small companies’ what corroborates the focus of the law on fostering innovation and competition;
- Privacy Impact Assessments (PIA) and risk based approach used to identify risks to privacy and the protection of personal data by means of data mapping and analysis of company processes, in order to adapt them to the best practices and regulatory obligations. This practice will be considered a mitigation measure to check if the controller is taking proper safeguards to protect individuals´ data. It will also be mandatory in some cases;
- Obligation to employ general data protection principles since the technology, products and services conception, making mandatory the employment of privacy by design and data protection by design;
- Need to employhigh data security standards, including keeping of all data processing activity and use of criptography, anonymization and psedoanonymization;
- Certifications, codes of conduct and co-regulation will be recommended.
International transfers:
- Adequacy, upon the recognition of the level of protection by the supervisory authority, is only one of the methods to perform international data transfers. Others include:
- special, specific, prior and informed consent;
- biding corporate rules (BCRs);
- global corporate rules within the same company;
- standard clauses issued by the supervisory authority, and
- individual authorizations issued by the competent authority.
International data transfers based on items 2 and 3 must go beyond contractual promises regarding legal obligations. They must be complemented by accountability procedures that should be incorporated into the technology—privacy by design and data protection by design methodologies. Again, privacy might be seen as a competitive factor due to the economic advantage relating to trans-border free flow of information based on these technical “privacy friendly” requirements.
Enforcement:
- Description of the Supervisory Authority´s powers (Data Protection Authority), particularly its authority to oversee compliance with the law and enforce it upon private entities. Moreover, there is a description of the National Counsel of the Protection of Personal Data (Conselho Nacional de Proteção de Dados e da Privacidade), which will function as a multi-stakeholder entity aiming to assist the competent authority. Some attributions that deserve mentioning: promotion of debates and studies about personal data protection and dissemination of the subject among the population in general;
- Data breach notifications will be mandatory. The regulator may decide if data subjects must be directly notified about the breach and the controller may be requested to implement damage preventive measures;
- Penalties can vary from fines – there is no previous amount defined, or percentage, as the GDPR – to suspension of data processing activities for up to the years;
- The current period to adapt to the law is of 180 days, but the supervisory authority can establish rules to the progressive adaptation period of databases to the new rules and principles established by the law.
Conclusion
Despite of the currently local political crisis, the country is still walking in a fast pace in the direction of a general data protection law. There will be a significant impact, initially on operating costs, as companies of all sizes will have a predetermined period for adoption. At the same time, there will be a large number of new opportunities, especially for companies succeeding in the adoption procedures as well as those that already employ universal personal data protection principles. Therefore, the future legal framework should be regarded as a window of opportunity and companies should start in advance their preparation!
photo credit: Brasilia, Brazil: Parliament Buildings by Night via photopin