On January 28, the Ministry of Justice of Brazil started two public consultations to receive contributions on: (i) the decree that will regulate Law No. 12.965, of April 23, 2014, known as the Brazilian Internet Bill of Rights or the Marco Civil da Internet (MCI); and (ii) a Draft Bill for a Personal Data Protection Law, the Anteprojeto de Lei para a Proteção de Dados Pessoais (APL). The public consultations are being conducted through two specific interactive platforms that will collect contributions.

For those not familiar with the MCI, it has been in effect since July 24 and is aimed at establishing civil rights and obligations regarding the use and provision of Internet services in Brazil. It regulates the Internet broadly and has been welcomed both in Brazil and abroad as an opportune and pioneering effort. It reaffirms and creates, not as mere programmatic principles, certain fundamental rights of the web user, such as the rights to freedom of speech, net neutrality, privacy, plurality and diversity on the Internet. It also regulates civil liability for third-party content, establishing that the Internet application provider will only be liable for damages deriving from a third-party post if it does not obey a court order determining take-down.

The MCI public consultation platform did not present a base text for discussion. As such, the debate is taking place around certain themes that were preselected by the Ministry of Justice, such as potential exceptions to net neutrality, mandatory data retention (connection and web application logs) and data privacy. On the APL platform, by contrast, a preliminary draft was offered for discussion.

Like continental Europe, Brazil has a civil law tradition. Not surprisingly, much of the protection regime foreseen by the APL has been inspired by the European data protection framework. Specifically, our Ministry of Justice sought inspiration mostly in the proposed EU regulation. For instance, the APL defines personally identifiable information (PII) in a very similar fashion to the European proposal, by establishing that personal data are those that refer to a "natural person identified or identifiable, including by reference to an identification number, location data and online identifier".

The APL is much shorter than the proposed EU Regulation (52 vs. 91 articles), but the general picture is almost the same. Principles relating to processing are strikingly similar, as are the rights guaranteed to the data subject (right to data portability, right to object, right to be forgotten and to erasure, right of rectification, right of access, and right to transparent information and communication). On a side note, the right-to-be-forgotten provisions in the proposed EU Regulation are much stricter.

As one might expect, informational self-determination and consent are central to the APL's framework. Though conditions for lawful processing are very similar in both proposals, unfortunately legitimate interest and fairness have not been contemplated by the Brazilian text.

Striking similarity is found in the conditions for processing of sensitive information, save for a broader definition of sensitive data by the APL which treats “moral” and “philosophical” beliefs as sensitive data.

As to data security provisions, in both cases criteria for data security governance can be dictated by the supervisory authority (“competent body” in the APL). The difference lies in the fact that the APL does require that data subjects be notified of a data breach. On a related issue, data controllers will be held jointly and severally liable with data processors for the data processor's wrongdoings.

The APL does not provide for privacy by design or default, but the submission of codes of best practices by data controllers or associations is encouraged.

As to sanctions, the APL has chosen not to pre-define any amounts for monetary penalties, which leaves room for doubt as to the competence of the “competent body” to define them.

A very important point to be mentioned is that the APL left some uncertainty as to whether a supervisory authority will be created. The APL only mentioned a "competent body" without establishing its institutional format or explicitly defining its competence. These gaps are explained by a lack of consensus within the government as to the convenience of such an authority. Concerns regarding funding permeate internal discussions.

On the bright side, the Ministry of Justice, sponsor of the draft bill, favors the creation of a specific agency. Beyond the traditional reasons that advise the creation of such an authority, it will be essential for Brazil specifically. In our view, if rulemaking and enforcement are left to our consumer protection system, we will have to cope with a regime of diffuse and fragmented enforcement and protection, which would prove to be highly inefficient in the long run.

At this point, it is very early to estimate the likelihood of the APL being passed. After the public consultation process ends, it will still need to be sent to our National Congress, where it will face a number of commissions. There, it will probably be weighed together with other existing bills relating to data protection. Moreover, our executive branch, which sponsors the draft bill, has lost much of its support in Congress after the past general election. On the other hand, privacy tends to be a hot topic for Congress, and in our view this will foster interest in voting on the matter.

A draft bill has been promised by the Ministry of Justice for the past two to three years, meaning that there has been much anticipation among economic sectors that are traditionally highly dependent on data processing. These sectors have not issued public comments to this point. Among other players, which are just now starting to rely on data processing, awareness is still low. This tends to change over time.