In 2010, Brazil launched the first version of a draft law that aimed to comprehensively regulate personal data protection. That first version, which provided not only a concept of personal data but also several general data processing principles, data subjects' rights and data controllers' duties, was opened to online public discussion in 2011. An updated version was released in January 2015 and was also opened to public consultation through a platform on the Brazilian Ministry of Justice website, which received more than 1,500 comments from all over the world. The newest version, which incorporates several suggestions from those comments, was made available on October 20 of this year.

Below is a list of the innovations, with a brief explanation of each, leaving critical considerations aside for now:

Revised concepts and definitions:

  • A statement that one of the purposes of the law is to guarantee the free development of personality, as well as liberty rights, intimacy and privacy. The law thereby confirms that the right to the protection of personal data is autonomous from the right to privacy and is to be interpreted through the lens of personality rights;
  • Modification of the concept of personal data: on one side, unique electronic identifiers count as personal data only when they refer to an identifiable person, which can be read as excluding identifiers of equipment. On the other side, every other type of data is personal data, for the purposes of the law, if it relates to an identified or identifiable person, so the expansive reading of the concept prevails;
  • Biometric data has been included in the concept of sensitive data, together with genetic data. The previous version of the draft had instead left the classification of such data to later regulation by the supervisory authority;

On anonymization:

  • References to anonymous data and associated data are no longer in the law. Both were replaced by anonymized data, a direct reference to anonymization procedures that make identifying a data subject unlikely;
  • However, anonymized data falls within the scope of the law if it can reasonably be re-identified, or if it can influence data subjects' lives through behavior analysis and/or profiling (data that can algorithmically expose the data subject to automated decisions). Price discrimination is a good example: exposing the user to an automated decision that varies the price would bring the data within the scope of the law and, since discriminatory practices are not allowed under the non-discrimination principle, would make the practice prohibited;
  • The supervisory authority can later determine what counts as reasonable anonymization, since it may issue regulations on standards and technical aspects of de-identification. On top of that, the legal regime focuses on transparent means for using and sharing anonymized data, which may reflect the so-called information-entropy framework, in which the risk (probability) of re-identification grows as data is aggregated, each linked attribute removing some of the uncertainty that protected the data subject. To complete the regulatory framework, the supervisory authority may request privacy impact assessments from data controllers;
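The entropy view of re-identification risk mentioned above can be made concrete. The following is an added example written for this page; it is not from the draft law, the Ministry of Justice or the post's author, and the released table, the target's side information and all record values are constructed. It links one attribute at a time to a "de-identified" table and reports how many records are still consistent with the target (k), how many bits of uncertainty remain (log2 k) and the chance of singling the target out (1/k). It also shows the k-anonymity check a controller can run before calling a release anonymized, and how coarsening the quasi-identifiers changes the outcome.

```python
"""How linking attributes (aggregation) shrinks the anonymity of a "de-identified" record.

Added, constructed example; not from the draft law or its authors. The
released table and the adversary's side knowledge are synthetic. The measure
is the usual one: if a target is consistent with k released records, the
adversary still lacks log2(k) bits to single it out and guesses right with
probability 1/k. Every attribute linked in removes bits, which is the
entropy view of re-identification risk.
"""
import math
from collections import Counter

# Constructed "anonymized" release: direct identifiers removed, three
# quasi-identifiers (zip, age, sex) left in the clear next to a diagnosis.
RELEASED = [
    {"id": 0, "zip": "01310", "age": 34, "sex": "F", "dx": "asthma"},
    {"id": 1, "zip": "01310", "age": 36, "sex": "F", "dx": "flu"},
    {"id": 2, "zip": "01311", "age": 35, "sex": "M", "dx": "diabetes"},
    {"id": 3, "zip": "01311", "age": 33, "sex": "M", "dx": "flu"},
    {"id": 4, "zip": "20040", "age": 52, "sex": "F", "dx": "hypertension"},
    {"id": 5, "zip": "20041", "age": 58, "sex": "F", "dx": "asthma"},
    {"id": 6, "zip": "20042", "age": 55, "sex": "M", "dx": "flu"},
    {"id": 7, "zip": "20042", "age": 57, "sex": "M", "dx": "diabetes"},
]
QUASI_IDS = ("zip", "age", "sex")

# Constructed side knowledge about one target (the kind of thing a public
# registry or a social profile leaks), linked in this order.
SIDE_INFO = {"sex": "F", "zip": "01310", "age": 34}


def matches(records, known):
    """Released records still consistent with everything linked so far."""
    return [r for r in records if all(r.get(k) == v for k, v in known.items())]


def reidentification_path(records, side_info):
    """Link side-information attributes one at a time.

    Returns a list of (attribute, k, remaining_bits, single_out_probability),
    starting from the state where nothing about the target is known.
    """
    n = len(records)
    steps = [("nothing", n, math.log2(n), 1.0 / n)]
    known = {}
    for attr, value in side_info.items():
        known[attr] = value
        k = len(matches(records, known))
        bits = math.log2(k) if k else float("nan")
        steps.append((attr, k, bits, 1.0 / k if k else 0.0))
    return steps


def k_anonymity(records, keys=QUASI_IDS):
    """Smallest group sharing the same quasi-identifier values (1 means someone is unique)."""
    classes = Counter(tuple(r[k] for k in keys) for r in records)
    return min(classes.values())


def generalize(record):
    """Coarsen the quasi-identifiers: 3-digit zip prefix and 10-year age band."""
    out = dict(record)
    if "zip" in out:
        out["zip"] = out["zip"][:3] + "**"
    if "age" in out:
        low = (out["age"] // 10) * 10
        out["age"] = f"{low}-{low + 9}"
    return out


if __name__ == "__main__":
    for label, table, side in (
        ("raw release", RELEASED, SIDE_INFO),
        ("generalized release", [generalize(r) for r in RELEASED], generalize(SIDE_INFO)),
    ):
        print(f"{label}: k-anonymity = {k_anonymity(table)}")
        for attr, k, bits, prob in reidentification_path(table, side):
            print(f"  after linking {attr:<8} k={k}  bits left={bits:.1f}  P(single out)={prob:.2f}")
```

On the raw release the path ends at k=1 (zero bits left, the target is singled out) even though no name was ever published, which is exactly the "reasonably re-identifiable" case that pulls the data back under the law. Coarsening zip and age raises the table's k-anonymity to 2, so the same side knowledge stops at a coin flip. The point for a controller is that "anonymized" is a claim about what an adversary can link, not about which columns were deleted.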

New consent rules:

  • Consent is now only one of nine legal bases for collecting, using and processing personal data. Among the new bases is legitimate interest, which must satisfy the following criteria:
    1. The legitimate expectations of the data subject;
    2. Transparency and effective ways for data subjects to oppose further processing of their data;
    3. Consistency with the original purposes of the processing, assessed in the concrete situation;
    4. Anonymization of the personal data whenever possible; and
    5. Privacy impact assessment reports whenever requested by the supervisory authority.

A comprehensive proportionality test has therefore been established for further processing of personal data based on legitimate interests. The test is significantly innovative, in particular requirements 1, 2 and 5, when compared with other legislative initiatives such as the European General Data Protection Regulation under discussion. The new requirements combine effective mechanisms for data subjects to keep control over their personal data with more certainty for data controllers that wish to carry out further processing based on legitimate interests;

  • Unambiguous and free consent is now the main rule, and express consent is required only in predetermined situations, such as the processing of sensitive data. This approach softens the broad qualifications previously attached to consent, such as freely given, informed and express;
  • Public data ("of unrestricted public access") is no longer an exception to consent, and its processing must comply with the data processing principles and rules established by the law, such as purpose limitation, good faith and the public interest that justified making the data publicly available. This clarifies that the dynamics of personal data protection do not follow the public/private dichotomy inherent to the right to privacy;

Changes in processing and organizational requirements:

  • Obligation to apply the general data protection principles from the conception of the technology onwards, making privacy by design and data protection by design mandatory;
  • Sensitive personal data can be used for historical or scientific research or statistics only if the processing is not bound to commercial interests or to public-administration interests such as criminal investigations or national intelligence. These cases are known as "pure research";
  • Requirements for personal data processing specific to the public sector. A new chapter contains rules requiring the supervisory authority to be informed about data sharing between public entities and between public and private entities. In some cases, the supervisory authority's authorization may be required for such sharing. These changes represent advances, albeit slight ones, toward oversight of personal data processing in the public sector;
  • Even when processing of personal data is a condition for providing a product or service, the data subject must be given the means to exercise control over their data. This provision, combined with the supervisory authority's power to regulate how that control is exercised, opens space for so-called granular consent: data subjects may grant fragmented authorizations over their personal information flows, eliminating the take-it-or-leave-it logic of current privacy policies;
  • Data subjects have a right to portability of their personal data (similar to the current EU GDPR draft), which must be provided in an interoperable format. Such practices may turn personal data protection into a competitive factor for increasing market share, specifically for less invasive data processing services;
  • Adequacy, upon recognition of the level of protection by the supervisory authority, is only one of the methods for international data transfers. Others include:
    1. special, specific, prior and informed consent;
    2. binding corporate rules (BCRs);
    3. global corporate rules within the same company;
    4. standard clauses issued by the supervisory authority; and
    5. individual authorizations issued by the competent authority.

International data transfers based on items 2 and 3 must go beyond contractual promises about legal obligations: they must be complemented by accountability procedures built into the technology itself (privacy by design and data protection by design). Again, privacy may become a competitive factor, given the economic advantage of trans-border free flow of information based on these technical "privacy friendly" requirements;

  • Possible exemption of small companies from the need to appoint a privacy officer, which corroborates the law's focus on fostering innovation and competition;

Enforcement:

  • New set of guidelines for interpreting and enforcing the law, including the right to informational self-determination, freedom of speech and communication, free enterprise and free competition. The guidelines are a true arsenal for guiding the interpretation of all provisions of the law;
  • Description of the supervisory authority's powers, particularly its authority to oversee compliance with the law and enforce it against private entities. The draft also describes the National Council for the Protection of Personal Data and Privacy (Conselho Nacional de Proteção de Dados e da Privacidade), a multi-stakeholder body that will assist the competent authority. Among its attributions worth mentioning: promoting debates and studies about personal data protection and disseminating the subject among the general population;
  • The period to adapt to the law was extended from 60 days to 180 days, while the supervisory authority retains the possibility of establishing rules for the progressive adaptation of databases to the new rules and principles.

To conclude, the public consultations on the draft law have been very fruitful and, above all, useful, since this series of innovations results from civil society's engagement in the debate. There is certainly a sense of fulfillment for the Brazilian Ministry of Justice, which is responsible for the open discussion, and for all of Brazilian society that embraced the opportunity.

However, there is still a lot of work to be done. The draft will soon be presented to the National Congress as a bill, initiating a (possibly long) period of new discussions that should once more engage all of civil society.

photo credit: Brasilia, Brazil: Parliament Buildings by Night via photopin (license)