Brazil is one of the countries with the highest number of internet users in the world. The use of internet and digital technologies has boosted the collection, storage and use of data in Brazil, stressing the importance of protecting users’ privacy and their personal data, as well as the urgency to regulate the treatment and use of personal data in Brazil.
The increased use of the internet and mobile devices on the one hand, and developments in the area of digital technology on the other, have proved challenging for the collection and use of information and personal data. As much more data related to users (including personal information and data, consumer behaviour and health data) have been generated, stored and often disseminated by networks, some issues have arisen in Brazil regarding the protection of privacy and the current rules of the right of privacy and protection of data.
Protection of privacy becomes an important issue when it relates to the collection, storage, use and sale of personal information. Indeed, the diffusion of digital technologies in Brazil has increased the collection and storage of personal information, and some data controllers have been disseminating private information to commercial partners, allowing them to access a variety of personal data to use for marketing purposes. Although the use of personal data is regulated in most Western countries, there is an almost complete absence of specific rules concerning these matters in Brazil.
The Brazilian legal system is based on the civil law tradition, which uses legal codes as the major source of law. In this sense, the Brazilian Federal Constitution of 1988 establishes the general principles and rules that must be observed by the Brazilian Congress, the House of Representatives, and the various state and administrative bodies during the making of the law, statutes, decrees, regulations and all kinds of rules issued in the Brazilian territory. In the absence of an internal infra-constitutional law or rules related to a specific matter, in general terms, the constitutional principles and rules shall apply to facts not provided for by law.
In Brazil, privacy and data protection are treated as distinct concepts, although both concepts derive from the Constitution, under which the right to privacy is a constitutional principle. While privacy is regulated in the Brazilian Civil Code (Article 21),2 data protection demands specific rules. In this sense, Law No. 12.965 (Brazil’s Civil Rights Framework for the Internet) regulates aspects of data privacy within the framework of the internet; however, it only applies to the collection, storage and use of data in the context of the internet. Outside the internet, there is no specific statute to regulate data protection and cybersecurity issues, although some sector-specific laws provide rules related to the protection of personal data. Notwithstanding, Bill No. 4.060/2012, which is before the Congress, aims to regulate the protection and treatment of personal data in Brazilian territory.
Cybersecurity is regulated in the criminal sphere in Brazil, as outlined below.
II THE YEAR IN REVIEW
It has been a very important year in Brazil. After the publication of Law No. 12.965 on 11 May, former President Dilma Rousseff signed Decree No. 8.771/2016, which regulates some of the provisions of Law No. 12.965, including the rules on neutrality and the protection of logs and private communications.
In the field of case law, the Brazilian media have reported revenge porn cases related to both celebrities and private people. Revenge porn is currently regulated by Article 21 of the Civil Rights Framework for the Internet.
Further, Brazilian courts have ordered some controversial blocking of WhatsApp based on the refusal of the internet provider to deliver consumer data and to intercept user communications in real time. Meanwhile, four decisions by Brazilian state courts have been issued in criminal procedures related to the investigation of crimes such as paedophilia, robbery involving death and drug trafficking.
All the above-mentioned decisions were based on Article 12, Item III of Law No. 12.965/14. Fortunately, the Supreme Federal Court has held that the adoption of such a drastic measure was ‘unreasonable and disproportionate’, as it left millions of Brazilians without this important means of communication. The Supreme Court emphasised that Brazil’s Civil Rights Framework for the Internet guarantees freedom of expression and security of communications.
This has been a landmark year for internet law in Brazil, with the consolidation of the principles and provisions stated by the Civil Rights Framework for the Internet. The next few years will be dedicated to the development of data protection in Brazilian territory.
III REGULATORY FRAMEWORK
In Brazil, the right to privacy is protected under the Constitution (Article 5, X), under which the right to privacy is a constitutional principle. In addition to the constitutional principle of privacy, the Brazilian Civil Code (Law No. 10.406/2002) regulates the right to privacy, which applies generally for individuals, but does not regulate data protection.
Law No. 12.965 establishes the principles, guarantees, rights and obligations for the use of the internet in Brazil. Law No. 12.965, which is a unique internet-related statute, has influenced other legislation around the world. It focuses on the protection of rights in the context of the internet and regulates aspects of data privacy within the framework of the internet.
It is important to reiterate that Brazil currently has no general data privacy regime in place, and that Law No. 12.965 only regulates internet-related data privacy. It does not reach the collection, storing and processing of personal data outside the internet.
Law No. 12.965 implements civil rights related to the internet in Brazil and imposes obligations on internet service providers as well as internet users over the Brazilian territory. Among other rules, it establishes principles for usage of the internet in Brazil, namely:
- (a) freedom of speech, communication and expression, pursuant to the Constitution;
- (b) the protection of privacy;
- (c) the protection of personal data in accordance with the law;
- (d) the preservation and guaranteeing of net neutrality according to the regulations;
- (e) the preservation of the stability, security and functionality of the network by means of technical practices compatible with international standards and the incentives for the use of best practices;
- (f) the liability of agents, according to their activities, in line with the law; and
- (g) the preservation of the participatory nature of the internet.
Particular attention should be paid to the fact that the above-mentioned principles defined by Law No. 12.965 do not exclude other principles set forth by the national legal system related to the matter, or by those under international treaties signed by Brazil.
Further, Law No. 12.965 guarantees to users the following rights:
- (a) the right to the non-violation and secrecy of their communications, except in the case of a court order, under the specific clauses determined by law, for the purpose of a criminal investigation or under a criminal lawsuit;
- (b) the right to have clear and comprehensive information included in contracts with providers that expresses the regime for the protection of personal data, connection logs and internet service access logs, as well as information on the providers’ adopted practices for network management that might affect the quality of service offered; and
- (c) the right to the non-disclosure or use of connection logs and internet services access logs, except under express consent or due to a court order.
Under Law No. 12.965, the keeping of records, and the provision of connection and access to the internet, must comply with the preservation of the privacy, private life, honour and image of parties. Breach of this rule shall subject the provider to civil, criminal and administrative sanctions provided by law.
Furthermore, under Law No. 12.965, providers of internet applications may only be liable for damages arising out of content that is generated by third parties after receiving a specific court order regarding such content if they do not take any step – within the framework of their services and within the time period provided – to make unavailable the illegal content.
In addition to Law No. 12.965, Bill No. 4.060/2012 is currently under consideration in Congress to establish the protection and treatment of personal data. This Bill is quite important for the further development of data protection in Brazil, since Law No. 12.965 applies only to internet issues. As such, in cases of intranet issues or other situations not connected with the use of the internet in Brazil, Law No. 12.965 does not apply, and individuals, companies and organisations must seek relief in court based on constitutional principles and rules.
Recently, Bill No. 5276/2016, which is intended to regulate the processing of personal data to guarantee the free development of the personality and dignity of natural persons, was attached to Bill No. 4.060/2012. Bill No. 5276/2016 aims to change the rules proposed by Bill No. 4.060/2012. As these Bills are still under consideration by Congress, all the related provisions are not yet in force; however, they do serve to indicate where the law should develop.
Thus, although there is an absence of specific rules related to personal data, apart from those provided by Law No. 12.965, which only applies to internet issues, it is possible to apply the constitutional and general civil rules to enforce the right of privacy.
On the other hand, the Brazilian Copyright Law has a specific provision on data protection – although it only protects the titleholder of the collected data.3 These general provisions, however, do not reflect the necessary grounds for ensuring clear and transparent rules relating to personal data protection through networks.
In the criminal sphere, the Brazilian legal system does not have specific legislation covering violations of protected data, so that the penalties applied to offenders who disclose secret data or data that violate the intimacy, private life, honour and image of a person are established sparsely, and in various legal provisions. In this respect, we can cite the following examples:
With regard to the protection of children and adolescents, Articles 17, 18, 143 and 247 of Law 8,069/90 contain rules to protect the image and reputation of children and adolescents by punishing anyone who exposes them in a negative or injurious manner.
In turn, protection of banking and tax secrecy is established by Article 5, X, of the Federal Constitution, with some exceptions set out in Complementary Law 105/01.4 Specifically regarding taxation, Article 198 of the National Tax Code establishes sanctions for violations of fiscal secrecy,5 as do Articles 154 and 325 of the Penal Code, which cover unauthorised revelation of secrets in general:6
The secrecy of telephonic, telegraphic and computerized communications is covered by Law 9,296/96,7 which regulates the rule of Article 5, XII, of the Federal Constitution, according to which ‘the secrecy of correspondence, telegraphic communications, data transmission and telephonic communications is inviolable, except, in the last case, by court order, in the situations and in the form established by law for purposes of criminal investigation or to obtain evidence in a criminal proceeding [...]’.
That law, in Article 10, defines as criminal the interception of telephone or computer communications or the breach of judicial secrecy without a court order or with objectives not authorised by law. Violation is punishable by two to four years in prison and a fine.
IV INTERNATIONAL DATA TRANSFER
Brazil currently has no regulation on international data transfer. Bill No. 5276/2016 is currently under consideration in Congress to regulate the processing of personal data, and it provides a chapter dedicated to international data transfer.
Nevertheless, Brazil’s Civil Rights Framework for the Internet states that in any operation for the collection, storage, retention and treatment of personal data by internet application providers where at least one of these acts takes place in the Brazilian territory, Brazilian law must be mandatorily respected regarding the protection of personal data, even if such activities are carried out by a legal entity based abroad, provided that it offers services to the Brazilian public or at least one member of the same economic group is established in Brazil. Thus, if a foreign company intends to collect data in Brazil to transfer to other countries, Brazil’s Civil Rights Framework for the Internet must apply to the collection, storage, retention and treatment of the personal data.
V COMPANY POLICIES AND PRACTICES
Law 12.965/2014 regulates the collection, storage and treatment of personal data in the context of the internet. Under this Law, internet providers must obtain the prior authorisation of individuals to collect, store and treat their data, and must delete any collected, stored and treated data if so required by the individual.
VI DISCOVERY AND DISCLOSURE
As previously mentioned, protection of privacy and intimacy in general is set out in Article 5, X, of the Constitution. The right of privacy and intimacy is enshrined in the list of fundamental rights or, according to Ingo Sarlet,8 first-generation rights, so that the right of privacy and intimacy can only be relaxed to optimise or safeguard another fundamental right.
Again according to that legal scholar, the relaxation of guarantees can only occur when they collide with other guarantees, and only to the extent indicated by weighing the respective rights or by applying the principle of proportionality.9 Therefore, in the ambit of criminal investigations, unless a specific law exists authorising it, the breach of privacy is subject to judicial reservation, meaning that the investigatory authority (the police or public prosecution service) must obtain a court order to override the secrecy of private information (inter alia, bank and tax data, personal information, telephone communications, written communications, data exchange).
With respect to requests for information by investigatory bodies in the international arena, these will be subject to the existence of a mutual legal assistance treaty (MLAT) between Brazil and the other country. If no treaty for international cooperation in criminal matters exists, a request for private information protected by secrecy must be formulated by the foreign authority by means of a letter rogatory, addressed to the Superior Tribunal of Justice (STJ) (the highest court for non-constitutional matters). Only after this court grants exequatur can the request be sent to a local judicial authority with competence to order compliance with the request from the foreign authority.
The letter rogatory route is much slower than when an MLAT exists, for example, as happens between Brazil and the United States.10 As a rule, under MLATs, requests are made through a central authority designated by each country, thus obviating the need for a decision by the STJ in Brazil.
For example, in the case of a request for cooperation to obtain evidence in a criminal investigation where this is subject to the judicial reservation clause,11 the Brazilian Central Authority will send the request to the Federal Prosecution Service, which has competence to apply for court orders. Since judgment by the STJ is not necessary, direct requests for assistance (via MLATs) are faster and more efficient.
VII PUBLIC AND PRIVATE ENFORCEMENT
Brazil does not have a data protection authority yet. However, the consumer protection and defence authorities (PROCONs), which are local official bodies created by Brazilian states and municipalities, as well as by the federal district, are empowered to defend and protect the rights and interests of consumers. Thus, as PROCONs are currently in charge of the protection of consumers, they can prosecute and impose penalties on companies inside their jurisdictions for offences related to consumers’ data protection and privacy.
Besides the PROCONs, the Brazilian Public Prosecutor’s Office may prosecute before the court, and its power encompasses not only consumers’ rights but also all criminal-related and internet-related issues.
Moreover, individuals and companies may enforce their own rights before the court.
VIII CONSIDERATIONS FOR FOREIGN ORGANISATIONS
Due to considerations of space, infrastructure and convenience, companies are increasingly allowing their employees to work from home on some days of the week. These employees typically use their own mobile devices for work purposes, thus facilitating mobility and reducing companies’ costs.
However, this ‘bring your own device’ arrangement12 potentially generates a serious problem: how can a company, if it is, for example, performing an internal audit as part of its compliance policy, have access to the data stored in the personal devices employees use for work? One solution to this problem can be the adoption of internal rules stipulating that all files and documents related to business activity be stored in a data cloud or filed on a shared company network.
However, another question arises: what can the company do to check whether an employee is storing work-related files or documents in a personal device rather than a shared company file?
In this case, as a rule, unauthorised access to a mobile device constitutes a violation of information belonging to another party, defined as a crime in Article 154-A of the Brazilian Penal Code,13 so that a company policy requiring employees to allow access to their mobile devices would be illegal.
However, it is important to mention that in the Brazilian legal system (other than for environmental crimes), only individuals can be held criminally liable, not companies. Therefore, in cases of unauthorised invasion of an electronic device, the crime will be imputed to the person within the company who carried out the invasion, along with the person who ordered this illegal action.
IX CYBERSECURITY AND DATA BREACHES
Since the criminal law is the strongest expression of governmental power over individual freedom, the rational justification of the punitive system requires that the suppressive power of the government only be used when absolutely necessary, when other branches of law are not sufficient or able to protect rights. This is known as the principle of minimum intervention.
It is not difficult, especially in the Brazilian legal system, to observe the enactment of ‘emergency’ criminal laws. These are laws that are approved by legislators hastily in response to the media repercussion of a particular event or situation to satisfy the social clamour for ‘justice’. Often, these laws create new crimes or enhance penalties for existing ones that are unnecessary to protect the public interest, or that turn out to have unexpected negative consequences, flying in the face of the mentioned principle,14 although this is by no means always the case, since the law must be agile to cover new technological developments.
In this respect, and specifically related to the privacy of digital data, mention can be made of Law 12,737/12, which introduced Article 154-A to the Penal Code.15 It is popularly called the Carolina Dieckmann Law, referring to the famous Brazilian actress who in 2012 had her intimate photos posted online after files from her digital camera were copied by a repair shop technician.
In defining a new type of crime, Brazilian lawmakers were faced with a question not specifically covered by criminal law, namely the invasion of electronic devices to obtain, adulterate or destroy data or information without the express or tacit authorisation of the owner, or to install security threats to obtain illicit advantage.
Therefore, the natural problem that arises is to what extent intervention by the criminal law is necessary. This requires facing the following questions:
- (a) If the type of crime did not exist, would the criminal law be able to protect the public against injury resulting from the conduct newly typified?; and
- (b) Is the state power, in its strongest expression, necessary, or would civil law and other branches of law suffice to redress the damage caused?
On the first question, although it can be said that Articles 158 and 171 of the Penal Code, covering extortion and larceny by fraud,16 are sufficient alone to punish installation of security threats in electronic devices, it must be mentioned that these crimes are limited to situations where the offender obtains an illicit advantage, while the new type of crime goes further by also covering mere invasion of privacy.
In turn, on the second question – obtaining, altering or destroying data – a parallel can be drawn with the violation of sensitive personal data (in corporate or personal systems) by companies, which not infrequently exchange or sell data and information about their customers to other companies.
In both cases, it can be argued that the damage caused can be satisfactorily redressed, and the conduct suppressed, by civil law, through suits for compensation, independent of criminal liability of the offender.
In light of all the foregoing, we believe that privacy and intimacy are sufficiently protected in the Brazilian legal system. Nevertheless, as is typical of delinquency in general, those constitutional guarantees will always be targets of increasingly elaborate attacks, so the interpreters of the law must act diligently to frame the offending conduct within the existing legal rules and principles.
As discussed above, privacy and intimacy are sufficiently protected in the civil and criminal spheres in Brazil. However, data protection is only regulated in the context of the internet by Law 12.965/2014. In this sense, two important bills (No. 4.060/2012 and 5.276/2016) are under consideration by Congress that aim to regulate data protection outside the context of the internet. We look forward to seeing whether Congress will pass the data protection bills, which will regulate these rights in Brazil.
1 Daniel Pitanga Bastos de Souza is a senior associate and Bruno Granzotto Giusto is a partner at Siqueira Castro – Advogados. The authors would like to thank Fernando Pires Nunes de Almeida for his contribution to this chapter.
2 Article 21: an individual’s private life is inviolable, and a judge, at the request of the interested party, may take necessary measures to prevent or terminate any acts contrary to this standard.
3 Article 87. The owner of the economic rights in a database shall enjoy the exclusive right to authorise or prohibit the following in relation to the form of expression of the structure of that database: I. complete or partial reproduction by any means or process; II. translation, adaptation, rearrangement and any other modification; III. distribution of the original or copies of the database, or communication of the database to the public; and IV. reproduction, distribution or communication to the public of the results of the operations referred to in item II of this Article.
4 Complementary Law 105/01. ‘Addresses the secrecy of the transactions of financial institutions and other matters’: www.planalto.gov.br/ccivil_03/leis/LCP/Lcp105.htm. Last accessed on 26 August 2016.
5 Law 5,172/66. ‘Addresses the National Tax System and establishes general rules of tax law applicable to the Federal, State and Municipal Governments’: www.planalto.gov.br/ccivil_03/leis/L5172Compilado.htm Last accessed on 26 August 2016. Article 198: ‘Without prejudice to the provisions of criminal legislation, the disclosure by the Tax Administration or its civil servants of information obtained by reason of their authority about the economic or financial situation of taxpayers or third parties and about the nature and the state of their business affairs or activities is forbidden.’
6 Decree-Law 2,848/40. Penal Code: www.planalto.gov.br/ccivil_03/decreto-lei/Del2848compilado.htm. Last accessed on 26 August 2016. Article 154: ‘To reveal to someone, without just cause, a secret one learns by reason of one’s function, position, trade or profession and whose revelation can produce damage to another person: Penalty – detention of three months to one year, or a fine.’ Article 325: ‘To reveal a fact one learns by reason of one’s position and that must remain secret, or to facilitate the revelation thereof: Penalty – detention of six months to two years, or a fine, if the fact does not constitute a more serious crime.’
8 Sarlet, Ingo Wolfgang. Curso de direito constitucional, São Paulo: Editora Revista dos Tribunais, 2012, p. 260.
9 Alexy, Robert. Teoria dos direitos fundamentais, 5th edition, São Paulo: Malheiros Editores, 2006, p. 94.
10 Decree 3,810 of 2 May 2001. ‘Promulgates the Treaty between the Government of the Federative Republic of Brazil and the Government of the United States of America on Mutual Legal Assistance in Criminal Matters, signed at Brasília on October 14, 1997, corrected in its version in Portuguese through Exchange of notes on February 15, 2001.’ www.planalto.gov.br/ccivil_03/decreto/2001/D3810.htm. Last accessed on 26 August 2016.
11 The judgment exercised by the STJ when receiving a letter rogatory is restricted to verification of whether the request formulated by the foreign state satisfies the necessary formalities, without examining the merit of the question. If the formal aspects are satisfied, there is no violation of human rights, and the statutory limitation period has not lapsed, the STJ will issue exequatur and send the request for cooperation to the competent authority (usually a federal court).
12 olhardigital.uol.com.br/noticia/bring-your-own-device-que-tal-levar-os-proprios-dispositivos-para-trabalhar/26418. Last accessed on 26 August 2016.
13 Penal Code, Article 154-A: ‘To invade another’s informatics device, connected or not to a network of computers, by undue violation of a security mechanism and with the purpose of obtaining, adulterating or destroying data without the express or tacit authorisation of the owner of the device, or to install security threats to obtain illicit advantage: Penalty – detention of three months to one year, and a fine.’
14 Martinelli, João Paulo Orsini and BEM, Leonardo Schmitt de. Lições fundamentais de direito penal: parte geral. São Paulo: Saraiva, 2016, p. 156.
15 Penal Code, Article 154-A.
16 Penal Code, Article 158: ‘To restrain someone, by violence or grave threat, with the intent to obtain for oneself or another an undue economic advantage, or to tolerate doing or refraining from doing something: Penalty – imprisonment from four to ten years, and a fine.’ Article 171: ‘To obtain, for oneself or another, an illicit advantage, causing harm to another, by inducing or maintaining an error, through artifice, ruse or any other fraudulent means: Penalty – imprisonment of one to five years, and a fine of five hundred mil réis to ten contos de réis.’ (the Brazilian currency units at the time of enactment).