The Brazilian Federal Constitution guarantees privacy protection as a fundamental right of all individuals. The Brazilian Civil Code, the Consumer Protection Code, the Information Access Act, the Banking Secrecy Act, the Wiretap Act and the Internet Act are the main statutes governing the processing of personal data, although such statutes apply in specific circumstances, such as in a consumer relationship, in case of data collected online, in case of data controlled by the government, etc.
After years of legislative process, the Brazilian Congress finally approved and the President enacted Law 13,709, of 14 August 2018, the Brazilian Data Protection Law (LGPD). The LGPD was significantly inspired by the General Data Protection Regulation (GDPR) of the European Union. The LGPD establishes detailed rules for the collection, use, processing and storage of personal data in Brazil. This statute is applicable to private and public entities in all economic sectors, both in the digital and physical environment. The LGPD will become effective on 16 February 2020. While the final text of the LGPD approved by Congress provided for the creation of the National Data Protection Authority (DPA), the President vetoed the creation of such entity owing to a flaw in the legislative process. Under the Brazilian Federal Constitution, the creation of independent regulatory agencies and public functions can only be made by means of a bill submitted to Congress by the President. In the original bill on data protection submitted by the President through the Ministry of Justice, the DPA was not actually created. If the creation of the DPA had not been vetoed by the President, an important constitutional debate would have taken place and the authority of the DPA would have been disputed. It is expected that the President will send another draft bill to Congress in order to correct the flaw and allow the DPA to be properly established by the time the LGPD comes into effect.
Until then, the Public Prosecutor's Office, the Ministry of Justice, consumer protection authorities (such as the Consumer Protection and Defence Authority (PROCON)) and sector-specific regulatory agencies (such as the Brazilian Central Bank, the Brazilian Securities and Exchange Commission, among others) are handling matters of potential violations of privacy rights in Brazil. Among such authorities, the Federal Prosecutors of the Federal District created a data privacy division, which has turned out to be the most proactive body in prosecuting companies in connection with potential data privacy violations.
II THE YEAR IN REVIEW
The entry into force of the GDPR in May 2018 and the Cambridge Analytica scandal prompted the Brazilian Congress to expedite the last stage of the LGPD debate. Another fact that contributed to the approval of the new legislation was the country's desire to become a member of the Organisation for Economic Co-operation and Development (OECD), which requires the approval of omnibus data protection legislation.
As a result, after more than eight years in debate, the LGPD was finally approved; and the impact of this new law is very relevant, not only for Brazilian companies that process personal data in Brazil, but also for any foreign company that processes personal data in the context of offering goods and services to individuals located in Brazil. Just like the GDPR, the LGPD has significant extraterritorial reach.
Aside from the legislation, another important debate took place in the country's Superior Court of Justice, which considered null and void a consent for intercompany data sharing included in the privacy statement of a large financial institution. The Court took the position that, despite the clear language in the privacy statement accepted by the data subject authorising the sharing of information, the data subject could not freely object to the data sharing and still retain the credit card services he or she was seeking. Because the sharing of information was made for commercial purposes and was not needed to provide the service, the Court deemed the consent invalid on this specific matter.
Another interesting debate is taking place in the Supreme Court, which is analysing the legality of encryption technology that prevents the disclosure of communications content to law enforcement. A decision on this matter is still pending.
III REGULATORY FRAMEWORK
i Privacy and data protection legislation and standards
The Federal Constitution and Civil Code
The Federal Constitution rules that intimacy, private life, honour, and image are fundamental rights of all individuals and are inviolable. Individuals who suffer material or moral damage as a result of violation of such rights have the right to indemnification. The Federal Constitution also establishes that one's mail, data and telephone communications are inviolable, except by authority of a court order and within the context of criminal investigations. The Brazilian Civil Code acknowledges and reinforces the principle that privacy is inherent to an individual's personality and dignity.
The Brazilian Data Protection Law
The recently approved LGPD establishes detailed rules for the collection, use, processing and storage of personal data in Brazil. This omnibus law is applicable2 to any processing activity of personal data carried out by a natural person or legal entity, regardless of the means of processing (i.e., digital or not) and of where the processing agent is headquartered, provided that the processing is carried out in Brazil; the processing relates to the offer or supply of goods or services in Brazil; or the data was collected in Brazil.
Under the LGPD, personal data is defined as 'information related to an identified or identifiable natural person'. Any processing activity shall be made in accordance with the principles set forth therein3 and based on one or more of the following legal bases for data processing provided for in such law:
- compliance with a legal or regulatory obligation;
- when necessary for the performance of a contract, or of preliminary procedures related to a contract, to which the data subject is a party, at the request of the data subject;
- when necessary to meet the legitimate interest of the data controller or third parties;
- regular exercise of rights in judicial, administrative or arbitral proceedings;
- protection of the life or physical safety of the data subject or third party;
- protection of health, in proceedings carried out by health professionals or by health entities;
- by research bodies, to carry out studies, provided that personal data is anonymised whenever possible;
- by the public administration, for the execution of public policies; and
- protection of credit.
The LGPD draws a distinction between personal data and sensitive data and imposes a higher bar for allowing processing of the latter.4 Sensitive data shall mean any information related to a data subject concerning racial or ethnic origin, religious beliefs, political opinions, membership of trade unions or religious, philosophical or political organisations, health, sexual life, genetics or biometrics.
When relying on consent, the LGPD imposes specific requirements: the consent shall be prior, free, informed and unequivocal. For sensitive data, in addition to such requirements, the consent must be specific and given separately from other consents.
Several other rights have been granted to data subjects, such as the right to obtain information regarding the processing of data, the right of access, the right to rectify and erase data, the right to withdraw consent, the right to be informed of the entities with which the data has been shared, the right to data portability and the right to obtain the review of automated decisions.
The new law also provides for limitations to international data transfers as further detailed below. The LGPD also contemplates data incident reporting obligations (see Section IX below).
Anonymised data is outside the scope of the LGPD. Anonymised data is defined as data relating to an individual who cannot be identified using the reasonable technical means available at the time the processing takes place.
Other statutes dealing with the processing of personal data, such as the Consumer Protection Code, the Wiretap Act, the Banking Secrecy Act, the Information Access Act and the Internet Act shall continue to apply, to the extent that they do not conflict with the LGPD.
ii Penalties for non-compliance
Violation of privacy rights gives rise to compensation for moral and direct damage. Non-compliance with the provisions of the LGPD may result in warning, mandatory disclosure of the data incident, deletion of personal data, temporary blocking and fines of up to 2 per cent of the infringing company's economic group net turnover in Brazil in the preceding fiscal year, limited to 50 million reais per violation.
iii General obligations for data handlers
The LGPD defines two categories of data handlers, the 'controllers' and the 'operators' (jointly referred to as 'processing agents'). Inspired by the definition of controllers and processors under the GDPR,5 the LGPD defines controllers as a 'natural person or legal entity, public or private, which is responsible for the decisions concerning the processing of personal data', and operators as a 'natural person or legal entity, public or private, which performs the processing of personal data on behalf of the controller'.
Processing agents, in any case, shall abide by the data processing principles set forth in the LGPD and adopt technical and organisational measures to protect personal data from data incidents.6
According to the LGPD, data controllers must: (1) define and document the legal basis for processing personal data (record of processing); (2) guarantee the implementation of mechanisms to comply with data subjects' rights; (3) report data breaches and security incidents to the DPA and, in some cases, to the affected data subjects; (4) perform privacy impact assessments (where required by the DPA); and (5) appoint a data protection officer, who will be in charge of handling personal data within the organisation.
In addition, data controllers shall make easily accessible to the data subject a fairly detailed privacy notice, stating clear, adequate and ostensive information on the purposes of the data processing; form and duration of the data processing; contact information of the controller; information regarding the shared use of personal data by the controller; responsibilities of the processing agents; and data subjects' rights.
If the privacy notice is drafted in such a way as to significantly reduce the privacy rights recognised by law, it may be deemed invalid. Even before the LGPD, Brazilian courts have systematically struck down privacy notice provisions that imply a waiver of all or substantially all of an individual's privacy rights.
There is no requirement for registration of databases in Brazil.
The LGPD also defines the mandatory reporting of data incidents, as further detailed below.
iv Specific regulatory areas
The Consumer Code establishes certain data protection rights to be observed in a consumer relationship, including the deletion of negative creditworthiness information older than five years and the rectification of data within five days.
Under the Internet Act, internet connection providers (i.e., those that offer telecommunications connectivity for internet access) cannot monitor or store any information concerning the use of the internet by their users. Internet connection providers are required to retain connection logs for a minimum period of 12 months. Connection logs must include the date, time and duration of an internet connection made by a certain IP address provided by the connection provider to the user.
Internet application providers (i.e., those that offer any kind of functionality to their users through the internet, such as social networks, e-commerce websites, etc.) shall store access logs for at least six months. In such cases, access logs must include the date, time and duration of connections to the internet application made by a certain IP address.
Under the Internet Act, express consent is always required for collecting data online. With the creation of the LGPD, we are of the opinion that the other lawful bases provided for in the new statute shall also apply to data collected online. Furthermore, the consent attributes shall be those approved by the LGPD and no longer those of the Internet Act. In other words, no express consent shall be required for data collected online once the LGPD becomes effective.
Information handled by public authorities
The Information Access Act governs the collection, use and processing of data by the federal government. This law also establishes rules and procedures by which citizens can request details of the information processed by public authorities.
Banking Secrecy Act
Financial institutions, such as banks, credit card administrators and the stock exchange must maintain strict confidentiality of financial transactions and financial information of their clients, pursuant to Complementary Law No. 105/01. The exchange of data between financial institutions for credit profiling and risk management is allowed in specific circumstances. Financial institutions shall report to relevant authorities any transaction they deem suspicious (under anti-money-laundering regulations), and such reporting shall not be considered a breach of confidentiality duties. Specific and detailed cybersecurity requirements are imposed on financial institutions, including specific limitations to contract data processing and cloud services (Central Bank Resolution 4,658/2018), the same applying to payment companies.
The Medical Ethical Conduct Code (Federal Council of Medicine, Resolution 1,931/2009) provides for certain rules on the protection of patients' information and medical records. A specific resolution issued by the Federal Council of Medicine governs the use of computer systems for storage, handling and retention of such data, authorising the replacement of paper with electronically stored information. In any case, with the enactment of the LGPD, the processing of sensitive data (which includes medical information) shall only occur on the basis expressly allowed by the LGPD.
Telephone or radio communications
The confidentiality of telephone and computer communications is protected by the Wiretap Act (Law 9,296/96) and the Telecommunications Act (Law No. 9,472/97). The access to and interception of telephone and telematics communications may only occur under the authority of a valid court order in criminal investigation proceedings. Pursuant to the Telecommunications Act, the use of clients' information can only be made for the purpose of delivering telecommunication services.
Employees are subject to data protection rights under the LGPD. Employers are allowed to process employees' data for the purposes of managing the employment relationship. The legal basis for processing may be compliance with a legal obligation, performance of a labour contract or the legitimate interest of the controller. Therefore, consent is not required for processing data relating to the management of the labour relationship, even in the case of sensitive data. Employee data may be used by the employer and transferred to other affiliated entities for the purpose of managing the employment relationship (for use by a centralised back office, HR-related activities, etc.), provided that the requirements for international transfers are observed.
Employers are allowed to monitor the use of equipment and IT systems offered by the employer, so employees should not expect privacy in such environments. The majority of legal scholars and most of the decisions rendered by the courts of appeals sustain this position. All equipment and devices provided by the employer to employees for the exercise of their functions within the company shall be deemed company property and therefore may be subject to surveillance. For companies that install their systems on employees' own devices (BYOD), we also believe that surveillance of such devices is possible to the extent that it focuses only on the employer's information. Finally, Brazilian laws do not restrict the use of video surveillance systems, provided that the recording is not performed in areas where any kind of embarrassment would be inflicted on the employee (e.g., cameras installed in bathrooms).
Marketing campaigns by email are likely to be deemed legitimate under the opt-in or 'soft opt-in' system, but shall always allow the data subject to opt-out from receiving such messages. The telecommunications regulators determined that mobile carriers are only allowed to send promotional messages to their users who have expressly accepted receiving them.
The Child and Adolescent Act (Law No. 8,069/1990) stipulates that the offer, exchange, delivery, transmission, distribution, publication or disclosure of photographs, videos or other materials containing explicit sex scenes or child pornography is a criminal activity, subject to a penalty of up to eight years of imprisonment. The LGPD adds further protection for children's personal data. Among other provisions, it determines that information should be provided to the child in a simple, clear and accessible manner, and that the processing agent shall use reasonable efforts to verify that consent was given by the child's legal representative.
Exercise of profession
Other federal statutes cover legal profession privilege, such as attorney–client privilege.
Brazil has new data protection legislation, which may significantly increase data subjects' rights and control over their data. While the protection of personal data is certainly positive in many instances, the law should not be interpreted in a way that materially impacts the development of new technologies that may bring important benefits to the country.
As such, the use of anonymised data should be encouraged, and the right to privacy shall be read in conjunction with other principles and values embraced by other laws and the Federal Constitution.
Section 2 of the LGPD states that innovation, economic and technological development and free enterprise constitute cornerstones of the new law. As a result, significant importance shall be given to the controller's legitimate interest in processing data, as well as to processing that meets public interest objectives (such as health, education, agriculture, smart cities and urban mobility, among many others). Many upcoming technologies in the space of IoT and artificial intelligence are boosting innovation and are instrumental to this technological revolution. Government and enforcement authorities should be aware that their actions may significantly impact the pace at which the country benefits from all such developments.
The key is to balance privacy rights with all other rights afforded to individuals and legal entities. No right should be interpreted on a stand-alone basis.
IV INTERNATIONAL DATA TRANSFER AND DATA LOCALISATION
The LGPD imposes certain requirements for international data transfer, which can only take place in the following circumstances:
- to countries with an adequate level of protection (to be determined by the DPA);
- through the use of standard contractual clauses, binding corporate rules, seals, certificates and codes of conduct approved by the DPA;
- upon specific consent of the data subject, with prior information on the international character of the operation;
- to comply with a legal or regulatory obligation;
- when necessary for the performance of a contract;
- for the protection of life and physical safety of the data subject or third party;
- for the regular exercise of rights in judicial, administrative or arbitral proceedings;
- when necessary for international legal cooperation between intelligence, investigation and prosecution authorities;
- when authorised by the DPA; and
- when necessary for the execution of public policy or compliance with the legal attribution of the public service.
Except for sector-specific regulations (e.g., applicable to the processing of government and financial data), Brazilian laws do not impose data localisation requirements.
V COMPANY POLICIES AND PRACTICES
With the enactment of the LGPD, private and public organisations will have to adjust their privacy policies and practices to become compliant with the new legal standards.
There are two different dimensions to this matter. One dimension is the customer-facing policies, which will have to be adapted to conform with the LGPD. Companies will have to determine whether their right to process data is compatible with the new law. This means investigating all lawful bases for data processing. Even when the processing is made on the basis of consent, one must ensure that the consent meets the requirements of being free, prior, informed and unequivocal. Where consent is not available, one should determine whether there is any other legal basis for processing data, such as the performance of a contract, compliance with law or even the controller's legitimate interest.
The data controller must record all decisions concerning the processing of data, and these records may be required by the DPA.
Conducting a privacy impact assessment is also advisable when any processing operation may pose a significant risk to the data subject, and notably when the basis for processing is the controller's legitimate interest. Privacy by design is also part of the LGPD, so companies should create new products, services or technologies applying the proper data processing principles (such as data minimisation, transparency, the rights of access and deletion of data, portability, etc.).
As far as data incidents are concerned, companies shall continuously train their personnel on the company's policies concerning data processing, confidential information, intellectual property rights and trade secrets, among other related matters.
VI DISCOVERY AND DISCLOSURE
An internet application provider shall only be compelled to disclose user access logs and information under the authority of a valid court order.7 Interception of telephone and internet communication may only occur in limited circumstances and by authority of a valid court order in the context of criminal investigation proceedings.
Brazilian judges have systematically held that Brazilian court orders must be complied with by the Brazilian subsidiaries of data controllers that actually process data outside Brazil. Frequently, the order is directed to local subsidiaries of internet service providers (ISPs) that do not host the requested information locally. These subsidiaries used to claim lack of procedural standing (as the information is held by the parent company) or that a formal recognition process (e.g., MLAT) should be adopted to allow such an order to produce effects outside Brazil. Although these arguments have been raised by several internet companies, they have been repeatedly rejected by Brazilian courts.
Therefore, the current trend is to impose the obligation on the entity that may have access to the requested information (and, therefore, has the means to deliver it), rather than on the entity considered to be the original data handler. The place where the information is actually hosted has largely become irrelevant as cloud computing solutions are increasingly adopted.
With the increased use of voice over internet protocol and messaging services protected by strong encryption, complying with interception or content disclosure orders has become more challenging. The increased number of requests for disclosure of metadata, on the other hand, has shown that other types of information may also be relevant for criminal prosecution purposes.
VII PUBLIC AND PRIVATE ENFORCEMENT
i Enforcement agencies
Until the creation of the DPA, no specific regulatory agency or public administrative body has been designated to regulate and enforce data privacy laws. Typically, investigations are initiated by the Public Prosecutor's Office, consumer protection authorities (such as PROCON) and other consumer protection associations. Administrative proceedings may be either civil or criminal, and may lead to the filing of civil or criminal public lawsuits, as the case may be. The administrative and judicial proceedings are subject to due process, so the defendant may put together an adequate defence and produce all evidence deemed important. Under the Consumer Laws, penalties are generally applied up to 10 million reais. Moral damages may also be imposed, and Brazilian courts generally award up to 1 million reais for these types of damages. The payment of such damages may be on top of individual claims. Under the Internet Act, violations of privacy rights may give rise to indemnification of up to 10 per cent of the infringing entity's net turnover in Brazil in the previous fiscal year. Under the LGPD, penalties may be imposed of up to 2 per cent of the Brazilian turnover of the infringing entity's economic group in the previous fiscal year. We are of the opinion that the same violation should not give rise to a double penalty. Therefore, if there is a violation of privacy rights, either the penalties of the Internet Act or the penalties under the LGPD should apply, but not both.
ii Recent enforcement cases
There are many administrative proceedings initiated against entities in Brazil, either with respect to data breaches or to alleged illegal processing. We already mentioned a decision issued by the Superior Court of Justice deeming invalid a consent for intercompany data sharing obtained by a major financial institution. Other high-profile cases not yet settled involved a major urban mobility app, one of the major sporting apparel e-commerce portals, and a major software company that was prevented from collecting data through the internet browser embedded by OEMs into computers. In another interesting case, the Department of Consumer Protection and Defence imposed a fine of 7.5 million reais for the adoption of geopricing techniques, by which consumers would pay different prices for equal services depending on the user's location.
iii Private litigation
Because Brazil is among the countries with the highest number of internet users, private litigation has been significantly increasing in recent years, fostered by technological developments and proliferation of websites and service providers, many of which are unaware of laws and regulations in Brazil. The most common private claims involve: indemnification for breach of privacy or provision of defective products or service (including lack of safety or proper warnings); user and content takedown; and supply of data by the offender (connection and access logs, which are used to identify individuals who may have committed offences through the internet).
VIII CONSIDERATIONS FOR FOREIGN ORGANISATIONS
The Internet Act and the LGPD establish that Brazilian law shall apply to any processing activity performed in Brazil, related to individuals located in Brazil or collected from a user located in the country. Brazilian law shall apply even if the service provider is domiciled abroad.
When the data controller is located abroad but holds a subsidiary in Brazil, this subsidiary will be recognised as having procedural standing in any claim (either initiated by an individual or by the consumer protection authorities). In the past, local subsidiaries used to argue that they lacked standing, as the servers are not in Brazil and they could not access them. The Brazilian judiciary has systematically denied this position, so raising this jurisdictional argument is ineffective and does not contribute to creating a positive reputation for a company.
IX CYBERSECURITY AND DATA BREACHES
Organisations processing personal data shall observe the cybersecurity requirements imposed by the LGPD. Data controllers and processors shall adopt technical and organisational measures to protect personal data from unauthorised access and from accidental or unlawful destruction, loss, change, communication, transmission, or any other occurrence resulting from inadequate or illegal data processing (a data incident). Except in limited circumstances, data incidents may trigger liabilities. The Consumer Code also provides that companies shall take all reasonable measures to offer safe and free-of-defect products and services. Therefore, if an organisation does not implement appropriate security measures (normally based on industry standards or best practices), a product or service may be deemed defective and trigger liabilities.
In addition, the LGPD requires data controllers and processors to adopt data protection measures from the conception of any new technology or product, which will require organisations to adopt a privacy by design approach.
Data incidents that may result in relevant risk or harm to individuals must be reported to the DPA8 within a reasonable time9 and, where required by the DPA or otherwise by law, to the affected data subjects.
The DPA does not prevent other cyber-related rules from being imposed by sectoral agencies, such as the Brazilian Central Bank with Resolution 4,658/2018.
With the approval of the LGPD, organisations will have to adapt their privacy policies, notices and internal processes to become compliant with the new legislation. Multinational organisations are likely to be subject to more than one regulatory regime on the matter, such as those that process data related to individuals located in Brazil and in the European Union, which will have to comply not only with the LGPD, but also with the GDPR. More awareness and protection of data subjects' rights and increasing enforcement action from Brazilian authorities are certainly expected in years to come.
1 Fabio Ferreira Kujawski is a partner and Alan Campos Elias Thomaz is an associate at Mattos Filho, Veiga Filho, Marrey Jr e Quiroga Advogados.
2 The LGPD is not applicable to processing activities (1) performed by natural persons, exclusively for private and non-economic purposes; (2) for journalistic, artistic and academic purposes; (3) for public and state security, and national defence purposes; (4) for investigation and prosecution of criminal offences; and (5) for data transiting through Brazil, without any processing in the country.
3 The principles of the LGPD are as follows: free access (free and easy consultation of data processing activities and their duration); transparency (clear, accurate and easily accessible information); purpose (processing must be carried out for legitimate, specific, explicit and stated purposes, and no further processing shall take place when incompatible with such purposes); adequacy (processing shall be compatible with the stated purpose); data quality (assurance that the data is accurate, clear, relevant and up to date); data minimisation or necessity (processing shall be limited to the minimum information necessary to achieve its purpose, using relevant, proportional and not excessive data); security (use of technical and administrative measures capable of protecting personal data from unauthorised access and from accidental or unlawful events of destruction, loss, alteration, communication or dissemination); prevention (adoption of measures to prevent the occurrence of damages); non-discrimination (processing should not be unlawful or discriminatory); and accountability (demonstration of effective measures for complying with the rules).
4 The lawful bases for processing sensitive data include: (1) consent; (2) compliance with a legal or regulatory obligation; (3) regular exercise of rights, including in contract and in judicial, administrative and arbitral proceedings; (4) protection of life or physical safety of the data subject or third party; (5) protection of health, in proceedings carried out by health professionals or by health entities; (6) when necessary to guarantee the prevention of fraud and safety of the data subject, in the process of identification and authentication in registries of electronic systems; (7) by the public administration, for shared processing of data necessary for the performance of public policies set forth in law or regulation; and (8) by research bodies, to carry out studies, guaranteed, wherever possible, the anonymisation of data.
5 In the GDPR, 'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; and 'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
6 A data incident may be understood as 'unauthorised access and accidental or unlawful destruction, loss, change, communication, transmission, or any other occurrence resulting from inadequate or illegal processing'.
7 One exception to this rule relates to the rights of police authorities and prosecutors to request limited information (such as name, ID number, address and parents' name of an individual) without a court order.
8 Specific information needs to be provided, including, at least: (1) a description of the data and individuals affected; (2) the risks related to the data incident; (3) the reasons why the notification to the DPA has been delayed, if applicable; and (4) the technical and security measures taken to protect the data, and the measures that were or will be taken to revert or mitigate the effects of the data incident.
9 Unlike the GDPR, there is no particular deadline for notification (e.g., 72 hours). In any case, it cannot be unreasonably delayed and the DPA or any further decree may impose a maximum reporting time frame.