I OVERVIEW

The concept and protection of privacy is not an innovation in Brazil. The privacy, private life, honour, and image of individuals were considered inviolable as well as a fundamental right by the Brazilian Federal Constitution of 1988 (the Brazilian Federal Constitution).2

After many years of legislative discussions, in 2018, the Brazilian General Data Protection Act (Law No. 13,709/2018 – LGPD) was enacted.3 This law is considered the most important data protection law in our jurisdiction, and represents a big advance and an important step for Brazil, to guarantee the protection of individuals, define limits to data processing for companies and enable the expansion of Brazil's digital economy.

The LGPD is not yet in force, owing to the covid-19 pandemic and a legislative race that will be addressed further on in this chapter.

The rights given in Article 5 of the Federal Constitution are classified as fundamental rights. As described above, privacy is considered a fundamental right, but data protection is not included in this list, even though there is a legislative initiative – a constitutional amendment proposal – to insert data protection as a constitutional fundamental right (PEC No. 17/19)4 that is currently being voted on in the House of Representatives.

II THE YEAR IN REVIEW

The covid-19 pandemic emphasised the exponential growth of technology in people's daily lives, in companies' activities, governmental roles and in the fight against coronavirus. Suddenly, the entire world found itself in social isolation and witnessed the collapse of the health system. In this scenario, technology was an important ally in the practice of medicine, in the home office, in online education and in relationships as a whole.

Brazil was no different: the country saw a multitude of new technological solutions, legislative proposals, and executive and judicial demands. These technological solutions raised privacy and data protection issues, given the lack of a specific law in force in Brazil.

In early 2020, the LGPD was expected to come into force on 14 August, though there were already some draft laws5 that intended to postpone this date because of difficulties in implementing the provisions and economic reasons. With the advent of the pandemic, the scenario changed and a legislative race began in Brazil, between two different power initiatives: Bill No. 1,179/2020,6 proposed by the National Congress (the Federal Senate) and Provisional Measure No. 959,7 enacted by the Presidency of the Republic. Both proposals brought different dates for the validity of the LGPD.

Bill No. 1,179 was approved and converted into Law No. 14,010/2020,8 and the administrative sanctions that the LGPD foresees in its Articles 52, 53 and 54 will come into force only in August of 2021. Concerning the remaining legal text, for now, it will come into force in May of 2021, taking Provisional Measure No. 959 into consideration.

Also, in April 2020, the Brazilian President enacted Provisional Measure No. 954,9 which provides that telecommunications companies shall disclose their customers' personal data to the Brazilian Institute of Geography and Statistics (IBGE), to support official statistics regarding social isolation during the public health emergency of international importance due to covid-19. In response, the Federal Council of the Brazilian Bar Association,10 followed by four political parties,11 submitted to the Supreme Federal Court (STF) a Direct Unconstitutionality Action arguing that the provisional measure infringes the constitutional and fundamental right to privacy. On 7 May 2020, the STF decided12 to suspend the validity of Provisional Measure No. 954, recognising the overruling of the privacy principle and fundamental guarantees and highlighting the need to balance crucial measures to face covid-19 and the individual's rights and freedoms such as privacy. The court also considered that this Provisional Measure could cause irreparable damage to citizens. Provisional Measure No. 954 still awaits a vote in the National Congress, pending a final decision by the STF.

III REGULATORY FRAMEWORK

i Privacy and data protection legislation and standards

The Brazilian Federal Constitution establishes the inviolability of its people's privacy, private life, honour and image as fundamental rights. Besides this, the right to compensation for property or moral damages resulting from their violation is ensured.13

Also, Brazil has a civil regulatory framework for use of the internet: Law 12,965/201414 (the Brazilian Internet Law), which establishes principles, guarantees, rights and obligations for the use of the internet in Brazil. Decree 8,771 of 11 May 201615 establishes procedures related to data retention and protection by connection and application providers, and points out transparency and enforcement measures concerned with personal data and private communications.

Besides this, Brazil has enacted the LGPD, which provides for the processing of personal data, including in digital media, by a natural person or legal entity of public or private law, with the purpose of protecting the fundamental rights of freedom and privacy and free development of the personality of the natural person.

The LGPD16 contains core definitions related to data protection, such as:

  1. personal data: information regarding an identified or identifiable natural person;
  2. sensitive personal data: personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organisation membership, data concerning health or sex life, genetic or biometric data, in relation to a natural person;
  3. data subject: a natural person to whom the personal data that are the object of processing refer;
  4. controller: natural person or legal entity, of public or private law, that has the competence to make the decisions regarding the processing of personal data; and
  5. processor: natural person or legal entity, of public or private law, that processes personal data in the name of the controller.

Furthermore, there are other sectoral laws related to the privacy and protection of personal data, including, but not restricted to:

  1. Law No. 8,078/199017 (the Consumer Protection Code), which sets out data protection principles in consumer relations;
  2. Law No. 9,472/199718 (the Telecommunications Act), which guarantees measures related to privacy and protection of personal data of telecommunication services users;
  3. Law No. 10,406/200219 (the Civil Code), which grants the inviolability of the private life of the natural person; and
  4. Law No. 12,414/201120 (the Positive Credit Registry Act), which is responsible for the formation and consultation of databases with data on credit history, of natural or legal persons.

ii General obligations for data handlers

Under the LGPD,21 processing agents have a duty to process personal data for legitimate, specific, explicit and informed purposes for the data subject. Also, the processing must be compatible with the purpose communicated to the data subject and limited to the minimum necessary to achieve its purposes. Other duties relate to an assurance of easy consultation by data subjects about the processing, with clear and precise information, in addition to ensuring the accuracy, clarity, relevance and updating of the personal data processed. Also, processing agents must use technical and administrative measures that are able to protect personal data from unauthorised accesses and accidental or unlawful situations and must adopt measures to prevent the occurrence of damages due to the processing of personal data.

Processing agents are obliged to have one of the following legal bases22 for processing personal data:

  1. consent of the data subject;
  2. compliance with a legal or regulatory obligation by the controller;
  3. processing and shared use of data necessary for the execution of public policies provided in laws or regulations;
  4. carrying out studies by research entities, ensuring, whenever possible, the anonymisation of personal data;
  5. when necessary for the execution of a contract or preliminary procedures related to a contract of which the data subject is a party, at the request of the data subject;
  6. regular exercise of rights in judicial, administrative or arbitration procedures;
  7. protection of life or physical safety of the data subject or third party;
  8. protection of health, in a procedure carried out by health professionals or by health entities;
  9. when necessary to fulfil the legitimate interests of the controller or third party;
  10. protection of credit; and
  11. ensuring the prevention of fraud and the safety of the data subject, in processes of identification and authentication of registration in electronic systems.

iii Data subject rights

The LGPD establishes in its Chapter III the systematisation of the rights of data subjects, which can be exercised at any time and upon express request of the data subject, or his or her legally constituted representative. The processing agent shall respond to the request at no cost to the data subject, within the periods and under the terms provided in regulation, pursuant to Article 18, paragraph 5 of the LGPD. Among other things, the LGPD provides for the rights to:

  1. confirmation of the existence of the processing;
  2. access to data and information concerning the processing of data subjects, which must be made available in a clear, adequate and ostensible manner;
  3. correction of incomplete, inaccurate or outdated data;
  4. anonymisation, blocking or erasure of unnecessary or excessive data or data processed in non-compliance with the provisions of LGPD;
  5. portability of the data to another service or product provider, through an express request and subject to commercial and industrial secrecy;
  6. erasure of the personal data processed with the consent of the data subject, when permissible; and
  7. information about public and private entities with which the controller has shared data.23

iv Specific regulatory areas

In addition to the LGPD, Brazil has other regulations and laws that address the issue of data protection in specific sectors.

In the financial sector, Resolution No. 4,658/2018 issued by the Brazilian Central Bank (BACEN)24 provides that the financial institutions shall adopt procedures that take into account the quality of the access controls aimed at protecting the data and information of the institution's customers, issuing requirements for the contracting of processing services and data storage.

In the marketing sector, there is a Self-Regulatory Code for E-mail Marketing Practice (CAPEM),25 created by diverse entities, which issues guidelines for email marketing practices.

The Superintendence of Private Insurance issued Resolution 382 in March 2020,26 listing the protection of personal data as one of the principles to be adopted by insurance companies, capitalisation companies, open private pension entities and their intermediaries.

The National Agency for Supplementary Health Services enacted Act No. 443/19,27 which provides for the adoption of minimum corporate governance practices, with an emphasis on internal controls and risk management, for the purposes of solvency of healthcare plan operators.

v Technological innovation

Developers of new technologies must incorporate privacy and data protection in their design. The concept of privacy by design is based on the LGPD principles that ensure technical, administrative and security measures to protect personal data, as well as the effectiveness of such measures in observance of personal data protection rules.

Behavioural advertising

Although there is no specific legislation, the Consumer Protection Code28 contains provisions that grant overall consumer protection against fraudulent and abusive advertising, coercive or unfair commercial methods, as well as against unfair or imposed practices and terms in the supply of products and services. Also, there is a Code of Self-Regulation that addresses email marketing practices (CAPEM). Besides this, the Internet Management Committee in Brazil (CGI.br) has developed a website that contains guidelines for best practices to inform the user and network administrator about spam, its implications and ways to protect against and combat it.29 Furthermore, the Brazilian Advertising Self-regulation Code30 regulates the ethical rules applicable to advertising and propaganda.

Facial recognition and biometrics

Although there is no specific regulation of facial recognition technologies, there is a series of legislative bills pending in the legislative houses, such as Bill No. 4,612 of 2019,31 which provides for the development, application and use of facial and emotional recognition technologies, as well as other digital technologies designed to identify individuals and predict or analyse behaviours.

Artificial intelligence

At the beginning of 2020, a request for a public hearing on artificial intelligence was approved by the Commission of Science, Technology, Innovation, Communication and Informatics. The objective is to inform deliberation on two bills: one of these introduces the National Policy on Artificial Intelligence (Bill No. 5,691/2019)32 and the other sets out the principles for the use of artificial intelligence in Brazil (Bill No. 5,051/2019).33

IV INTERNATIONAL DATA TRANSFER AND DATA LOCALISATION

The Brazilian Internet Law, in its Article 11, provides that in any operation of collection, storage, retention and processing of personal data or communications data by connection providers and internet application providers, where at least one of these acts takes place in the national territory, Brazilian law must be mandatorily respected, including with regard to the rights to privacy, protection of personal data and secrecy of private communications and logs.

Paragraphs 1 and 2 of Article 11 establish that the provision applies to data collected in the national territory and to the content of the communications in which at least one of the terminals is placed in Brazil, even if the activities are carried out by a legal entity located abroad, provided that it offers services to the Brazilian public, or at least one member of the same economic group is established in Brazil.

In a similar way, the LGPD34 applies to any processing operations carried out by a natural person or a legal entity of public or private law, irrespective of the means, the country in which its headquarters are located or the country where the data are located, provided that:

  1. the processing operation is carried out in the national territory;
  2. the purpose of the processing activity is to offer or provide goods or services or the processing of data of individuals located in the national territory; or
  3. the personal data being processed were collected in the national territory.

The LGPD's Article 33 provides that international transfer of personal data to foreign countries or international organisations of which the country is a member is only allowed when:

  1. it is to countries or international organisations that provide a level of protection of personal data that is adequate to the LGPD's provisions;
  2. the controller offers and proves guarantees of compliance with the principles and the rights of the data subject and the regime of data protection provided by the LGPD, in the form of:
    • specific contractual clauses for a given transfer;
    • standard contractual clauses;
    • global corporate rules; or
    • regularly issued stamps, certificates and codes of conduct;
  3. the transfer is necessary for international legal cooperation between public intelligence, investigative and prosecutorial agencies, in accordance with the instruments of international law;
  4. the transfer is necessary to protect the life or physical safety of the data subject or a third party;
  5. the national authority authorises the transfer;
  6. the transfer results in a commitment undertaken through international cooperation;
  7. the transfer is necessary for the execution of a public policy or legal attribution of public service, which shall be publicised;
  8. the data subject has given their specific and highlighted consent for the transfer, with prior information about the international nature of the operation, with this being clearly distinct from other purposes; or
  9. it is necessary for the controller to comply with a legal or regulatory obligation, for the execution of a contract or preliminary procedures related to a contract of which the data subject is a party (at the request of the data subject) or for the regular exercise of rights in judicial, administrative or arbitration procedures.

The level of data protection in the foreign country or international organisation shall be evaluated by the Brazilian National Authority (ANPD). Furthermore, the definition of the content of standard contractual clauses, as well as the verification of specific contractual clauses for a particular transfer, global corporate rules or stamps, certificates and codes of conduct will be carried out by the ANPD.

V COMPANY POLICIES AND PRACTICES

Article 50 of the LGPD suggests that data controllers and processors should create standard data protection policies and procedures in order to mitigate liability. Article 51 of the LGPD also provides that, in the future, the ANPD should establish technical standards in connection with data privacy issues. Nonetheless, it is considered the best practice for companies (also in order to mitigate liability) to have a broad number of policies and procedures in place for compliance purposes, as set out below:

  1. a data privacy policy, which regulates data processing by the company. There may be two different policies in place: one about data protection in general (relating to customers, clients, etc.) and another specifically related to data protection inside the company (regarding the company's employees, which should provide training mechanisms, for example). The rules established by this policy have to comply with all the rules provided by the LGPD and the Brazilian Internet Law, as applicable;
  2. an information security policy and an information and communications technology policy, which establish internal rules for the use of technology devices (computers, mobiles, etc.), cybersecurity standards and guidelines, among other provisions;
  3. specific policies related to areas that usually process a lot of personal data (e.g., human resources departments, with guidelines on the processing of personal data of candidates pre-hire, during the admission phase and during the employment relationship);
  4. an employees' monitoring policy, establishing terms, conditions and limits for monitoring employees and their work tools;
  5. a 'bring your own device' policy, regulating the terms and conditions in the case of employees using their own devices for work activities;
  6. privacy policies and terms of use for the company websites;
  7. a cookies policy; and
  8. a data breach policy and response plan to set forth company procedures in the event of a data security breach, among other things.

VI DISCOVERY AND DISCLOSURE

The Brazilian Internet Law establishes rights and guarantees for all users of the internet in Brazil, such as the inviolability and confidentiality of the flow of users' communications through the internet and their stored private communications, except by a court order.

According to Article 22 of the aforementioned Law, any interested party may request a judge to order the entity responsible for keeping the records to provide the connection or access logs to internet applications, for the purpose of creating evidence in civil or criminal legal procedures. This request should contain, under penalty of inadmissibility:

  1. justified evidence of the occurrence of the offence;
  2. motivated justification of the usefulness of the requested records for investigation; and
  3. the period of time to which the records correspond.

It is important to highlight that the judge needs to take the necessary measures to ensure confidentiality of received information, as well as the preservation of intimacy, private life, honour and image of the data subject. The judge may determine the secrecy of justice,35 including with respect to requests for record retention.

Furthermore, the Brazilian Code of Criminal Procedure (Law No. 3,689/1941)36 states that judges may request information, including personal data, during criminal investigations and criminal proceedings. Pursuant to Article 3-B, XI, items (a) and (b), examining judges have the power to decide on requests to disclose personal data of users of electronic communications services, including internet, email, telephone and financial data.

Regarding the interception of telephone communications, this may be determined for evidence in criminal investigations and proceedings by the examining judge, ex officio or upon request of the competent police authority or the representative of the public prosecution. The interception should comply with the provisions of Law No. 9,296/1996,37 and will depend on an order of the competent judge of the main action,38 under the secrecy of justice.

VII PUBLIC AND PRIVATE ENFORCEMENT

i Enforcement agencies

The ANPD was created by Law No. 13,853/2019,39 and is an entity that is a part of the federal public administration, pertaining to the Presidency of the Republic. According to Article 55-J of the LGPD, the ANPD has the following duties, among others:

  1. to prepare guidelines for the National Policy for the Protection of Personal Data and Privacy;
  2. to supervise and apply sanctions in the case of processing of data carried out in violation of legislation, through an administrative process that ensures to the adversary broad defence and the right to appeal;
  3. to promote in the population the knowledge of the norms and public policies on the protection of personal data and security measures;
  4. to promote cooperation actions of an international or transnational nature with personal data protection authorities of other countries; and
  5. to edit simplified and differentiated rules, guidelines and procedures, including deadlines, so that micro and small companies, as well as incremental or disruptive business initiatives that self-declare as startups or innovation companies, can adapt to the LGPD.

However, the ANPD is not yet operating. Some small steps were taken after its creation, such as the nomination of a few members, but the ANPD has not been fully formed and is not in operation.

It is important to mention that other government authorities are acting on behalf of the data protection principles, although the LGPD is not in force. To illustrate that, the major consumer defence body in Brazil (Procon) and public prosecution (Special Unit of Data Protection and Artificial Intelligence – Espec)40 are notifying, investigating and even applying fines41 to companies that act in an unlawful or abusive manner, based on other laws, such as the Brazilian Consumer Code.

ii Recent enforcement cases

Considering that Brazil does not have a General Data Protection Act in force yet and the National Authority is not operational either, no fine has been imposed by the ANPD.

However, other agencies have already imposed fines, on the grounds of sectoral legislation. In this regard, in August 2019, Google and Apple were fined close to 18 million reais by Procon.SP, owing to abusive clauses in the terms of use and privacy policy of the FaceApp application, which were also available only in English, in violation of consumer rights.42

In the same year, another significant case resulted in a fine being imposed by the Consumer Protection and Defence Authority on Facebook for improperly sharing data from 443,000 Brazilian users in the Cambridge Analytica case.43

Besides that, the Brazilian judiciary provided recent enforcement cases related to privacy and data protection, such as Provisional Measure 954. In May 2020, the Federal Supreme Court granted a writ of prevention suspending the effectiveness of Provisional Measure 954 on data sharing of telecommunication users with the IBGE for the production of official statistics during the pandemic of the new coronavirus. The trial contributed to the expansion of debates on the acknowledgment of the fundamental right to personal data protection in the Brazilian jurisdiction.44

iii Private litigation

Before resorting to judicial remedies, interested parties and authorities may seek administrative remedies for breaches of privacy and data rules. The LGPD provides for the data subject's right to petition, regarding their data, before the ANPD.

Furthermore, the Brazilian Federal Constitution45 provides that the right to judicial assistance is a fundamental guarantee for individuals, as it is universal, inalienable, unavailable, and unwavering.

In civil proceedings, liability under Brazilian law is subjective, and the data subject must prove the unlawful conduct (by an act or an omission), the damage and the causal link. In consumer-related cases, the law provides that the agent is subject to strict liability, with more restricted liability exceptions in these cases.

The LGPD provides that the controller or processor that, as a result of carrying out the activity of processing personal data, causes material, moral, individual or collective damage to third parties, in violation of legislation for the protection of personal data, is obligated to redress it.46

The LGPD also provides that the judge, in a civil lawsuit, may reverse the burden of proof in favour of the data subject when, at its discretion, the allegation appears to be true or when production of evidence by the data subject would be overly burdensome. Lawsuits for compensation for collective damages may be filed collectively in court, subject to the pertinent legislation.47

Regarding class actions, collective interests are mostly regulated by the Brazilian Law of Public Civil Action (Law No. 7,347/1985),48 which foresees the protection of diffuse and collective interests related to the environment, the consumer, goods and rights of artistic, aesthetic, historical, tourist and landscape value, among other goods and rights listed in its article.

VIII CONSIDERATIONS FOR FOREIGN ORGANISATIONS

As per its Article 3, the LGPD shall apply to any data processing operation performed by any person or entity, public or private, provided that the processing operation is carried out in Brazilian territory; the processing operation entails the offer or provision of goods or services to, or the processing of data of, individuals located in Brazil; or the data were collected within Brazilian territory.

Thus, in general, all foreign companies that process, in any way, personal data from Brazilian individuals should comply with the LGPD. Also in this regard, the Brazilian Internet Law had a very similar provision (Article 11), which resulted in the same conclusion.

These provisions were expressly included in such laws because in the past there were many judicial discussions involving the data processing of Brazilian individuals occurring abroad. Some foreign companies tried to avoid the enforcement of Brazilian laws and judicial orders, arguing that the data processing was performed outside Brazil. To avoid this kind of problem, these recent legal provisions reiterate that any action involving personal data from Brazilian subjects or from individuals located in Brazil shall trigger the application of Brazilian laws.

IX CYBERSECURITY AND DATA BREACHES

The Brazilian Internet Law provides that the discipline of internet use in Brazil should preserve the stability, security and functionality of the network, via technical measures consistent with international standards and by encouraging the use of best practices. Decree No. 8,771/2016, which regulates the Internet Law, also establishes some guidelines on security standards that connection and application providers must observe when processing personal data and private communications, such as strict control over access to data, authentication mechanisms for access to records, inventories of access to records and use of record management solutions such as encryption or equivalent measures.

Furthermore, the LGPD49 provides that processing agents shall adopt technical and administrative security measures, and be able to protect personal data from unauthorised access and accidental or unlawful situations of destruction, loss, alteration, communication or any type of improper or unlawful processing.

Besides the general provisions of the Brazilian Internet Law and the LGPD, there are several sectoral laws and regulations concerning cybersecurity requirements for specific regulated sectors, including:

  1. Resolution No. 4,658/2018 of BACEN, which provides for cybersecurity policy and the requirements for hiring data processing and storage services and cloud computing to be observed by financial institutions and other institutions authorised to operate by BACEN;
  2. Ordinance 271/2017,50 which provides the Information Security and Communications Policy of the Ministry of Health; and
  3. Ordinance 1,966/18,51 which defines information and communication security standards within the Ministry of Health.

Also, in the public sector:

  1. Decree No. 9,637/2018 approves the National Information Security Policy52 within the federal public administration, to ensure the availability, integrity, confidentiality and authenticity of information at national level; and
  2. Decree No. 10,222/2020 approves the National Strategy of Cybersecurity (E-Ciber),53 a government plan on the main actions, nationally and internationally, that it intends to apply in the cybersecurity area.

Regarding data retention, there are no specific time periods provided; however, the LGPD54 establishes that the ANPD may provide standards in relation to the retention period of records, especially considering the need for the data and for transparency to the data subjects. Also, there are many diverse specifications related to the retention period of records in sectoral laws, such as the legal obligation of storage of connection records by connection providers for one year and the storage of access records by application providers for six months, according to the Brazilian Internet Law,55 for example.

As regards data breach reporting requirements, the LGPD56 establishes that the controller should communicate to the ANPD and the data subject the occurrence of any security incident that may cause risk or relevant harm to data subjects. This activity may be executed by the data protection officer (DPO), as the DPO is the person indicated by the controller to act as a communication channel between the controller, the data subjects and the ANPD. This notification should be made in a reasonable period of time (which will be defined by the ANPD in the future) and should contain, at a minimum:

  1. a description of the nature of the affected personal data;
  2. information on the data subjects involved;
  3. an indication of the technical and security measures used to protect the data, subject to commercial and industrial secrecy;
  4. the risks related to the incident;
  5. the reasons for delay, in cases in which the communication was not immediate; and
  6. measures that were or will be adopted to reverse or mitigate the effects of the damage.

Finally, the Computer Emergency Response Team Brazil (CERT.br) presents guidelines and recommendations for the notification of security incidents, what to notify, who to notify and formats for the notification, among other instructions.57

X OUTLOOK

The entry into force of the EU's General Data Protection Regulation (GDPR)58 in 2018 contributed to the endorsement of the LGPD in the same year in Brazil, in the same way as it has already had a significant impact on Brazilian companies that process the personal data of persons located in the European Union, or that transfer data internationally. In this regard, the free flow of data between EU countries and Brazil is conditioned by the level of adequacy of data protection, which must be similar to the one in the EU. Furthermore, Brazilian companies have been conducting adaptation projects to comply with the data protection legislation, through the adoption of best practices for processing personal data grounded on LGPD authoritative hypotheses and personal data protection principles.

The entry into force of the Brazilian General Data Protection Act, as well as the establishment of the National Authority, are expected in the near term.


Footnotes

1 Ricardo Barretto Ferreira is a senior partner, Lorena Pretti Serraglio and Juliana Gebara Sene Ikeda are senior associates and Isabella de Castro Satiro Aragão, Camilla Lopes Chicaroni and Beatriz Canhoto Lima are associates at Azevedo Sette Advogados. The authors would like to thank the following for contributing to this chapter: Danielle Chipranski Cavalcante and Juliana Petrella Hansen, senior associates, and Camila Sabina Del Sasso, associate, at Azevedo Sette Advogados.

2 Brazilian Federal Constitution of 1988 (CF/1988). Available at: http://www.planalto.gov.br/ccivil_03/constituicao/constituicao.htm.

3 Brazilian General Data Protection Act (Law No. 13.709/2018). Available at: http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/L13709.htm.

4 Proposal of Constitutional Amendment No. 17/2019. Available at: https://www.camara.leg.br/propostas-legislativas/2210757.

5 Bill No. 5.762/2019, available at: https://www.camara.leg.br/propostas-legislativas/2227704; and Bill No. 6.149/2019, available at: https://www.camara.leg.br/propostas-legislativas/2230582.

9 Provisional Measure No. 954/2020. Available at: http://www.planalto.gov.br/CCIVIL_03/_Ato2019-2022/2020/Mpv/mpv954.htm.

10 Direct Unconstitutionality Action No. 6387. Available at: http://portal.stf.jus.br/processos/detalhe.asp?incidente=5895165.

13 Article 5, X, of Brazilian Federal Constitution.

16 Article 5 of LGPD.

17 Law 8.078/1990. Consumer Protection Code. Available at http://www.planalto.gov.br/ccivil_03/leis/l8078.htm.

18 Law 9.472/1997. Telecommunications Act. Available at http://www.planalto.gov.br/ccivil_03/leis/l9472.htm.

19 Law 10.406/2002. Civil Code. Available at http://www.planalto.gov.br/ccivil_03/leis/2002/l10406.htm.

20 Law 12.414/2011. Positive Credit Registry Act. Available at http://www.planalto.gov.br/ccivil_03/_ato2011-2014/2011/lei/l12414.htm.

21 Article 6 of LGPD.

22 Articles 7 and 11 of LGPD.

23 Article 18 of LGPD.

25 Self-Regulatory Code for E-mail Marketing Practice. Available at: https://abemd.org.br/codigo-de-autorregulamentacao-para-pratica-de-e-mail-marketing.

26 Superintendence of Private Insurance. Resolution No. 382/2020. Available at: http://www.in.gov.br/web/dou/-/resolucao-n-382-de-4-de-marco-de-2020-247020888.

27 National Agency for Supplementary Health Services. Act No. 443/19. Available at: http://www.ans.gov.br/component/legislacao/?view=legislacao&task=TextoLei&format=raw&id=MzY3MQ==.

28 Chapter III: Basic Consumer Rights, of Consumer Protection Code.

29 Anti-Spam Working Committee (CT-Spam). Available at https://www.antispam.br/index.html.

30 Brazilian Advertising Self-regulation Code. Available at http://www.conar.org.br/codigo/codigo.php.

31 Legislative House. Bill No. 4612 of 2019. Available at https://www.camara.leg.br/proposicoesWeb/fichadetramitacao?idProposicao=2216455.

32 Federal Senate. Bill No. 5,691/2019. Available at https://www25.senado.leg.br/web/atividade/materias/-/materia/139586.

33 Federal Senate. Bill No. 5,051/2019. Available at https://www25.senado.leg.br/web/atividade/materias/-/materia/138790.

34 Article 3 of LGPD.

35 'Secrecy of justice' refers to a situation in which judicial procedures or police investigations, usually available to the public, are kept under secrecy. This usually happens when there is a risk of exposure of private information related to the defendant or the person under investigation; or when the procedure has confidential documents, such as bank statements or phone tapping, for example.

37 Law No. 9,296/1996. Available at: http://www.planalto.gov.br/ccivil_03/LEIS/L9296.htm.

38 The 'main action' is the action in the procedure that brings the main purpose of the litigation. This main action is independent, i.e., it exists by itself.

40 Brazilian Special Unit of Data Protection and Artificial Intelligence. Available at: https://www.mpdft.mp.br/portal/index.php/conhecampdft-menu/nucleos-e-grupos/espec.

42 For additional information about the case, access: https://www.procon.sp.gov.br/aplicativo-de-envelhecimento-2/.

43 For additional information about the case, access Consultor Jurídico Journal, available at: https://www.conjur.com.br/2019-dez-30/governo-multa-facebook-compartilhamento-dados.

44 For additional information about the case, access: http://www.stf.jus.br/portal/cms/verNoticiaDetalhe.asp?idConteudo=442902.

45 Article 5, XXXV, of Brazilian Federal Constitution.

46 Article 42, caput of LGPD.

47 Article 42, Sections 2º and 3º of LGPD.

48 Brazilian Law of Public Civil Action (Law No. 7.347/1985). Available at: http://www.planalto.gov.br/ccivil_03/leis/l7347orig.htm.

49 Article 6, VII of LGPD.

54 Article 40 of LGPD.

55 Article 15 of Brazilian Internet Law.

56 Article 48 of LGPD.

57 Computer Emergency Response Team Brazil. Available at: https://www.cert.br/docs/whitepapers/notificacoes/.

58 EU's General Data Protection Regulation. Available at: https://gdpr-info.eu/.