My Data, My Rules. An Overview of Data Protection in Brazil 

January, 2017 - Fabio Luiz Pereira

Data can be one of a business’s most valuable assets. Market players such as Facebook, Uber, Airbnb and Twitter were built almost entirely on data. Because of the increase in data tracking techniques, countries, companies, and individuals are more and more concerned with how their data – private or professional – is being collected, stored, processed, and transferred.

Data protection is about safeguarding an individual’s fundamental right to privacy, which is enshrined in international laws and conventions. Individuals, citizens, and consumers need to have effective means to exercise their right to privacy and protect themselves and their information from abuse.

Unfortunately, although there have been important developments in data protection, our society still struggles to understand the relevance of the matter because data protection is often in early stages of development in some jurisdictions. Brazil, for instance, is often left out of global projects involving personal data because it lacks specific legislation and is considered to be without an adequate level of data protection.

Laws on data privacy are extremely important not only to consumers, but also to companies because they tend to increase the legal certainty in commercial relationships, mitigate the risk of business activities, and facilitate new businesses and partnerships. The purpose of these regulations is to vest citizens with the basic rights regarding the use of their personal information, enabling greater control over the collection of such information, whether located in the national territory or in servers abroad.

In Brazil, even though there is no specific privacy or data protection law, personal data is protected under the general terms of the Brazilian Federal Constitution, the Brazilian Civil Code (Law No. 10,406/2002), the Brazilian Consumer Defence Code (“CDC” - Law No. 8,078/1990), the Brazilian Internet Act (Law No. 12,965/2014) and its Regulating Decree (Decree No. 8,771/2016).

The Brazilian Federal Constitution sets forth general principles that protect the privacy and confidentiality of personal information and communications. Accordingly, it provides for the right to intimacy, privacy, honour, and image of individuals, which shall not be violated. The Constitution also establishes that individuals have the right to consult any information about themselves and to request amendments to keep their data accurate at all times. Violation of the above rights entitles the individual (data subject) to indemnification for moral and material damages.

Additionally, based on Law No. 12,965/2014 (“the Internet Act”), which sets forth a legal framework for regulating the internet in the country, internet users shall be guaranteed, among other guarantees, the non-violation of their intimacy and private life, and the non-violation and secrecy of their communications over the internet and stored private communications. The Internet Act does not provide which types of personal information may be collected from users. Generally, information customarily collected and processed in Brazil include names, addresses, dates of birth, I.D. numbers, preferences in relation to a specific industry, tastes, hobbies, etc.

Concerning the proposed regulations currently under discussion in Brazil, it is worth mentioning the Bill of Law on Personal Data Protection (Bill of Law No. 5,276/2016), which aims at regulating the processing of personal data by the government, individuals, companies, and other organizations.

The Bill lists a series of principles that shall be observed in data processing, in addition to the general principle of good faith, such as purpose, necessity, transparency, security and non-discrimination. Consent is a key element of the Bill and data subjects must have easy access to information about the treatment of their own data, which shall be done in a clear, adequate and purposeful way.

Finally, the Bill has a special section dedicated to the creation of the National Counsel of Data and Privacy Protection, an official authority responsible for the progressively adequacy of current databases to the Bill’s requirements.

Voting and approval of the aforementioned Bill is anticipated to occur later this year. The society in general, companies and the government are optimistic about having a more definitive regulation on privacy and data protection, since this is a subject of high relevance from a commercial standpoint and Brazil, as an important market player, is expected to enact a strong data protection framework, assuming its leading role in Latin America.

 

MEMBER COMMENTS

WSG Member: Please login to add your comment.

dots