Brazil has passed Law 13,709/18 on personal data protection.
It contains rules for both the public and private sectors regarding the collection, processing, treatment, and sharing of personal data.
Recently, however, the President of the Republic vetoed several provisions of the bill passed by the National Congress. Among the vetoes: the creation of a regulatory agency for personal data protection (Articles 55 to 59); the rules on data sharing between the public sector and private companies (Article 23, item II; Article 26, paragraph 1, item II; and Article 28); and the sanctions of complete or partial suspension of the operation of the database, suspension of the exercise of personal data processing activity, and partial or complete prohibition of exercising any activity related to data processing (Article 52, items VII, VIII, and IX). We examine these vetoes further on in this text.
The law on the protection of personal data responds to the evolution of technologies built on digital platforms, big data, artificial intelligence, and machine learning.
Legislative regulation of this matter is critical because corporate self-regulation has not been enough to resolve the complex issues related to personal data protection.
An illustration of this is the scandal involving Facebook and the company Cambridge Analytica, concerning the improper collection of the data of millions of users of that social network, as well as of third parties' personal data.
In the United States, there was also news of a lawsuit against Google over the unlawful tracking of millions of iPhone and Android users. According to the lawsuit, Google kept recording users' locations even after they had turned off the Location History setting. The plaintiff argues that this business practice violates the privacy laws of the State of California. It is a typical case of personal data protection and privacy.
The media also frequently report on breaches of personal databases held by public authorities and private companies, and on the leaking of the data they contain.
In Brazil, for example, a security breach was reported in the E-Health application of the Ministry of Health, exposing the personal data of thousands of Brazilians who use the Unified Public Health System ("SUS"): patients' medical information, medication history, and appointments in the public health service were displayed.
This subject sits in the context of the risk of cyber-attacks, which threaten personal data security and privacy. The law is therefore intended to prevent this kind of abuse of the right to personal data protection.
Personal data is information about a person's private life (identity, image, location, health, among others), financial life (the existence of bank or credit card debts, etc.), and other aspects.
Currently, personal databases are a source of economic value to private companies. For the public sector, they are essential to the implementation of public policy in several areas, such as public health.
According to Article 5 of the law, sensitive personal data are data concerning racial or ethnic origin, religious belief, political opinion, membership of a trade union or of a religious, philosophical or political organization, data concerning health or sex life, and genetic or biometric data.
The foundations of the Brazilian Data Protection Act are laid out in its Article 2: respect for privacy; informational self-determination; freedom of expression, information, communication, and opinion; the inviolability of intimacy, honor, and image; economic and technological development and innovation; free enterprise, free competition, and consumer protection; and human rights, the free development of personality, dignity, and the exercise of citizenship by individuals.
The law applies to personal data processing operations regardless of the means used, the country where the processor is headquartered, or where the data is located, provided that the processing takes place in Brazilian territory, that the purpose of the processing is the offering or provision of goods or services to, or the processing of data of, individuals located in Brazilian territory, or that the personal data being processed was collected in Brazilian territory (Article 3, items I to III). Personal data whose subject is in Brazilian territory at the time of collection is deemed to have been collected in Brazil (Article 3, paragraph 1).
This Personal Data Protection Act affects companies in several industries: telecommunications; internet applications such as social networks, search engines, and video-sharing websites; financial institutions; e-payment companies; technology and government-sector startups (govtech); digital marketing companies; hospitals; and others.
In the financial sector, for example, there is a trend towards the opening of banking data (open banking) to increase competition. If the Brazilian Central Bank regulates the issue appropriately, traditional banks will have to share account holders' personal information with credit and financing companies, such as the startups known as fintechs.
In the business realm, the application of this law creates demand for professionals responsible for personal data management, such as the data protection officer ("encarregado") that the law requires controllers to appoint, and for the creation of compliance rules within companies, together with the corresponding enforcement bodies.
This federal law also applies to the public sector, containing rules on the sharing of personal data held in databases administered by government agencies, for example the data of people registered in the public health system.
The law does not, however, apply to personal data processing performed by an individual for exclusively private and non-economic purposes, carried out exclusively for journalistic and artistic or academic purposes, or carried out exclusively for the purposes of public safety, national defense, State security, or the investigation and repression of criminal offenses (Article 4).
In the context of international regulation, Europe has the General Data Protection Regulation (GDPR), and each EU member state has a supervisory authority for personal data protection.
Questions remain about the application of the European legislation. Online advertising companies that use personal data such as the location of mobile application users are concerned about the compliance rules to be adopted, while media companies are seeking alternatives in their dispute with technology companies over digital advertising.
The United States, in turn, has no general personal data protection law. There, the Federal Trade Commission (FTC), the regulatory agency responsible for enforcing fair trade practices between businesses and consumers, regulates the handling of consumers' personal data and applies sanctions against abuses of consumer rights. For example, the FTC has entered into several settlements with Google and Facebook concerning consumer privacy protection.
The law sets out the legal bases on which personal data may be processed (Article 7), the first of which is the consent of the data subject. In other words, absent another legal basis, the permission of the owner of the personal data is the condition for its valid use. The other bases are discussed below.
According to Article 5, item X, of the law, personal data processing is any operation carried out with personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, elimination, evaluation or control of the information, modification, communication, transfer, dissemination, or extraction.
The principles governing personal data processing, laid down in Article 6, include: purpose (processing for legitimate, specific purposes made known to the data subject); adequacy (compatibility of the processing with the purposes made known to the data subject); necessity (limiting processing to the minimum required to achieve its purposes); free access (guaranteeing data subjects easy and free consultation on the form and duration of the processing); data quality (ensuring the accuracy, clarity, relevance, and currency of the data, as necessary to achieve the purpose of the processing); and transparency (ensuring clear, accurate, and easily accessible information to data subjects about the processing, subject to business and industrial secrecy). Article 6 also lists security, prevention, non-discrimination, and accountability.
Personal data may be processed to comply with legal or regulatory obligations. One example is employees' personal data, such as name, address, vacation periods, benefits, and leave, whose registration with the public authorities is mandatory (the eSocial system). Another is the sharing of the personal data of telecommunications and internet service users between private companies and Anatel (the Brazilian Telecommunications Regulatory Agency) for the purposes of public communications policy.
The public administration may also process personal data required to enforce public policies. Example: public taxation policies, by sharing the personal data of citizens for tax collection purposes.
Personal data processing is also allowed for credit protection, for example by the Brazilian credit protection bureaus (Serasa and SPC), used by the trade, industry, and service sectors.
Another permitted use is the regular exercise of rights in judicial, administrative, or arbitration proceedings. Given that proceedings are now largely electronic, proper processing of personal data is needed to protect rights before the Judiciary and the Public Administration.
Article 11 of the Law deals specifically with the processing of sensitive data.
For example, Article 11, Paragraph 3, provides: "The communication or shared use of sensitive personal data between controllers for the purpose of obtaining economic advantage may be subject to prohibition or regulation by the national authority, after hearing the relevant sectoral government agencies."
This provision could be applied, for example, by the Brazilian Agency of Supplementary Healthcare ("ANS") to restrict the sharing of sensitive personal data, such as medical records and clinical histories that health plans might use to check for pre-existing conditions.
Article 14 deals with the processing of the personal data of children and teenagers; for children, it requires specific, highlighted consent from at least one parent or legal guardian (Article 14, Paragraph 1). A child will therefore need a parent's consent to access a service such as YouTube, for example.
Under Article 18 of the law, the data subject has the right to obtain confirmation of the existence of processing of their data; access to the data; correction of incomplete, inaccurate, or outdated data; anonymization, blocking, or erasure of unnecessary or excessive data, or of data processed in breach of the law; portability of the personal data to another product or service supplier; and elimination of personal data processed on the basis of the data subject's consent.
Regarding the processing of personal data by government, the law states that the shared use of personal data must serve specific purposes connected with the execution of public policies and the legal duties of public bodies and entities, in accordance with the personal data protection principles established in Article 6.
The government is, however, forbidden from transferring personal data held in databases under its management, or to which it has access, to private entities, except where a public activity is executed in a decentralized manner that requires the transfer (Article 26, Paragraph 1, item I). The bill passed by Congress also authorized such transfers where there was a legal provision and the transfer was supported by contracts, agreements, or similar instruments (Article 26, Paragraph 1, item II).
According to the presidential veto of that item, the cumulative requirement (legal provision plus contractual instrument) would hinder the Public Administration, because "several procedures related to the transfer of personal data are detailed in normative acts, such as the processing of public servants' payroll by private financial institutions, the collection of fees and taxes, and the payment of social security benefits, among others".
Sharing is also possible, within the limits of the law, where the personal data is publicly accessible.
According to Article 5, item XVI, of Law No. 13,709/18, shared use of data is the communication, dissemination, international transfer, or interconnection of personal data, or the shared processing of personal databases, by public bodies or entities in fulfillment of their legal duties, or between such bodies and private entities, reciprocally, with specific authorization, for one or more classes of processing permitted by those public entities, or between private entities.
According to the presidential veto of Article 23, item II, the prohibition on sharing personal data that identifies a person who requests access to public information would hinder the functioning of the Public Administration.
The veto cites as an example the sharing of the Social Security database and the National Registry of Social Information, and argues that the prohibition would hinder activities connected with the administrative police power, such as investigations within the National Financial System.
Under Article 27, the communication or shared use of personal data by a public entity to a private entity must be reported to the national authority and requires the data subject's consent, except in the cases where the law waives consent, in cases of shared data use that are given publicity, and in the exceptions of Article 26, Paragraph 1.
According to the presidential veto of Article 28, however, unrestricted communication or publicity of the shared use of personal data among government agencies could hinder the regular exercise of certain public functions of surveillance, control, and administrative police.
Under the law, the processing of personal data by notarial and registry services must follow the rules applicable to the public sector. The law also provides that these services must give the public administration electronic access to such data.
State-owned companies and quasi-public corporations that operate in a free competition environment are subject to the same rules as private entities. Public banks, for example, must follow the provisions of the law under examination.
There is a specific chapter on the international transfer of personal data, starting at Article 33. First, international transfer is allowed to countries or international organizations that afford a level of personal data protection adequate to that of the law.
International transfer is also allowed when the controller offers sufficient guarantees of compliance with the general principles of protection and with the rights of data subjects, in the form of contractual clauses approved for a specific transfer; when the transfer is necessary for international judicial cooperation between public intelligence, investigation, and prosecution agencies, under international law; and when the transfer is necessary to protect the life or physical safety of the data subject or a third party.
In the specific chapter on security and good practices for protecting data, there is a provision on security incidents: the controller must notify the national authority and the data subject of any security incident that may cause relevant risk or damage to data subjects, within a reasonable time. If necessary, the national authority may order broad disclosure of the fact in the media and measures to reverse or mitigate the consequences of the incident.
There are also provisions on liability and compensation for damage caused by personal data controllers and processors. Under Article 42, the controller or processor that causes material, moral, individual, or collective damage to others in breach of the law must repair it, and in the cases listed there the controller and processor are jointly and severally liable to the data subject. Article 43 sets out the cases in which liability is excluded: where the agent did not carry out the processing attributed to it, where there was no breach of the data protection legislation, or where the damage is solely attributable to the data subject or a third party.
As for supervision of personal data processing activities, Article 52 provides several administrative sanctions to be imposed by the competent public body: warning; a simple or daily fine of up to 2% of the private legal entity's revenue in Brazil in its last fiscal year, capped at BRL 50,000,000.00 per infraction; publication of the violation after it has been duly investigated and confirmed; blocking of the personal data involved in the breach until it is regularized; erasure of the personal data involved in the breach; total or partial suspension of operation of the database for up to six months; suspension of the personal data processing activity for up to six months; and total or partial prohibition of activities related to data processing.
The President of the Republic vetoed the sanctions of complete or partial suspension of the operation of the database, suspension of the exercise of personal data processing activity, and partial or complete prohibition of exercising any activities related to data processing.
According to the veto, these administrative penalties of suspension or prohibition of the operation/exercise of data processing activities can lead to “uncertainty for those responsible for this information, as well as make it impossible to use and process databases essential to various activities, such as those used by financial institutions, among others, which may jeopardize the stability of the National Financial System.”
The law, as passed by Congress, created the National Data Protection Authority, a federal agency linked to the Ministry of Justice.
There is undoubtedly a need for an independent regulatory agency specialized in personal data protection; the specialization of the subject requires it. This is also the European model, in which each country has a regulatory agency for personal data protection.
However, the President of the Republic vetoed the provision creating the regulatory agency on the grounds of formal unconstitutionality, namely a defect of legislative initiative, since the matter is reserved to the Head of the Executive Branch.
According to media reports, the President of the Republic will submit a new bill, or even a provisional measure, to create the National Data Protection Agency.
Note that the lack of a regulatory agency undermines the effectiveness of the law and its enforcement.
Clearly, the absence of an independent authority to supervise the law will leave personal data unprotected.
The law also provided for the National Council for Personal Data and Privacy Protection (Articles 58 and 59).
However, these legal provisions have been vetoed by the President of the Republic.
Finally, Law No. 13,709/18 amends the Internet Regulatory Framework (Marco Civil da Internet, Law No. 12,965/14) in two respects.
On the one hand, it provides for the right to permanent deletion of the personal data a user has provided to a particular internet application, at the user's request, at the end of the relationship between the parties, except where the law requires mandatory retention of records.
On the other hand, it forbids internet application providers from keeping personal data that is excessive in relation to the purpose for which the data subject gave consent, subject to the exceptions provided in the law.
Law No. 13,709/18 comes into force 18 months after its official publication (Article 65), that is, in 2020. There is therefore a reasonable time for adjustment to the new rules.
In conclusion, the effectiveness of the Brazilian Personal Data Protection Act faces several challenges, among them the veto of the creation of the National Agency for Personal Data Protection. International best practice, as set out in the European model, calls for independent and efficient regulatory agencies committed to the public interest. Hence the urgency of solving this serious problem: the lack of a regulatory agency for personal data protection.