In Chapter 4 of GPD’s recently published Travel Guide to the Digital World: Data protection for human rights defenders, we outline a set of key questions which can be used to determine whether a data protection regime is rights-respecting. In this mini-series, Data Protection on the Ground, we apply this framework to three laws currently in development. The second entry in the series is the newly adopted Brazilian data protection law. For this entry, special thanks go to Bruna Martins dos Santos of Coding Rights and Renato Leite Monteiro of Baptista Luz Advogados, who contributed invaluable review and feedback.
Until the passage of a data protection law in August 2018, there was no comprehensive data protection legislation in Brazil. Personal data processing was instead regulated through a variety of sectoral laws, including the Marco Civil, the Consumer Protection Code, the Compliant Debtors List Act, and the Bank Secrecy Act.
The Ministry of Justice started work on a draft data protection bill in 2010, and carried out a public consultation on the text. Different drafts were put forward by legislative bodies until a final text (read it here in English) was published in October 2015, and – after consideration by the President’s Chief of Cabinet – submitted to the National Congress in May 2016. Two years later, in May 2018, Brazil’s lower house approved the legislation. The bill was reviewed by the Brazilian Senate (the upper house) and sent for presidential assent in July 2018.
Following assent in August 2018, the new law will take effect after an 18-month transition period.
DOES THE DATA PROTECTION LAW INCORPORATE THE MINIMUM STANDARDS NEEDED TO ENSURE THAT AN INDIVIDUAL’S RIGHT TO PRIVACY IS PROTECTED?
In Article 6, the Act incorporates the minimum standards for data processing, including: access (the right of data subjects to freely access data held about them); notification of purpose (the requirement that processing is done for legitimate, specific and explicit purposes of which the data subject is informed); and quality (the requirement that data controllers guarantee the accuracy, clarity and relevance of the data, in accordance with the need and purpose of the processing).
The Act even goes beyond these minimum standards by providing data subjects with the right to object to automatic processing (Art 20) and the right to data portability (Art 18(V)), and in its requirement for data controllers to implement a comprehensive privacy governance program (Art 50), demonstrate meaningful consent has been obtained (Art 8), and report data breaches (Art 48). It also provides children and adolescents with particular protections (Section III, Article 14) by requiring that their personal data is only processed after the receipt of specific and informed consent from a legal guardian, and forces data controllers to “make public the information about the types of data collected, the way it is used and the procedures for exercising the rights referred to”.
Provisions which were originally included in the legislation, but were vetoed by the President, would have made the law even stronger, by demanding government transparency around data transfers among public actors and between public and private actors, and giving data subjects the right to challenge these transfers of data.
IS THE DATA PROTECTION LAW COMPREHENSIVE?
The law applies to both public and private bodies and to any type of data processed (whether online or offline). Where exceptions exist (in Article 4, III), they come with strong safeguards which ensure measures are necessary and proportionate – by providing that any exception “carried out for the sole purpose of public security, national defence, state security or investigation and prosecution of criminal offences” must be governed by separate legislation. Some of that legislation – for example, relating to access to information – already exists.
Further, Articles 3 and 4 make clear that the law has extraterritorial impact, which means that the rights afforded to data subjects remain in place whether their data is processed within Brazil or not. This is an important protection in an age where data crosses borders and is often processed in more than one country. Specifically, it means that the law applies:
“to any processing operation carried out by a natural person or a legal entity of public or private law, irrespective of the means, the country in which its headquarter is located or the country where the data are located, provided that:
I – the processing operation is carried out in the national territory;
II – the purpose of the processing activity is to offer or provide goods or services or the processing of data of individuals located in the national territory; or
III – the personal data being processed were collected in the national territory.”
IS THERE AN ENFORCEMENT AUTHORITY IN PLACE EQUIPPED WITH THE POWERS TO ENFORCE THE LEGISLATION?
The law does not establish an independent national data protection authority with the powers to enforce the legislation. The original bill would have established such an authority, as well as a multistakeholder national council for the protection of personal data, but both provisions were vetoed by the President.
As outlined in the Travel Guide (p. 59), a key prerequisite of rights-respecting data protection regimes is an independent enforcement authority, equipped with the powers to enforce the law. As the law does not establish an independent authority, this means that the Brazilian data protection law does not constitute a fully human-rights respecting regime. President Temer has sought to justify this omission on the basis that the creation of regulatory agencies is a matter for the executive, rather than Congress, and that the executive will therefore establish the enforcement authority. If this is so, it remains essential that the data protection authority that is created is fully independent, both financially and in the operation of its mandate, and appropriately resourced to be able to carry out its functions.
The Brazilian data protection law provides strong protections. It not only incorporates the minimum standards of data protection but also, as we have noted, provides additional protections that go beyond the minimum standards. It also harmonises the wide range of sector-specific legal frameworks that existed in Brazil, and which directly and indirectly dealt with the protection of privacy and personal data.
However, the law does not establish an independent enforcement authority to oversee the law’s enforcement, which means that it falls short of being fully human-rights respecting.