Presentation given at the DataGuidance webinar "Brazil: Towards Privacy Compliance", about the Brazilian Draft Bill for the Protection of Personal Data (Anteprojeto de Lei para a Proteção de Dados Pessoais) issued in January 2015, which introduced concepts such as the Data Protection Officer and Binding Corporate Rules.
Draft Bill on the Protection of Personal Data
1. Draft Bill of Law on the Protection of Personal Data
RENATO L. MONTEIRO
2. Brazil – Sectorial legislation
PROVISIONAL MEASURE 2.200/2001: digital certification;
FEDERAL LAW 8.078/1990: Consumer Code, which regulates consumer databases;
FEDERAL LAW 9.983/2000: crime of inserting false data into public administration information systems;
COMPLEMENTARY LAW 105/2001: regulates confidentiality within the financial system;
FEDERAL LAW 10.406/2002: Civil Code, which regulates personality rights;
FEDERAL LAW 12.414/2011: addresses the protection of personal data within credit protection databases;
FEDERAL LAW 12.527/2011: right of access to information stored in public databases;
FEDERAL LAW 12.551/2011: addresses teleworking within labor legislation;
FEDERAL LAW 12.737/2012: crime of invading computer devices (C. Dieckmann);
DECREE 7.962/2013: e-commerce changes to the Consumer Code;
FEDERAL LAW 12.846/2013: anticorruption act (Clean Company Act);
FEDERAL LAW 12.965/2014: Brazilian Civil Rights Framework for the Internet.
3. The Civil Rights Framework for the Internet and digital compliance
Almost every company that has a website or collects personal data electronically is obligated to comply with Brazilian rules.
• “The Civil Rights Framework for the Internet necessarily reinforces the need for compliance with information security principles and unveils the need to establish a privacy compliance structure”
It is worth knowing that the need to create a privacy compliance structure is going to be reinforced by specific federal legislation on the protection of personal data, whose draft's main points we will present herein.
4. Protection of Personal Data (Draft Bill of Law)
The public debate for the drafting of the data protection bill is open until July 5th. Everyone is welcome to participate and collaborate on the elaboration of an innovative and protective new text.
The proposed discussion aims at strengthening fundamental rights while encouraging innovation and tackling challenging global issues.
5. Protection of Personal Data (Draft Bill of Law)
• Jurisdiction;
• Scope of application;
• Personal data;
• Sensitive data;
• Consent (exemptions);
• Data subject´s rights;
• Data Protection Authority;
• Privacy Officer;
• International data transfers;
• Binding Corporate Rules – BCRs;
• Global corporate rules;
• Data breaches and notification requirements;
• Liability;
• Penalties;
• Vacatio Legis.
"Consent is the key point of the law"
6. Jurisdiction and scope
• Jurisdiction: the law shall apply to any processing operation performed through totally or partially automated means, by a natural person or by a legal person under public or private law, regardless of:
• the country where the natural or legal person is located; and
• the country where the database is located, provided that:
I - The processing operation is performed within the national territory; or
II - The personal data subject to processing were collected within the national territory (the data subject must be in Brazil at the time of collection, regardless of his/her nationality).
• Scope: the law shall not apply to any data processing that is:
I - Performed by a natural person for exclusively personal purposes; or
II - Performed for exclusively journalistic purposes; or
III - Performed for public safety, defense, State security, public investigation activities and the repression of criminal offences (general principles).
7. Personal data
• Personal data: the concept of personal data was widened compared to the previous version of the text, influenced by current discussions in Europe towards updating the data protection legal framework. The current definition in the Brazilian text is based on the EU Regulation: any data related to an identified or identifiable natural person, including identification numbers, location data, or electronic identifiers.
• Sensitive data: sensitive data can now be collected, treated and processed in more cases, as long as there is proper consent; the text gives some guidelines on this consent, which must be different and separate from regular consent. The forthcoming DPA will have the authority to issue additional requirements, but when the law goes into effect there may not yet be any. Nonetheless, the consent must differ from the method used for regular personal data.
• Anonymous data: there is an ongoing trend to consider anonymous data as personal data with regard to the protections listed in the draft bill.
8. Consent
Consent: the requirements to obtain consent and the information that must be given to the subject have been broadened. The specific purpose for collecting and processing the data must be informed to the subject prior to obtaining his consent. When consent is given, the data subject shall be clearly, adequately, and ostensibly informed about the following points:
I - Specific purpose of the processing;
II - Form and duration of the processing;
III - Identification of the controller;
IV - Controller's contact data;
V - Subjects or categories of subjects to whom the data can be communicated, as well as the scope of disclosure;
VI - Responsibilities of the agents that will perform the processing; and
VII - Data subject's rights.
Right to denial: subjects have the right to deny the collection of their personal data without limiting their access to the services, with some exceptions.
9. Consent exemptions
Consent is exempt in the case of:
• Unrestricted public access data;
• Legal obligation of the controller;
• Data shared by public authorities;
• Contractual obligations;
• Historical, scientific, or statistical research, ensuring, whenever possible, the dissociation of the personal data;
• The regular exercise of rights in legal or administrative proceedings;
• Life or physical safety;
• Healthcare;
• Legitimate interests?
10. Data subject's rights
The personal data subject is entitled to obtain:
• Confirmation of the existence of data processing;
• Access to the data (in an interoperable and open format);
• Correction of incomplete, inaccurate, or outdated data;
• Dissociation (anonymization), blocking, or cancellation of unnecessary or excessive data;
• Data portability???
• Right to opposition;
• Right to review: the data subject is entitled to request a review of decisions based solely on automated processing of personal data that affect their interests, including decisions aimed at defining their profile or evaluating aspects of their personality.
• The controller shall provide, whenever requested, adequate information about the criteria and procedures used for the automated decision.
11. Data Protection Authority
• Data Protection Authority: the previous version of the text clearly created a separate and independent data protection authority. The new version removed this chapter, referring instead to a “competent authority” without defining what it will be.
• Privacy Officer: companies will have to employ Privacy Officers, who will be responsible for overseeing compliance with the law and will also serve as a bridge between the company and the “competent authority”. The previous version of the bill had set a minimum size of 200 employees; the current version does not set this threshold, but there might be further regulation by the DPA.
13. International Data Transfers
• Adequate level of protection: international transfer of personal data is only allowed to countries that provide a level of protection for personal data equivalent to the level established in this Law, with some exceptions;
• Binding Corporate Rules – BCRs: a long-standing tool in the EU data protection system, Binding Corporate Rules are now included in the new version of the text, which can broadly enhance the flow of data until the Brazilian legal system adapts itself to the new data protection environment;
• Global corporate rules: the possibility of data flow within the same corporate structure was also addressed in the new version of the project;
• Special and specific consent: in the case of countries that do not provide such a level of protection, transfer is possible through a specific statement, different from the consent pertaining to other processing operations, and with prior and specific information about the international nature of the operation, including a warning about the risks involved.
14. Liability
• Data breaches and notification requirements: the controller shall immediately report to the competent body any security incident which might damage the data subjects. Prompt notification to the data subjects affected by the security incident shall be mandatory, regardless of the competent body's decision, in cases in which the incident endangers the data subjects' personal safety or can damage them.
• Liability: the current version sets that both the data processor and the data controller can be held liable for mishandling personal data. Subsidiary liability refers to the need to prove that the company was at fault when mishandling the data.
• Penalties: may be cumulatively applied. Non-compliance with the law may lead to:
• A simple or daily fine;
• The disclosure of the breach;
• Dissociation of the personal data;
• Blocking of the personal data;
• Suspension of the processing of personal data for a period no longer than two years;
• Cancellation of the personal data;
• Prohibition of the processing of sensitive personal data for a period no longer than ten years; and
• Prohibition of database operation for a period no longer than ten years.
• Vacatio Legis: companies will have 120 days from the implementation of the law to adapt to the new data protection rules. But there is no estimate of when that will be; it might take some years.