The Brazilian personal data and privacy scene
1. Civil Rights Framework for the Internet (Law n. 12.965/2014)
In Brazil, the Civil Rights Framework for the Internet (Law Nr. 12.965/2014) and Decree Nr. 8.771/2016, which institutes the Framework, bring forth innovative questions regarding the legal framework for the use of the Internet. In them, new rules are established concerning the usage, storage and protection of data on the Internet, amongst other dispositions.
Decree Nr. 8.771 defines personal data as the data related to an identified or identifiable natural person, including identification numbers, location data or electronic identification, when related to a person, and the treatment of personal data as any operation made with the use of personal data, like the collection, production, reception, classification, usage, access, reproduction, transmission, distribution, processing, archival, storage, elimination, appraisal or control of information, besides the modification, communication, transferal, diffusion or extraction.
The Framework presents the principles of internet usage in Brazil in its Article 3, among which are the protection of privacy (item II) and the protection of personal data in accordance with the law (item III). The law also highlights the inviolability of intimacy, private life, the flow of communications on the internet, which must be confidential, and stored private communication, which must also be confidential, save by force of a judicial order.
Article 7, which states the rights of internet users, has in its item VII the right not to have data shared with third parties, including connection logs and application access logs, except upon free, explicit and informed consent or in the cases stated in law. Item IX presents the need to highlight contractual clauses that mention the need for manifest consent regarding the collection, usage, storage and treatment of personal data.
Furthermore, item X establishes the right to the definitive exclusion of personal data that the user may have provided to a given internet application by means of a request made upon the end of the relationship between both parties. Accordingly, the guarantee of the right to privacy is stated in article 8 as a condition for the full exercise of the right to internet access.
In some of its articles, the Civil Rights Framework also mentions the existence of specific legislation regarding the protection of personal data and privacy in a more thorough and structured manner, with a few bills regarding the subject being highlighted in the debates about such subjects.
Presently, several bills broach the subject of a national policy for the protection of personal data, demonstrating the lawmaker’s intent to mirror international dispositions, such as the former Data Protection Directive n. 95/46/EC and the new General Data Protection Regulation (GDPR) of the European Union. Some of the more relevant bills are:
· Bill no. 4.060/2012, regarding the treatment of personal data;
· Bill no. 330/2013, regarding the protection, treatment and usage of personal data, which also mentions the storage of Brazilian user information in foreign data centers;
· Bill no. 181/2014, which establishes principles, guarantees, rights and obligations related to the protection of personal data;
· Bill no. 131/2014, regarding the provision of data from citizens or Brazilian companies to foreign entities, establishing requirements for the request of personal data by international bodies.
3. The GDPR
When it comes to the international scenario, the main point of discussion on the subject of data protection and privacy is the General Data Protection Regulation – GDPR, which will be in force on May 25th, 2018, replacing the Data Protection Directive n. 95/46/EC.
GDPR’s main innovation is the increased territorial scope, with extra-territorial applicability, which makes the Regulation’s dispositions applicable to all companies that process personal data of residents of the EU, regardless of their location. Such dispositions include the restructuring of consent forms and data storage in an intelligible and easily accessible form, using clear and plain language.
Subsequently, breaches of GDPR’s provisions can be fined up to 4% of annual global turnover or €20 million, whichever is greater. The dispositions include the mandatory breach notification in security incidents which endanger the protection of personal data, as well as the right to be forgotten and the right to data erasure. The portability of data and the need for the structuring of systems with the principle of “privacy by design” are also mentioned.
4. Developments of data protection and privacy laws
With the strengthening of legal structures for the protection of personal data and privacy, companies must focus on conformity to all legal dispositions regarding the treatment of personal data of their users and clients, observing all provisions of penalties and fines related to noncompliance with such provisions.
The observance of legal demands is also essential for the orientation of those responsible for the administration of a company’s personal data, privacy and database management, since there is a chance of incurring liabilities for the undue use and management of data and violation of users’ privacy.
The theme of internet privacy is also highlighted in labor law, especially in relation to technological control through tracking and supervision of employees’ behavior during the use of the company’s computer and internet connection. The principle of inviolability of correspondence and the right to privacy applicable to the employee are confronted with the employer’s right to property over equipment, its objective liability over acts executed through its internet connection and its machines, and the power of direction stated in the Brazilian Labor Law Consolidation.