Rafael Pellon, MEF LatAm advisor and partner at Focaccia, Amaral, Salvia, Pellon & Lamonica, here explores the latest developments in the arena of digital privacy in Brazil, taking an in-depth look at the sweeping legal and regulatory changes coming into force as 180 million internet users become increasingly aware of the value of their personal data and those who might seek to exploit it.
It is hard to imagine life nowadays without technology. Smartphones, tablets, notebooks; digital is everywhere. All these innovations strive to make our lives easier, but they have also brought new concerns until recently considered irrelevant. These worries have given rise to new regulations in markets all around the world in order to impose effective ways to protect fundamental consumer rights, such as privacy, honor and image-related rights of individuals. These rights have often been threatened by this widespread surge of technologies, that ultimately lead us to this authentic gold rush to mine information in the new century.
. . .the Marco Civil da Internet was an important breakthrough in Brazilian regulatory history, since it was drafted and commented on a public website, available to anyone and commented by more than a hundred thousand people. It was a leading case of public engagement to format a bill of law.”
In this context, at the European Union, the so-called “Right to be Forgotten” was implemented to permit individuals to require search engines to remove links containing personal information about them. In the US, the Consumer Privacy Bill Of Rights Act has established guidelines applied to commercial industry in order to protect consumer’s privacy. In South America, many countries, like Chile, Argentina and Colombia have presented specific bills aimed to regulate consumer’s internet rights and the usage of personal data by corporations. In the meantime, what is happening in Brazil, the south’s biggest internet economy?
In 2012, the Internet Civil Law (“Marco Civil da Internet”) was approved with the creation of guarantees and obligations to Brazilian citizens. This law essentially covers principles, users’ rights, data storage and limited access to personal data. Its principles state the guidelines to interpret the law. They represent constitutional protections, like freedom of speech, applied within the framework of the internet. Users’ rights state what internet users are able to request such as, for example, the deletion of their personal data when a contractual relationship ends with a given company. Data storage is an effort to preserve data if in the future this information is somehow needed to identify a specific user in case of legal offense, even though authorities’ access to such data is limited and can only be disclosed with a specific judicial order.
Another important premise established by the Internet Civil Law is the case for jurisdiction election. According to the law, all data collected via the internet in Brazil – whenever at least one of the terminals is located inside its borders – shall be subjected to legislation. Even though the law does not regulate personal data protection in detail, it states as mandatory the compliance with Brazilian Law by all companies, national or foreign-based, attending privacy rights and with keeping the confidentiality of records. For all of that, the Marco Civil da Internet was an important breakthrough in Brazilian regulatory history, since it was drafted and commented on a public website, available to anyone and commented by more than a hundred thousand people. It was a leading case of public engagement to format a bill of law, later presented to Congress for discussion and approval.
Because of its hugely successfully implementation, the same mechanism has been used to draft a specific personal data protection bill for Brazil. The current bill draft brings together provisions considered relevant to the civil society concerning collection, treatment, storage, interconnection and monetization of data, such as the purpose for what specific personal data is collected, its quality and credibility, possibility to access and modify it, transparency, best practices that should be followed, prevention, security and non-discrimination.
One of the most significant sections in this draft bill concerns obtaining prior consent. According to it, users’ express consent is mandatory to collect their personal data. Companies that require specific personal data from the users must also inform for which purposes the information collected will or may be used.
Following the legislative examples of Colombia and Argentina, the Brazilian data protection draft established a differentiation among types of personal data and how it should be treated. Under the draft bill, companies cannot process sensitive personal data, except in limited circumstances. The legal definition of “sensitive data” includes racial and ethnic origins, religious, philosophical or moral beliefs, political opinions, health and sexual orientation information and even genetic data. After receiving contributions for a few months during this year, the draft bill is now in the hands of the Ministry of Justice to format its final text that will be presented to Congress in early 2016.
Meanwhile, given the relevance of the privacy theme to regulators, another bill of law has been causing passionate discussions among Brazilians. Bill of Law n. 215/2015, named by its opposites as “Spy Project Law”, proposes amendments in the text of the Internet Civil Law to allow any person to request the removal of defamatory data if it’s somehow connected to their name or image. This provision has been largely denounced as a way to ease the deletion of politicians’ public past from historical registers. Given Brazil’s current political mayhem and corruption scandals, it isn’t so illogical to think that politicians are trying to protect themselves, while civil organizations and government police bodies such as attorney generals increase the pressure over corrupts.
The amendment also disposes about the extension of mandatory data that would be requested from users. It obligates Internet companies to collect additional personal information from its users, like tax ID, address and phone number, which would then be released to any public authority that requires it, without the need for a prior judicial order. Considering that Brazil has more than 30 different types of public authorities in its 3 levels of government, it is easy to understand why this bill of law has such a catchy nickname.
Nonetheless, Brazilian personal data regulation may suffer more changes as a response to the Safe Harbor invalidation by the European Court of Justice. European regulation prohibits personal data from being transferred to or processed in other countries that do not provide adequate privacy protection practices.
Policy & Initatives, LatAm
However, Safe Harbor, a data-sharing agreement between European Union and the United States, provided a self-certification to US companies facilitating this transatlantic data flow without checking if necessary measures had been taken by multinational corporations. After the European Court decision, Brazilian legislators may have a precedent that encourages the adoption of a precise controls concerning international transfer of information, besides the creation of a special public body to oversee privacy practices of big corporations operating in the country.
At this point, it is hard to predict the future of privacy and data protection regulation in Brazil. Nonetheless, it is certain that society has been exercising its right to take a position and express, according to its point of view, what is necessary to establish in the law and which provisions would be unacceptable considering individuals’ rights. With more than 180 million internet users and a staggering 100 million of those inhabiting social networks, life in the tropics is deeply digital and its inhabitants are starving for more rights.