Brazil has taken a significant step to protect the personal data of Brazilians with the enactment of the first specific law on the subject. Bill of Law 53/2018, approved by the Senate on July 10, 2018, will be sent to the President for signing into law. The President will have 15 business days to sign it, but it is not yet clear whether whether any particular items in the law will be vetoed. After presidential signing, the law will take effect 18 months after its official publication.
Here are the main points of the law in the form approved by the Senate:
- Application: The law will apply to any transaction or operation involving treatment of data that (i) is performed in Brazil; (ii) has the objective of offering or supplying goods and/or services to people located in Brazil; or (iii) is carried out with personal data collected in Brazil.
- Exceptions: The law will not apply to the
treatment of personal data (i) carried out by individuals for private purposes; (ii) performed for journalistic, artistic or academic purposes; (iii) carried out for purposes of public safety, national security and defense or activities for investigation and deterrence of crimes (which will be the subject of a specific law); or (iv) with foreign provenance and that are not the target of communication, shares use with Brazilian data treatment agents or the object of transfer of data with another country that other than the country of provenance, provided such country provides a degree of protection adequate to the Brazilian Law.
- Definition of data: The expression “personal
data” is defined as any data or information related to an identified or identifiable individual (called the “owner”), with “sensitive personal data” being data about racial or ethnic background, religious belief, political opinion, membership labor unions or religious, philosophical or political organizations, as well as referring to health or sexual life, genetic or biometric data.
- Data treatment: “Treatment” is considered to
be all operations carried out with personal data,
such as collection, production, reception,
classification, utilization, access, reproduction,
transmission, distribution, processing, filing,
storage, elimination, evaluation, control,
modification, communication, transfer, diffusion or extraction of data or information.
Treatment agents: Agents fall into two categories: “controller,” defined as any individual or public or private legal entity responsible for the decisions related to the treatment of personal data, and “operator,” defined as the individual or legal entity that carries out the treatment of personal data at the behest of the controller.
- Competent bodies: The law establishes the
creation of a National Data Protection Authority, a body of the indirect federal public administration, subject to a special independence regime and linked to the Ministry of Justice and the National Council for Protection of Personal Data and Privacy; among its responsibilities are to propose strategic guidelines; provide support for the formulation of the National Policy on Protection of Personal Data and Privacy; suggest actions and propose studies.
Principles: Important principles must be observed in treatment activity, such as:
(i) purposes − the treatment must be carried out for specific and legitimate purposes, without the possibility of subsequent treatment in a form incompatible with these purposes
(ii) adequacy − compatibility of the treatment with the purposes reported to the owner
(iii) need − limitation of treatment only to the extent necessary to achieve expressed purposes
(iv) free access − guarantee that the owners can consult, easily and at no cost, on the form and time frame of the treatment, as well as the integrity of their data
(v) quality of the data − guarantee of the precision, clarity, relevance and currency of the data
(vi) transparency − guarantee of clear information that is easily accessible by the owners
(vii) security − utilization of technical and administrative measures to protect the data from access by unauthorized parties
(viii) prevention − adoption of measures to prevent the occurrence of damages due to treatment of personal data
(ix) nondiscrimination − impossibility of treatment for purposes of discrimination and
(x) accountability − demonstration of effective means to observe and prove compliance with the rules on protection of personal data.
- Requirements for treatment: The treatment may only be carried out (i) with consent; (ii) to
comply with a legal or regulatory obligation of the
controller; (iii) by the public administration, for treatment of data necessary for public policy purposes; (iv) for the purposes of study by a research entity, with guarantee of anonymization; (v) when necessary to perform a contract; (vi) for regular exercise of rights in a judicial, administrative or arbitral proceeding; (vii) for protection of the life or physical integrity of the owner or third parties; (viii) for protectio n of health, through a procedure carried out by professionals in the area of public health of by sanitary authorities; (ix) in the legitimate interests of the controller or third parties; and (x) for protection of credit.
- Consent: Consent must be expressed in
writing (in the case of a contract, highlighted with respect to the other clauses) or by other means that demonstrate the manifestation of the owner’s will, with the controller having the burden of proving consent was obtained pursuant to the law. Generic consent will be deemed null and void, and treatment in cases of defective consent is forbidden.
Revocation of consent: Consent can be revoked at any time, by the owner, with ratification of any treatment performed under the consent provided previously.
- Access to data: The owner shall be provided access to the data subject to treatment, and that access must be provided clearly, with reference to the purpose, form and duration of the treatment, identification of the controller and the corresponding contact information, explanation of the shared use of data and the purpose, responsibilities of the treatment agents, as well as explicit mention of the rights of the owner specified in Article 18 of the law (see next section).
- Rights of the owner (Art. 18): The owner has the following rights: (i) confirmation of the existence
of treatment; (ii) access to data; (iii) correction
of incomplete or inexact data; (iv) anonymization, blockage or elimination of unnecessary or excessive data; (v) portability of the data; (vi) elimination of personal data treated with consent; (vii) information about the public or private entities with which the controller has carried out shared used of the data; (viii) information about the possibility of not providing consent and the consequences of denial; and (ix) revocation of consent.
- Treatment of sensitive data: The treatment can only occur when the owner consents, specifically t, for specific purposes, or without consent of the owner in cases of need to carry out public policies by the public administration set forth in law; studies by research entities (with anonymization of sensitive personal data); regular exercise of rights; protection of the life or physical integrity of the owner; protection of public health; prevention of fraud; and security of the owner.
- Anonymization of data: This is defined as data by which the owner cannot be identified, and which therefore is not considered to be personal.
- Children and adolescents: The treatment of data on children and adolescents must be performed with the specific consent of at least one of the parents or legal guardians.
- End of the treatment: The treatment of data must end
when the purpose has been attained or the data cease being necessary or pertinent; at the end of the treatment period, by communication from the owner; or by determination of a national authority. The data must be deleted after the end of the treatment, other than in case of specific exceptions.
Treatment of data by the public authorities: The treatment must be performed only to serve the corresponding public purpose and with the objective of satisfying the legal attributions of the public service, with observation of the conditions determined in law.
- International transfer of data: The transfer of
personal data to other jurisdictions will be allowed only in cases set forth in law, such as (i) with the specific consent of the owner; (ii) to satisfy a legal or regulatory obligation, when necessary to perform contracts or for regular exercise of rights in a judicial, administrative or arbitral proceeding; (iii) to countries or international organizations that provide an adequate degree of protection of personal data as specified in law or determined by the competent entity; (iv) when the controller of the data proves it has guarantees of compliance with
the principles, rights of the owner and data
protection regime set forth in Brazilian law; (v) for protection of the life of physical integrity of the owner or a third party, among other situations.
- Records of operations for treatment of personal data: The controller and operator must keep records of the operations they carry out for treatment of personal data, mainly when the treatment is based on their legitimate interest.
- Report of the impact of protection of personal data: In relation with operations to treat data, the competent body can request the preparation of a “Report of the Impact of Protection of Personal Data,” which must state the types of data collected, the method used for their collection and the guarantee of their security, as well as analysis of the controller of the measures, safeguards and mechanisms for risk mitigation adopted.
Chief of treatment: the Chief of Data Treatment is the person responsible for accepting complaints and other communications from the data owner and competent authorities and for training employees about best practices, among others attributions. The Chief must be appointed by the controller and his/her identity and contact information must be disclosed clearly and objectively.
- Joint and several liability: Other than in
exceptional cases identified in law, the operator and controller are deemed to be jointly and severally liable for the data with respect to pecuniary or moral damages, either individual or collective, caused by the date treatment.
- Security measures: It is mandatory to adopt
technical and administrative security measures to protect the personal data from unauthorized access and accidental or illicit situations of destruction, loss, alteration, disclosure or any other form of inadequate or illicit treatment. The minimum technical standards must be disclosed by the competent body in a timely way, considering the specificities of the personal data and their treatment.
- Communication in cases of cybersecurity incidents: The controller must report to the competent body and the owners when any cybersecurity incidents occur that can cause a relevant risk or damage to the owners of the personal data.
- Administrative penalties: Infractions of the Law can subject the treatment agents to the
applicable administrative penalties by the
competent body, after an administrative proceeding that affords rebuttal and ample defense. Among the penalties are official warning, publicity of the infraction, partial or total suspension of use of the use of the database, single or daily fine (up to 2 percent of the gross revenue of a private company, business group or conglomerate in Brazil in the preceding year, excluding taxes, capped at R$50 million per infraction), or partial or total suspension of the activities related to the data treatment.
We will be monitoring this area of law to keep you informed about coming developments.
FOR MORE INFORMATION PLEASE CONTACT THE AUTHOR
Paula Mena Barreto
PartnerRio de Janeiro
T: +55 21 3262 3028F: +55 21 3262 3011