New Brazilian Data Protection Bill Adopts Data Breach Notification Regime
The new Brazilian Data Protection bill currently under discussion takes a completely new approach to data protection for the country. It also follows the current trend in several countries, the European Union included, by adopting a data breach notification regime. Under the draft text, a breach itself would make a company liable, without the need to prove omission or negligence. Today, companies are liable only to the extent of the damages resulting from the misuse of information leaked or stolen in a data security breach.
Modeled after the European and Canadian data protection legal frameworks
Unlike many countries, Brazil does not have a comprehensive data protection framework. Even taking into account its Constitution and Civil Code, which guarantee individuals' right to privacy and intimacy, and its Consumer Protection Code, which protects Brazilian consumers' personal data, Latin America's biggest economy is far from a level that could be considered equivalent to that of countries and regions such as Argentina, Uruguay, Mexico and the European Union. A comprehensive overview of the current Brazilian privacy framework is available here.
Last year, the Fundação Getúlio Vargas (Getulio Vargas Foundation) and the Ministry of Justice submitted to public debate a draft Data Protection Bill modeled after the European Data Protection Directive (95/46/EC) and the Canadian data protection law (PIPEDA).
Brazil is now under the world's spotlight: not only will it soon be hosting a string of international events, such as the Football World Cup and the Olympic Games, but more and more multinational companies are investing in the country, which has made economic growth and stability one of its major long-term objectives. As part of pursuing them, the emphasis on information security technologies is growing rapidly. Brazil is now opening discussions to regulate the Internet and to adopt a data protection bill, the necessary steps toward a solid regulatory framework for foreign companies willing to invest in Brazil in the areas of technology and the Internet.
The bill in discussion
The draft bill now in discussion guarantees a list of citizens' basic rights regarding their personal data: the right to (i) access one's data; (ii) correct inaccurate or wrong data; (iii) delete them; (iv) object to their processing; (v) not be subject to purely automated decisions; and (vi) be compensated for the misuse of one's personal data.
Before initiating any discussion on personal data protection, the Ministry of Justice launched an online public debate focused on the regulation of the Internet in Brazil. Its result led to a bill, called "Marco Civil" (Civil Framework), that was sent to the National Congress to discuss the adoption of a general legal framework for the Internet. The bill covers topics such as the fundamental right to access the Internet, network neutrality, data retention and the storage of connection logs, the liability of Internet service providers, the need for a judicial order before law enforcement authorities can obtain users' personal data, and the removal of infringing copyrighted material.
The situation right now is difficult for companies that process personal data: there is no firm legal basis of the kind a data protection law would provide, the level of legal uncertainty is high, and the case law produced thus far is not particularly coherent, which has led some companies to give up on investing in Brazil. Only recently have Brazilian courts started to address issues such as privacy and intimacy on the Internet, and topics such as the liability of companies doing business on the Internet and data protection are still left in the dark.
New data breach security obligations for companies
Companies are currently liable only when damage occurs because of the personal information they store: even if there is a security breach and personal data, such as credit card numbers and passwords, are leaked or lost, a business is liable only to the extent of the damages resulting from the misuse of that information. Under the bill, the data breach itself could make the company liable, without the need to prove omission or negligence, and this can be coupled with penalties as severe as the closure of the business activity.
The bill also imposes several obligations on companies: it restricts how personal data may be collected, used and generally processed, and sensitive personal data (such as biometrics, data revealing religious or political beliefs, and sexual preferences) receive different treatment, requiring a separate consent and a more secure environment. The bill also requires that each individual give express consent to any processing of his personal data (collection, modification, transfer, disclosure to third parties or deletion). All of his personal data must also be fully accessible to him.
In case of a data security breach, the bill mandates that companies notify a so-called "Data Protection Authority", or Guarantee Authority, of the breach. Upon failure to do so, they could face penalties such as the temporary suspension of their activities and a prohibition on managing databases of personal data. Depending on the case, the breach must also be announced to the media.
In order to collect individuals' personal data, companies must inform them of the nature and purpose of the collection, the identity of the entity responsible for it, and the individuals' access rights. Companies also have to implement technologies that can, within five days, give users the ability to correct their personal data, anonymize them (Article 4 of the bill), or cancel or block their processing. They must also implement methods able to differentiate between sensitive and other personal data. The bill also creates a National Council on the Protection of Personal Data whose task will be to further implement the bill.
Several preventive security measures must be implemented in order to guarantee the adequate processing of the data and to avoid data breaches. The Data Protection Authority to be established would release a list of all such recommended measures within a year after the law is enacted. All companies, private or public, would have to follow its recommendations, and would be liable for any security breach without a showing of omission or negligence.
Companies with more than 200 employees that process personal data would face a new obligation to appoint a data protection officer, responsible for all data processing in the company, who would report directly to the Data Protection Authority.
Comprehensive comments on the bill
Caio César Carvalho Lima and I issued comments (in Portuguese) on the bill. They cover the main issues explained in this post, but also focus on its most critical aspects, such as: (a) the establishment of a minimum time to store personal data; (b) the difference between a physical and an electronic document; (c) the possibility given to the individual to get access to his data without the need for a lawyer; (d) the storage of personal data to be used for statistical purposes and the possibility of applying this data to behavioral analysis; and (e) the need for more transparent procedures, mainly regarding the methods used to obtain the individual's consent to process his personal data.
Renato Leite Monteiro & Cédric Laurant
– Caio César Carvalho Lima & Renato Leite Monteiro, Comentários ao Anteprojeto de Lei sobre Proteção de Dados Pessoais (Comments on the draft Brazilian data protection bill) (May 2011).
– Observatório da Internet.br – observatório brasileiro de políticas digitais (Internet Observatory – Brazilian observatory of digital policies).
– Habeasdata.org.br: privacidade e proteção de dados pessoais (blog) (habeasdata.org.br: privacy and personal data protection).
– Debate público: Proteção de Dados Pessoais (Public debate: Protection of Personal Data).
– Comitê Gestor da Internet no Brasil (Brazilian Internet Steering Committee).