Foreign business entities expanding into the Brazilian market should become familiar with the new Brazilian Data Protection Law (BDPL), recently enacted and due to become effective in August 2020. The BDPL, also known as the General Personal Data Protection Law, applies even to companies headquartered outside the Brazilian territory, provided that (i) the processing operation occurs within the Brazilian territory; (ii) the purpose of the processing activity is the offer or supply of goods/services, or the processing of data of individuals located in the Brazilian territory; or (iii) the personal data to be processed have been collected in the Brazilian territory.
Until 2019, there was no specific law regulating the protection of personal data in Brazil. The Brazilian Constitution and the Civil Code protect privacy as a general principle, but they do not contain more specific provisions detailing, for instance, the situations in which personal data may be processed without infringing privacy, or the conditions for obtaining appropriate consent to collect and process personal data.
The Brazilian Consumer Code (Law Nº 8,078/1990) establishes that consumers shall be notified in writing about their inclusion in a consumer registry or database, and that they are entitled to access, correct, update or delete their personal data from any consumer registry or database.
The BDPL (Law Nº 13,709/2018), enacted in 2018 and due to become effective in August 2020, establishes that personal data must be used only for the specific purposes for which it was collected, and that the processing of personal data must be limited to the period necessary to achieve those purposes. For the purposes of the BDPL, "personal data" means "information related to an identified or identifiable natural person", and "processing" includes "any operation carried out with personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, disposal, evaluation or control of the information, modification, communication, transfer, diffusion or extraction".
The protection of personal data is grounded in, among other principles: (i) respect for privacy; (ii) freedom of expression, information, communication and opinion; and (iii) the inviolability of intimacy, honor and image (Article 2 of the BDPL).
It is worth mentioning that the creation of the BDPL is the consequence of a long process of raising awareness about the current importance of personal data. Information in general, and personal data in particular, have become the main currency of exchange nowadays. After all, to gain access to a wide range of goods or services, it is necessary to provide a series of personal data. However, the service or product provider often exaggerates the amount of personal data required to conclude the purchase or contract in question. One example: you go to a pharmacy to buy medicine for a headache and, before you realize it, you are providing your name, address, marital status, e-mail, etc. (only your blood type is missing!). All information provided is the property of its holder, and its excessive collection has been happening because of the lack of legislation regulating such an important and increasingly frequent aspect of our daily lives.
The main purpose of the BDPL is to protect the fundamental rights of liberty and privacy and the free development of the natural person's personality (Article 1 of the BDPL). The BDPL is clearly inspired by, and fully consistent with, Regulation (EU) 2016/679 of the European Parliament (GDPR), the Canadian Data Protection Law, and the laws of other Latin American countries such as Argentina and Uruguay.
The BDPL applies to any processing operation of personal data carried out by a natural person or by a legal entity under public or private law, regardless of the medium, the country of the company's headquarters or the country where the data is located, provided that: "(i) the processing operation is carried out within the national territory; (ii) the purpose of the processing activity is the offer or the supply of goods or services or the processing of data of individuals located in the national territory; or (iii) the personal data to be processed has been collected in the national territory." (Article 3 of the BDPL).
It is, therefore, a law of extraterritorial application. It applies regardless of whether the personal data belong to Brazilian citizens; what matters is whether such data are collected or processed in Brazil.
A frequent question concerns whether the BDPL applies only to the digital market, since its discussion started concomitantly with the discussion of the Brazilian Internet Act, which establishes principles, guarantees, rights and duties for the use of the Internet in Brazil and also addressed the protection of personal data. To avoid misinterpretation, the BDPL expressly provides that it applies to any processing of personal data, regardless of the medium or environment in which the data is processed (Article 1 of the BDPL).
It is important to mention that the BDPL shall not apply to the processing of personal data carried out: (i) by a natural person exclusively for private and non-economic purposes; (ii) exclusively for journalistic, artistic and academic purposes; or (iii) for the sole purpose of public security, national defense, state security or activities related to the investigation and prosecution of criminal offenses. In addition, the BDPL shall not apply to the processing of personal data originating outside the Brazilian territory that are not the object of communication, of shared use with Brazilian processing agents, or of international transfer to a country other than the country of origin, provided that the country of origin grants a degree of protection of personal data consistent with the provisions of the BDPL.
Processing Principles and Guidelines: The processing of personal data shall observe principles such as: (i) purpose: processing only for legitimate, specific, explicit and informed purposes; (ii) adequacy: compatibility of the processing with the purposes informed; (iii) necessity: processing limited to the minimum necessary to fulfil its purposes; (iv) free access: data owners are guaranteed free and easy access to the form and duration of the processing, as well as to the integrity of their data; (v) data quality: accuracy, clarity, relevance and updating of the data are guaranteed; (vi) transparency: clear, precise and easily accessible information on the processing and on the agents involved is guaranteed.
Processing Requirements: Under the BDPL, personal data shall only be processed in certain cases, including: (i) upon the data owner's consent; (ii) for compliance with a legal or regulatory obligation; or (iii) when necessary for the performance of a contract (Article 7, I, II and V of the BDPL).
Data Owners' Rights: Data owners have the right to easy access to information about the processing of their personal data, which should be made available in a clear, adequate and conspicuous manner. Among others, data owners shall have the right to: (i) access their data; (ii) port their data to another supplier; (iii) have data processed with their consent deleted; and (iv) revoke consent (Article 18 of the BDPL).
Consent definition: Consent means the free, informed and unequivocal manifestation by which the data owner agrees to the processing of their personal data for a certain purpose. The processing of sensitive personal data, however, is even more restricted: it must be based on consent given specifically and prominently, for specific purposes (Article 11, I of the BDPL). For the purposes of the BDPL, "sensitive personal data" means "personal data on racial or ethnic origin, religious belief, political opinion, membership of a union or a religious, philosophical or political organization, health or sexual life, genetic or biometric data, when related to a natural person".
Penalties: Among the penalties provided by the BDPL are: (i) a warning; (ii) publication of the infraction; (iii) blocking or deletion of the personal data; and (iv) a simple fine of up to 2% (two percent) of the revenue in Brazil of the private law legal entity, group or conglomerate in its last fiscal year, excluding taxes, limited to R$ 50,000,000.00 (fifty million reais) per infraction.
Security and Good Practice: Processing agents shall adopt technical and security measures to protect personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication or any other form of inappropriate or illicit processing. Controllers and operators, within the scope of their competences for the processing of personal data, individually or through associations, may formulate good practice and governance rules that establish the conditions of organization, the operating regime, the procedures (including for claims and petitions), security standards, technical standards, the specific obligations of the parties involved in the processing, educational actions, internal supervisory and risk mitigation mechanisms, and other aspects related to the processing of personal data.
Notice Obligations: The controller shall inform the Data Protection National Authority and the data owner of the occurrence of a security incident that may entail significant risk or damage to data owners. This communication shall be made within a reasonable time, to be defined by the Data Protection National Authority, and shall mention at least: (i) a description of the nature of the personal data affected; (ii) information on the data owners involved; (iii) the technical and security measures used to protect the data, subject to commercial and industrial secrecy; (iv) the risks related to the incident; (v) the reasons for the delay, if the communication was not immediate; and (vi) the measures that have been or will be taken to reverse or mitigate the effects of the damage.
When it was enacted, the BDPL had some important provisions vetoed by President Michel Temer. Among them, the creation of the Data Protection National Authority, considered a key point for the development of data protection in the country, was vetoed on grounds of unconstitutionality. Provisional Measure No. 869/18, later converted into Law No. 13.853/19, was promulgated to solve this issue and, in addition to recreating the Data Protection National Authority, it also changed some other provisions of the BDPL. The main changes to the BDPL are listed below:
- Automated decisions: the BDPL provides that data owners can request a review of decisions affecting their interests that are made solely on the basis of automated processing. In the original version, such a review would have to be carried out by a natural person. The right to a review still exists, but it no longer has to be carried out by a natural person.
- Person in charge: the BDPL provides that the controller should designate a person in charge to act as a communication channel between the controller, the data owners and the National Data Protection Authority. In the original version, the person in charge had to be a natural person. There is no longer any obligation to appoint a natural person, which makes room for possible outsourcing of the activity.
- Health Plans: operators of private health care plans are now prohibited from processing health data for the purpose of risk selection when contracting any type of plan, as well as when admitting and excluding beneficiaries.
- Data Leaks: the possibility of direct conciliation between the controller and the data owner in the case of individual leaks or unauthorized accesses was created.
- Penalties: new penalties were created: (i) partial suspension of the operation of the database; (ii) suspension of the personal data processing activity; and (iii) partial or total prohibition on the exercise of activities related to data processing. These penalties were initially vetoed by President Jair Bolsonaro, but the veto was later overturned by the National Congress.
- Initial Term: the effective date was changed to 24 (twenty-four) months after the date of publication, which places the deadline in August 2020. Draft Bill 5762/19, which aims to extend the deadline to 2022, is already under consideration in the National Congress.
With about 6 months to go before the BDPL becomes effective in August this year, several companies believe that the effective date will be postponed. In fact, Draft Bill 5762/19 (under discussion in the National Congress since the end of last year) proposes to postpone the BDPL's effective date by 2 years, to August 15, 2022.
The main reasons for the postponement would be the companies' delay in adapting to the BDPL and the Government's delay in installing the Data Protection National Authority.
Brazil IT Snapshot 2019, a study by Logicalis on corporate adoption of information technology in Brazil, reported that only 17% of the 143 participating companies had concrete or already implemented initiatives relating to the protection of personal data at the time of the survey. In addition, only 24% of the companies had included a specific budget allocation for a compliance project, and 12% already had a project in progress.
The Government's delay in installing the Data Protection National Authority is also considered a problem, since several provisions of the BDPL have yet to be regulated by the National Authority, which creates a high degree of legal uncertainty regarding the adjustments that companies must implement.
Thus, if approved, Draft Bill 5762/19 will give companies an additional two-year period to adapt to the new law, and give the Government time to install the Data Protection National Authority and to discuss and approve regulatory issues, if possible even before the BDPL takes effect.
However, even if the effective date of the BDPL is postponed, companies should not delay the adoption of data protection compliance procedures. They might consider carrying out an initial assessment to determine more precisely the main risks and the measures that should be adopted, setting a compatible budget and establishing a feasible schedule.
After all, the measures to be taken by each company can vary widely, not only because of the business segment (e.g., whether or not personal data is part of the core business) and the current compliance stage (e.g., what the company has already implemented), but also as a result of how the company intends to view the protection of personal data (e.g., whether it intends only to fulfil the minimum requirements, or wants to adopt it as a principle and use it as a competitive advantage).
In any case, it is possible to adopt good practices that not only benefit the company right away but also simplify the future adaptation process. For that, it is necessary to follow some simple rules:
1) Collect only the necessary data;
2) Obtain appropriate consent, when applicable;
3) Anonymize whenever possible.
Finally, it is important to point out that it is not advisable to take the extension for granted, even though the reasons behind the postponement request are genuine. Since Draft Bill 5762/19 is not being processed under an urgency regime and is currently awaiting the opinion of the Constitution and Justice Committee, it is unlikely to be considered in time. Is it worth taking the risk?
Renata Ciampi and Fernando Stacchini are partners in the Technology, Digital Law and Data Protection Practice Group of the São Paulo office of Motta Fernandes Advogados. Mrs. Ciampi is a Certified Information Privacy Manager (CIPM), certified by the International Association of Privacy Professionals (IAPP).