Although the Brazilian legal system has a number of provisions on privacy and protection of personal data in the Federal Constitution, Civil Code, Consumer Protection Code, Criminal Code, Telecommunications Law, among others, Brazil in fact still does not have specific and uniform legislation on the subject like the United States and European Union.
It is in this context and with the explosion of cloud computing services throughout the world that the bill of law N. 5344 emerged in 2013, aimed at providing greater legal certainty to investors and cloud computing service providers.
The bill of law establishes general guidelines for the promotion, development and exploitation of cloud computing activities in the country. We note below the main aspects encompassed by the referred bill of law:
- Equating data storage to the Institution of Deposit, already regulated by the Brazilian Civil Code;
- Provides for application of the law even in case of data deposit in datacenters located abroad;
- Recognition of privacy, intimacy, data protection and intellectual property rights and the need for uniformity of the guidelines for treatment of data transfer between countries;
- Service provider's responsibility for its actions and for the actions of its subcontractors, except if otherwise provided for by contract;
- Adoption of measures to promote interoperability, allowing interaction of systems;
- Ensure technological neutrality and network and data portability;
- Main conditions of the provision of cloud computing services;
- Obligation of the person responsible for depositing the data to take technical and administrative measures to protect the deposited data;
- Provision of data to third parties only by court order or consent of the depositor;
- Sole responsibility of the depositor for the content of the data deposited;
- Obligation to return the data deposited to the place where the agreement was executed at the termination of the agreement;
- Fixing of compensation to be paid by the depositary to the depositor in the event of data loss in an amount equal to twice the amount received by the depositary in the last twelve months;
- Obligation of the depositary to not use, handle or dispose of data, unless as provided by contract; and
- Restrictions on data retention arising from absence of contractual payment.
The bill of law is going through the legislative process and, if approved, will become compulsory in Brazil.