Jurisdiction snapshot
Trends and climate
Would you consider your national data protection laws to be ahead of or behind the international curve?
Privacy and data protection laws in Brazil are behind the international curve.
Are any changes to existing data protection legislation proposed or expected in the near future?
In May 2018 the House of Representatives passed two bills dealing with data protection: Bill of Law 4,060/2012 and Bill of Law 5,276/2016. The Senate subsequently received the approved Data Protection Bill (PLC 53/2018), which it is expected to vote on before the end of the year.
The entry into force of the EU General Data Protection Regulation has also contributed to pushing forward the legislative efforts to approve data protection regulation.
Legal framework
Legislation
What legislation governs the collection, storage and use of personal data?
In Brazil, privacy and data protection are treated as a fundamental right of individuals under the Federal Constitution. Individuals who suffer direct or moral damage as a result of violation of such rights have the right to indemnification. In addition to the Federal Constitution, the Civil Code (Law 10,406/02), the Consumer Protection Code (Law 8,078/9) and the Internet Act (Law 12,965/14) are the most prominent statutes governing the use, collection and processing of personal data in specific cases by private enterprise.
The Civil Code acknowledges and reinforces the principle that privacy is inherent to an individual’s personality and dignity, and states that the private life of an individual is inviolable. The privacy of consumer data is governed by the Consumer Code whenever a consumer relationship is established between an individual (or corporate entity, in certain circumstances) and a supplier of a product or service.
The Internet Act establishes other principles and rules with respect to the privacy and protection of internet users’ personal data. It contemplates specific rules on the collection, storage and processing of personal information through internet services and applications.
There are also other sector-specific laws and regulations that deal with privacy, eg, the Wiretap Act (Law 9,296/96), the Bank Secrecy Act (Complementary Law 105/01) and the Information Access Act (Law 12,527/01), which set rules for the use of personal data collected by the government in the exercise of its functions and duties. Other privacy rules apply to labour relationships and professional services (eg, law, accounting, medicine and psychiatry).
Scope and jurisdiction
Who falls within the scope of the legislation?
Any organisation performing data treatment activities in Brazil or offering services or products to individuals located in Brazil may fall within the scope of Brazilian laws. Over the years, notably with the penetration of the Internet and significant increase in online offers, Brazilian courts have been systematically enforcing Brazilian jurisdiction and laws in such circumstances.
What kind of data falls within the scope of the legislation?
Brazilian laws do not provide a single unified statutory definition of ‘personal data’ that would determine what kind of data is subject to local data protection laws. However, the courts have consistently used the definition of “data related to an identified or identifiable individual” to determine what constitutes personal data.
The decree that regulated the Internet Act provides that personal data is the “data related to an identified or identifiable individual, including identification numbers, locational data or electronic identifiers, when related to an individual”. PLC 53/2018 and the Senate bills on data protection also contain similar language. Finally, the Financial Records Act (Law 12,414/11) defines ‘sensitive information’ as information related to social and ethnic origins, as well as any other information regarding health, sexual orientation, political, religious and philosophical convictions.
All existing data privacy laws apply to data belonging to individuals, not legal entities.
Are data owners required to register with the relevant authority before processing data?
No, as Brazil still lacks a data protection authority.
Is information regarding registered data owners publicly available?
No.
Is there a requirement to appoint a data protection officer?
No.
Enforcement
Which body is responsible for enforcing data protection legislation and what are its powers?
There is no regulatory agency or specific public administrative body created to regulate and inspect compliance with data privacy laws, or to prosecute individuals or corporate entities for violations thereof. The Public Prosecutor’s Office, the Ministry of Justice and consumer protection authorities (eg, the Consumer Protection and Defence Authority and the National Consumer Secretariat) are the entities responsible for filing administrative or judicial proceedings against companies or individuals that violate privacy rights. Administrative proceedings may be of either civil or criminal nature, and may potentially lead to the filing of civil or criminal lawsuits. The Federal Public Attorneys of the Federal District have established an internal department to deal with data protection violations and have been quite active over the past months, mainly with respect to data breaches.
Collection and storage of data
Collection and management
In what circumstances can personal data be collected, stored and processed?
Despite the lack of unified rules applicable to data treatment activities, sectoral laws provide for certain principles and requirements that must be observed.
The Consumer Code, for example, establishes that suppliers must abide by the principles of information and transparency, pursuant to which the consumer (ie, data subject) must receive information regarding all relevant aspects of the service or product supplied (including risks, limitations and general characteristics). In addition to such principles, the Consumer Code establishes that the consumer must be made aware if his or her data (including behavioural data) is being added to a database. The same statute grants consumers the right of access, correction and rectification of their information.
The Internet Act provides that personal data will be collected only upon the prior, express and informed consent of the data subject. The data subject must be fully informed, in a clear and direct manner, of the collection, use, storage and processing of his or her data by internet applications, which can be made only:
- for justifiable reasons;
- if not otherwise prohibited by law; and
- if allowed by the relevant terms of service or privacy policy.
In this regard, internet application providers must expressly detail what type of personal data is collected and how they intend to collect, use and treat such information.
The Internet Act states that internet connection providers are required to retain user connection logs for a minimum period of 12 months. Connection logs must include the date, time and duration of an internet connection, as well as the corresponding IP address. Internet application providers (ie, those that offer any kind of functionality to their users through the Internet, such as social networks or e-commerce websites) must retain access logs for at least six months.
As a rule, there must be a reasonable correlation between the information collected and the purpose for which the notice or consent to collect data is given. Personal data (including log records) must be kept in secrecy and be disclosed only with the individual’s consent, a valid court order or if otherwise expressly allowed by law.
Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?
The Consumer Code establishes that negative credit information may not be stored for a period longer than five years. Under the Internet Act data minimisation principle, internet application providers may retain personal data that is needed for the offer of the services or products. Information will be deleted:
- as soon as the purpose of use is reached;
- at the end of the period determined by legal obligation; or
- at the data subject’s request when the relationship terminates.
Brazilian courts have not yet recognised a general right to be forgotten, although some decisions have recognised this right in specific cases.
Do individuals have a right to access personal information about them that is held by an organisation?
Yes, individuals have the right to access, correct and rectify personal data that is held by an organisation.
Do individuals have a right to request deletion of their data?
The Internet Act guarantees data subjects’ rights to request the deletion of their personal data. This right is available only on the termination of an agreement with the service provider. Service providers are not obliged to delete information that may be required to comply with a legal obligation.
Consent obligations
Is consent required before processing personal data?
If personal data is collected under a consumer relationship, prior notice is required. If data is collected online, the Internet Act requires the prior, express and informed consent of the individual. Organisations should be able to demonstrate how and when notice or consent was given.
If consent is not provided, are there other circumstances in which data processing is permitted?
Although neither the Consumer Code nor the Internet Act provides for any derogation from the notice and consent requirement, the courts have been issuing decisions authorising the use of publicly available information without restrictions (ie, with no need to inform or seek consent). However, this is still a controversial matter and the use of publicly available data should be assessed on a case-by-case basis. Another aspect to consider is the processing of anonymised data. Despite the lack of laws and court decisions on the matter, and depending on the circumstances of the case, the processing of anonymised data without consent could be viable. Employees’ data may be treated by employers, regardless of an employee’s consent, for the purpose of managing the employment relationship. Inter-company national or international transfer of employee data for the same purpose is also possible.
What information must be provided to individuals when personal data is collected?
As a rule, data subjects should receive clear and comprehensive information regarding the collection, use, storage and processing of personal data. Therefore, the following must be laid out in privacy policies:
- the type of information collected and circumstances that may allow its transfer to third parties;
- how and for what purpose the information is collected;
- how the organisation will use, treat, process and transfer personal data;
- what the organisation can do with the information;
- how long the information will be treated or stored;
- data controller contact information;
- the level of protection afforded to the collected information (eg, safety standards adopted by the organisation); and
- how the individual can reach the company in order to revoke consent, if applicable.
The courts have been systematically striking down privacy policy provisions that imply a waiver of all or substantially all of an individual’s privacy rights. As a result, organisations should be cautious as to how far they want to go in using data subjects’ data.
Data security and breach notification
Security obligations
Are there specific security obligations that must be complied with?
According to the Consumer Code, companies should take all reasonable measures to offer safe and defect-free products and services. The courts have taken the view that if companies do not implement appropriate security measures (normally based on industry standards), their product or service is considered defective and may trigger liability.
The regulation of the Internet Act imposes the following security measures for internet application providers:
- strict control over access to personal data, based on a definition of the responsibilities of the personnel who will have access to the stored data;
- two-stage authentication mechanisms that must be used to allow access to stored personal data by employees of the data controller or data processor;
- detailed access records that must be kept for every access to personal data (eg, date, time and duration of access, identity of the employee responsible for the access and a record of the files accessed); and
- use of IT solutions that ensure the inviolability of data (eg, encryption or equivalent protective measures).
In addition, the Internet Steering Committee may recommend the adoption of additional security measures and standards.
Breach notification
Are data owners/processors required to notify individuals in the event of a breach?
There are no specific reporting obligations in the event of data incidents. However, in some specific cases (notably when the information leaked may cause damage to the data subject), due to the principles of information and transparency imposed by the Consumer Code, affected individuals may have to be informed of data breaches. For regulated sectors, the regulatory agencies overseeing the providers may also have to be informed (eg, the Central Bank, the Securities and Exchange Commission, the National Telecommunications Agency and the Private Insurance Superintendence).
Are data owners/processors required to notify the regulator in the event of a breach?
Please see above.
Electronic marketing and internet use
Electronic marketing
Are there rules specifically governing unsolicited electronic marketing (spam)?
With respect to electronic marketing (spam), the Secretariat of Economic Law issued Ordinance 5/2002, deeming opt-out provisions in adhesion agreements to be abusive. In addition, the Internet Steering Committee issued a ‘soft law’ on unsolicited messages, providing that opt-in or soft opt-in email marketing campaigns are legitimate, but it also requires companies to adopt opt-out mechanisms in all circumstances.
Cookies
Are there rules governing the use of cookies?
The Internet Act provides that the individual whose data is being collected must be given clear and comprehensive information about the collection, use, storage, treatment and protection of his or her personal data, including information collected through cookies, beacons and other tracking technologies.
Data transfer and third parties
Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?
There is no specific regulation on the transfer of data outside Brazil. Any transfer of information must have a legitimate business reason and should not frustrate the data subject’s reasonable expectation as to how his or her information will be treated. In addition, transfers should be detailed in the privacy policy.
Some provisions related to international data transfers in the data privacy bills will impose additional requirements for transferring data to countries considered to have less protection than Brazil. The data protection authority will also determine which countries fall into the category of ‘less safe’ for such purposes.
Are there restrictions on the geographic transfer of data?
No, Brazilian law imposes no restriction on the geographic transfer of data and requires no notification to or approval by any Brazilian authority to proceed with such a transfer. However, the Institutional Security Cabinet has issued an ordinance (GSI IN 9/2018) establishing that the public administration may only contract cloud computing services that agree to host information in Brazil.
Third parties
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?
The privacy policy will determine if a transfer can be made and for what purpose. Organisations should avoid adopting excessively broad language concerning transfers, as it could be unenforceable. There must be legitimate business reasons for transferring data. The possibility of transferring data for processing purposes should be included in the privacy policies.
Penalties and compensation
Penalties
What are the potential penalties for non-compliance with data protection provisions?
The Consumer Code imposes criminal liability (six to 12 months’ imprisonment) for certain conduct that may qualify as a crime, although imposing criminal liability for violation of cybersecurity and data protection laws is very rare. In any case, a fine may be imposed on an organisation that is non-compliant with privacy laws or in the event of a data breach. Fines may encompass direct and moral damage. Collective claims may be filed for data protection violations.
The Internet Act establishes a fine of up to 10% of the breaching entity’s economic turnover in Brazil in the previous fiscal year, or the suspension or prohibition to engage in data treatment activities.
Compensation
Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?
Yes, violation of privacy rights gives rise to compensation for moral and direct damage.
Cybersecurity
Cybersecurity legislation, regulation and enforcement
Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?
There are no Brazilian laws intended to specifically regulate cybercrime or cybersecurity. The Consumer Code and the Internet Act provide for certain principles and rules that should be observed in relation to cybersecurity.
The Criminal Code (Decree Law 2,848/1940) establishes the crime of invasion of a computing device and the Child and Adolescent Act (Law 8,069/1990) provides for the crime of handling child pornographic materials.
What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?
Not applicable.
Which cyber activities are criminalised in your jurisdiction?
Under the Criminal Code, the act of attacking a computing device, whether connected to the Internet or not, by breach of a security mechanism and for the purpose of collecting, altering or destroying data or information or installing vulnerabilities to obtain an illegal benefit is deemed a crime. The Child and Adolescent Act provides that the offer, exchange, delivery, transmission, distribution, publication or disclosure of photographs, videos or other materials containing explicit sex scenes or child pornography is a criminal activity.
Which authorities are responsible for enforcing cybersecurity rules?
There is no regulatory agency or specific public administrative body created to regulate and inspect compliance with data privacy laws, or to prosecute individuals or corporate entities for violations thereof. The Public Prosecutor’s Office, the Ministry of Justice and consumer protection authorities (eg, the Consumer Protection and Defence Authority and the National Consumer Secretariat) are the entities responsible for filing administrative or judicial proceedings against companies or individuals that violate privacy rights. Administrative proceedings may be of either civil or criminal nature, and may potentially lead to the filing of civil or criminal lawsuits.
Cybersecurity best practice and reporting
Can companies obtain insurance for cybersecurity breaches and is it common to do so?
Yes, companies can obtain insurance for cybersecurity breaches in Brazil. This kind of insurance is becoming increasingly popular, although it is still not widely adopted in Brazil.
Are companies required to keep records of cybercrime threats, attacks and breaches?
The Central Bank of Brazil recently enacted Ordinance 4,658/2018, which applies to financial institutions. This ordinance determines that such entities must put together a cybersecurity policy and generate yearly incident reports recording all relevant facts that occurred in the previous year. These reports must be approved by the company’s board and may be reviewed by the Central Bank on request.
Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?
Threats and unsuccessful attacks do not have to be reported. Generally, with respect to data breaches, companies are not required to report, except where sector-specific regulations impose reporting obligations (please see below for further details).
Are companies required to report cybercrime threats, attacks and breaches publicly?
There are no specific reporting obligations in the event of data incidents. However, in some specific cases (notably when the information leaked may damage the data subject), due to the principles of information and transparency imposed by the Consumer Code, affected individuals may have to be informed of data breaches. For regulated sectors, the regulatory agencies overseeing the providers may also have to be informed (eg, the Central Bank, the Securities and Exchange Commission, the National Telecommunications Agency and the Private Insurance Superintendence).
Criminal sanctions and penalties
What are the potential criminal sanctions for cybercrime?
The crime of invading a computing device may be subject to imprisonment from three months to two years and a fine. Unlawful use of photographs, videos or other materials containing explicit sex scenes or child pornography may be subject to a penalty of up to eight years’ imprisonment.
What penalties may be imposed for failure to comply with cybersecurity regulations?
Based on the Consumer Code, a fine may be imposed on an organisation that is non-compliant with cybersecurity laws or in the event of a data breach. Fines may encompass direct and moral damages. Collective claims may be filed for data protection violations.
The Internet Act establishes a fine of up to 10% of the breaching entity’s economic turnover in Brazil in the previous fiscal year, or the suspension or prohibition of treating data in Brazil.