Draft Bill of Law on the Protection of Personal Data
RENATO L. MONTEIRO
Brazil – Sectorial legislation
PROVISIONAL MEASURE 2.200/2001: digital certification;
FEDERAL LAW 8.078/1990: Consumer Code, which regulates consumer databases;
FEDERAL LAW 9.983/2000: crime of inserting false data into public administration information systems;
COMPLEMENTARY LAW 105/2001: regulates confidentiality within the financial system;
FEDERAL LAW 10.406/2002: Civil Code, which regulates personality rights;
FEDERAL LAW 12.414/2011: addresses the protection of personal data within credit protection databases;
FEDERAL LAW 12.527/2011: right of access to information stored in public databases;
FEDERAL LAW 12.551/2011: addresses teleworking within labor legislation;
FEDERAL LAW 12.737/2012: crime of invading computer devices (C. Dieckmann);
DECREE 7.962/2013: e-commerce changes to the Consumer Code;
FEDERAL LAW 12.846/2013: anticorruption act (Clean Company Act);
FEDERAL LAW 12.965/2014: Brazilian Civil Rights Framework for the Internet.
The Civil Rights Framework for the Internet and digital compliance
Almost every company that has a website or collects personal data electronically is obligated to comply with Brazilian rules.
• “The Civil Rights Framework for the Internet necessarily reinforces the need of compliance with information security principles and unveil the need of establishing a privacy compliance structure”
It is worth knowing that the need to create a privacy compliance structure is going to be reinforced by specific federal legislation on the protection of personal data, the draft's main points of which are presented herein.
Protection of Personal Data (Draft Bill of Law)
The public debate on the drafting of the data protection bill is open until July 5th. Everyone is welcome to participate and collaborate on the elaboration of an innovative and protective new text.
The proposed discussion aims at strengthening fundamental rights while encouraging innovation and tackling challenging global issues.
Protection of Personal Data (Draft Bill of Law)
• Jurisdiction;
• Scope of application;
• Personal data;
• Sensitive data;
• Consent (exemptions);
• Data subject's rights;
• Data Protection Authority;
• Privacy Officer;
• International data transfers;
• Binding Corporate Rules – BCRs;
• Global corporate rules;
• Data breaches and notification requirements;
• Liability;
• Penalties;
• Vacatio Legis.
"Consent is the key-point of the law"
Jurisdiction and scope
• Jurisdiction: the law shall be applied to any processing operations performed through totally or partially automated means, by a natural person or by a legal person under public or private law, regardless of:
• the country where the natural or legal person is located; and
• the country where the database is located, provided that:
I - The processing operation is performed within the national territory; or
II - The personal data subject to processing have been collected within the national territory (the data subject must be in Brazil at the time of collection, regardless of his/her nationality).
• Scope: the law shall not be applied to any data processing that is:
I - Performed by a natural person for exclusively personal purposes; or
II - Performed for exclusively journalistic purposes; or
III - Performed for public safety, defense, State security, public investigation activities and the repression of criminal offences (general principles).
Personal data
• Personal data: the concept of personal data was widened compared to the previous version of the text. It has been influenced by current discussions in Europe towards updating the data protection legal framework. The current definition in the Brazilian draft is based on the EU Regulation:
any data related to an identified or identifiable natural person, including identification numbers, location data, or electronic identifiers
• Sensitive data: sensitive data can now be collected, treated and processed in more cases, as long as there is proper consent, which has received some guidelines in the text and must be different and separate from the regular consent. The forthcoming DPA will have the authority to issue additional requirements, but when the law goes into effect there might not yet be any. Nonetheless, the consent must be different from the method used for regular personal data.
• Anonymous data: there is an ongoing trend to consider anonymous data as personal data with regard to the protections listed in the draft bill.
Consent
Consent: the requirements to obtain consent and which information must be given to the subject have been broadened. The specific purpose to collect and process the data must be informed to the subject prior to obtaining his consent. When consent is given, the data subject shall be clearly, adequately, and ostensibly informed about the following points:
I - Specific purpose of the processing; II - Form and duration of the processing; III - Identification of the controller; IV - Controller's contact data; V - Subjects or categories of subjects to whom the data can be communicated, as well as the scope of disclosure; VI - Responsibilities of the agents that will perform the processing; and VII - Data subject's rights.
Right to denial: subjects have the right to deny the collection of their personal data without limiting their access to the services, with some exceptions.
Consent exemptions
Consent is exempt in the case of:
• unrestricted public access data;
• legal obligation by the controller;
• data shared by public authorities;
• contractual obligations;
• historical, scientific, or statistical research, ensuring, whenever possible, the dissociation of the personal data;
• the regular exercise of rights in legal or administrative proceedings;
• life or physical safety;
• healthcare;
• legitimate interests?
Data subject´s rights
The personal data subject is entitled to obtain:
• Confirmation of the existence of data processing;
• Access to the data (in an interoperable and open format);
• Correction of incomplete, inaccurate, or outdated data;
• (Anonymization) dissociation, blocking, or cancellation of unnecessary or excessive data;
• Data portability???
• Right to opposition;
• Right to review: the data subject is entitled to request a review of decisions based solely on automated processing of personal data that affect their interests, including decisions aimed at defining their profile or evaluating aspects of their personality.
• The controller shall provide, whenever requested, adequate information about the criteria and procedures used for the automated decision.
Data Protection Authority
• Data Protection Authority: the previous version of the text clearly created a separate and independent data protection authority. The new version excluded this chapter from the text, referring instead to a “competent authority” without defining what will constitute it.
• Privacy Officer: companies will have to employ Privacy Officers, who will be responsible for overseeing compliance with the law and will also serve as a bridge between the company and the “competent authority”. The previous version of the bill had set a minimum size of 200 employees; the current version does not set this threshold, but it might be subject to further regulation by the DPA.
Data Protection Authority
http://www.technologylawdispatch.com/2014/08/privacy-data-protection/brazilian-data-protection-authority-fines-internet-provider-159m/
http://www.reuters.com/article/2012/03/08/us-google-brazil-idUSBRE82718F20120308
International Data Transfers
• Adequate level of protection: international transfer of personal data is only allowed to countries that provide a level of protection for personal data equivalent to the level established in this Law, with some exceptions:
• Binding Corporate Rules – BCRs: a long-standing tool in the EU data protection system, Binding Corporate Rules are now included in the new version of the text, which can broadly enhance the flow of data until the Brazilian legal system adapts itself to the new data protection environment;
• Global corporate rules: the possibility of data flow within the same corporate structure was also tackled in the new version of the project;
• Special and specific consent: in the case of countries that do not provide an adequate level of protection, transfer is possible through a specific statement, different from the consent pertaining to other processing operations, and with prior and specific information about the international nature of the operation, including a warning about the risks involved.
Liability
• Data breaches and notification requirements: the controller shall immediately report to the competent body any security incident which might damage the data subjects. Prompt notification to the data subjects affected by the security incident shall be mandatory, regardless of the competent body's decision, in cases in which the incident endangers the data subjects' personal safety or can damage them.
• Liability: the current version sets that both the data processor and the data controller can be held liable for mishandling personal data. Subsidiary liability refers to the need to prove that the company was at fault when mishandling the data.
• Penalties: may be cumulatively applied. Non-compliance with the law may lead to:
• A simple or daily fine;
• The disclosure of the breach;
• Dissociation of the personal data;
• Blocking of the personal data;
• Suspension of the processing of personal data for a period no longer than two years;
• Cancellation of the personal data;
• Prohibition of the processing of sensitive personal data for a period no longer than ten years; and
• Prohibition of database operation for a period no longer than ten years.
• Vacatio Legis: companies will have 120 days from the implementation of the law to adapt to the new data protection rules. But there is no estimate of when that will happen; it might take some years.