This country-specific Q&A provides an overview of the Data Protection & Cyber Security laws and regulations applicable in Brazil.
Please provide an overview of the legal framework governing privacy in your jurisdiction (e.g., a summary of the key laws, who is covered by them, what sectors, activities or data they regulate, and who enforces the laws)?
The Brazilian Federal Constitution sets forth the core principles on the protection of privacy and personal information. According to the Constitution, privacy, private life, honor and image of individuals are inviolable, and the right to be compensated for economic and moral damages resulting from violation thereof is ensured.
Moreover, in August 2018 Brazil enacted a General Data Protection Law (“LGPD”), which, as amended by Provisional Act 869/2018 (still under analysis by Congress), is scheduled to become effective in August 2020. This law provides comprehensive regulation of personal data protection, including the collection, storage, registration, monitoring, processing and disclosure of users’ personal data. The law requires that personal data processing activities comply with a number of principles, such as purpose, transparency, security, free access by the data subject, prevention of damages and non-discrimination.
Currently, one of the most important sectoral laws is the Brazilian Civil Rights Framework for the Internet (Law 12.965/2014, the “Internet Law”) which establishes principles, guarantees, rights and obligations for the use of the Internet in Brazil. In addition, Decree 8.771 of May 11, 2016, which regulates the Internet Law, sets forth the rules related to the request of registration data by public administration authorities, as well as the security and confidentiality of records, personal data, and private communications.
Besides that, there are other sectorial laws and regulations concerning rights to privacy and data protection, including, but not limited to:
Civil Code (Law 10.406/2002) grants general privacy rights to any individual and the right to claim against any attempt to breach such rights by any third party;
Positive Credit Registry Act (Law 12.414/2011) permits databases of ‘positive’ credit information (i.e., fulfilment of contracted obligations) but prohibits the registry of excessive information (i.e., personal data which is not necessary for analyzing the credit risk) and sensitive data;
Telecommunications Act (Law 9.472/1997) grants privacy rights to consumers in relation to telecommunications services;
Wiretap Act (Law 9.296/1996) establishes that interception of communications can only occur by court order upon request by police authorities and the Public Prosecutor’s Office for purposes of criminal investigation or discovery in criminal proceedings;
Bank Secrecy Act (Complementary Law 105/2001) requires that financial institutions (and similar entities) hold financial data of individuals and entities in secrecy, except under judicial order issued for purposes of investigation of any illegal acts or discovery in criminal proceedings;
Resolution 3/2009 of the Internet Steering Committee in Brazil (CGI.br), establishes principles for ensuring privacy and data protection on the use of the internet in Brazil, mainly regarding activities developed by internet service providers;
Resolution 124/2006 of the National Supplementary Health Agency imposes a fine on health insurance companies up to BRL 50,000 for the breach of personal information related to the health conditions of a patient.
There are also important bills under analysis by the Brazilian Congress, such as the above-mentioned Provisional Act 869/2018 and the Proposal for Constitutional Amendment 17/2019, which adds item XII-A to article 5º and item XXX to article 22 of the Brazilian Federal Constitution, so as to include the protection of personal data among the citizens’ fundamental rights and to give the Union exclusive jurisdiction to legislate on this subject.
In general, the Federal, State and Local Public Prosecutors take the lead in enforcing the aforementioned legislation. Consumer protection authorities also play a relevant role in enforcing the legislation applicable to consumers.
Are there any registration or licensing requirements for entities covered by these laws and, if so, what are the requirements? Are there any exemptions?
Brazilian law does not require any prior licensing or registration for data processing activities. On the other hand, companies are required to obtain licenses/authorizations issued by the competent regulatory agencies for, for example, the provision of telecommunications, banking, health and other regulated activities/services. These are the so-called regulated service sectors.
How do these laws define personally identifiable information (PII) versus sensitive PII? What other key definitions are set forth in the laws in your jurisdiction?
The LGPD defines:
Personal data as information regarding an identified or identifiable natural person;
Sensitive personal data as personal data concerning racial or ethnic origin, religious belief, political opinion, membership of a trade union or of a religious, philosophical or political organization, data concerning health or sexual life, and genetic or biometric data, when related to a natural person.
Other key definitions are:
Data subject: the natural person to whom the personal data undergoing processing refer;
Data controller: natural person or legal entity, of public or private law, responsible for making decisions about the processing of personal data;
Data processor: natural person or legal entity, of public or private law, that processes personal data in the name of the controller;
Data protection officer: person appointed by the controller, who acts as a channel of communication between the controller and the data subjects and the supervisory authority;
National authority: the agency of the indirect public administration responsible for supervising, implementing and monitoring compliance with the LGPD.
Are there any circumstances where consent is required or typically used in connection with the general processing of PII and, if so, are there rules relating to the form, content and administration of such consent?
Besides the comments already made above, consent is one of the legal bases provided in the LGPD for processing personal data and is subject to specific rules. Additionally, consent is required to process the data of children and adolescents. Although the applicable legislation prescribes no specific format, consent must be obtained in advance, in a free, informed and unequivocal way, and must refer to specific purposes. If consent is given in writing, the relevant clause must be highlighted so that it stands out from the other contractual clauses.
What special requirements, if any, are required for processing sensitive PII? Are there any categories of PII that are prohibited from collection?
It is not prohibited to collect sensitive information. However, the processing of sensitive personal data may only occur if the data subject or their legal representative consents, in a specific and prominent manner, for the specific purposes concerned. Without the data subject’s consent, sensitive personal data may only be processed in one of the cases listed below:
For compliance with legal or regulatory obligation by the controller;
By the public administration for the processing and shared use of data required for the implementation of public policies;
For the conduct of studies by research entities, ensuring, whenever possible, the anonymization of personal data;
When necessary for the performance of a contract or the regular exercise of rights in judicial, administrative or arbitral procedures;
For the protection of the life or physical safety of the data subject or a third party;
For the protection of health, in procedures carried out by health professionals or sanitary entities;
For the guarantee of the prevention of fraud and security of the data subjects, in the processes of identification and certification of records in electronic systems, observing the data subject rights, and except in the event of prevalence of fundamental rights and liberties of data subjects that require protection of personal data.
How do the laws in your jurisdiction address children’s PII?
According to the Child and Adolescent Statute, children and adolescents are in a special condition as persons still in development. In this sense, the LGPD gives them stricter data protection rules and determines that the processing of personal data belonging to children and adolescents shall be done in their best interest, pursuant to the rules below and the applicable legislation.
Accordingly, the LGPD sets forth the following rules for processing children’s and adolescents’ personal data:
The processing of children’s and adolescents’ personal data requires specific and highlighted consent given by at least one of the parents or by the legal guardian;
When processing data based on consent, controllers shall keep public the information on the types of data collected, the way it is used and the procedures for exercising the rights established in the LGPD;
Children’s and adolescents’ personal data may be collected without consent when it is necessary to contact the parents or legal guardian, used only once and without storage, or for the children’s protection. Under no circumstances shall the data be transferred to third parties without the proper consent;
Data controllers shall not condition the participation of data subjects in games, internet applications or other activities to the provision of personal information beyond what is strictly necessary for the activity;
The controller shall make all reasonable efforts to verify that the person responsible for the child or adolescent has given the consent, considering the available technologies;
Information on the processing of children’s and adolescents’ data shall be provided in a simple, clear and accessible manner, taking into account the physical-motor, perceptual, sensory, intellectual and mental characteristics of the user, with the use of audiovisual resources when appropriate, in order to provide the necessary information to the parents or legal guardian and appropriate to the understanding of the child.
Are owners or processors of PII required to maintain any internal records of their data processing activities or to establish internal processes or written documentation? If so, please describe how businesses typically meet these requirements.
Both the controller and the processor must keep records of the personal data processing operations they carry out, especially when the processing is based on legitimate interest. It is also highly recommended that controllers and processors maintain an up-to-date data map, so that they can present a Data Protection Impact Assessment (DPIA) whenever required.
Are consultations with regulators recommended or required in your jurisdiction and in what circumstances?
There is no legal provision requiring consultation with regulators to process personal data. However, the national data protection authority, as of August 2020, will be the entity responsible for answering questions and queries regarding personal data.
Do the laws in your jurisdiction require or recommend conducting risk assessments regarding data processing activities and, if so, in what circumstances? How are these risk assessments typically carried out?
The National Data Protection Authority may require the controller to prepare a data protection impact assessment (DPIA), including for sensitive data, covering its data processing operations, in accordance with regulations and with due regard for trade and industrial secrets.
According to the LGPD, the DPIA shall contain the description of all personal data processing processes that could generate risks to civil liberties and fundamental rights, as well as measures, safeguards and mechanisms to mitigate these risks.
Do the laws in your jurisdiction require appointment of a data protection officer, or other person to be in charge of privacy or data protection at the organization? What are the data protection officer’s legal responsibilities?
According to the LGPD, the controller shall appoint a data protection officer to be responsible for the processing of personal data. The identity and contact information of the officer shall be publicly disclosed, in a clear and objective manner, preferably on the controller’s website.
The activities of the data protection officer consist of:
Accept complaints and communications from data subjects, provide clarifications and adopt measures;
Receive communications from the national authority and adopt measures;
Guide employees and contractors regarding the practices to be taken in relation to the protection of personal data;
Perform other duties determined by the controller or established in complementary rules.
In addition, the national authority may establish complementary rules on the definition and duties of the data protection officer, including the cases in which the appointment of a data protection officer may be waived, according to the nature and size of the entity or the volume of its data processing operations.
Do the laws in your jurisdiction require providing notice to individuals of the business’ processing activities? If so, please describe these notice requirements (e.g. posting an online privacy notice).
Yes. The data subject has the right to easy access to information about the processing of their data, which must be provided in a clear, adequate and conspicuous manner and must cover, among other aspects provided for in regulations in compliance with the principle of free access:
The specific purpose of processing;
Form and duration of the processing, observing business and industrial secrets;
Data controller identification;
Information about the shared use of data by the controller and for which purpose;
Responsibilities of the agents that will carry out the processing;
Rights of the data subject, explicitly mentioning the rights provided in the LGPD.
If the legal basis for the processing is consent, whenever the purposes of the processing change in a way that is not compatible with the original consent, the controller shall inform the data subject of the change of purpose beforehand, and the data subject may revoke consent if they disagree with the change.
If the processing of personal data is a condition for the supply of a product or service or for the exercise of a right, the data subject shall be informed of this fact and of the means by which the rights set forth in the LGPD may be exercised.
Do the laws in your jurisdiction apply directly to service providers that process PII, or do they typically only apply through flow-down contractual requirements from the owners?
A data controller or data processor who, as a result of carrying out personal data processing activities, causes material, moral, individual or collective damage to others, in violation of the personal data protection legislation, is obligated to redress it.
The data processor is jointly liable for any damage caused by the processing if it fails to comply with the obligations of the data protection legislation or fails to follow the lawful instructions of the controller, in which case the processor is deemed equivalent to the controller. Processing agents are exempt from liability if they prove that:
They did not carry out the processing of personal data that is attributed to them;
Although they carried out the personal data processing attributed to them, there was no violation of the data protection law;
The damage results from exclusive fault of the data subject or any third party.
Do the laws in your jurisdiction require minimum contract terms with service providers or are there any other restrictions relating to the appointment of service providers (e.g. due diligence or privacy and security assessments)?
There is no legal provision requiring minimum contract terms or other restriction related to hiring service providers. Companies shall negotiate contract limits and restrictions between themselves. Nonetheless, the LGPD provides general guidelines related to security issues for data processors and data controllers, and also establishes that this matter can be further regulated by the national authority.
Is the transfer of PII outside the jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (for example, does cross-border transfer of PII require notification to or authorization from a regulator?)
LGPD regulates transfer of data outside jurisdiction. International transfer of personal data is only allowed in the following cases:
To countries or international organizations that provide a level of protection of personal data that is adequate to the provisions of the LGPD;
When the controller offers and proves guarantees of compliance with the principles, the rights of the data subject and the data protection regime established in the LGPD, in the form of:
a) Specific contractual clauses for a given transfer;
b) Standard contractual clauses;
c) Global corporate rules;
d) Regularly issued seals, certificates and codes of conduct;
When the transfer is necessary for international legal cooperation between public intelligence and investigation bodies, in accordance with instruments of international law;
When the transfer is necessary for the protection of the data subject’s or a third party’s life or physical safety;
When the National authority authorizes the transfer;
When the transfer is the result of a commitment assumed in an international cooperation agreement;
When the transfer is necessary for the execution of a public policy or legal attribution of a public service;
When the data subject has provided specific and highlighted consent for international data transfer, with prior information about the international nature of the operation, with this information being clearly distinct from other purposes;
For compliance with legal or regulatory obligation by the controller, when necessary for the performance of a contract or preliminary proceedings related to a contract to which the data subject is a party, at the request of the data subject and for the regular exercise of rights in judicial, administrative or arbitral procedures.
What security obligations are imposed on PII owners and on service providers, if any, in your jurisdiction?
The LGPD establishes that processing agents shall adopt security, technical and administrative measures able to protect personal data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication or any type of improper or unlawful processing.
The Internet Law provides security requirements for internet service providers. Decree 8.771/2016 sets the security standards for handling personal data and private communications, as follows:
Definition of responsibilities and authentication mechanisms so as to ensure individualization of the persons who will have access to and handle data, as well as detailed access logs;
Creation of detailed inventory of access to connection records and access to applications containing time, duration, identity of the designated employee or individual responsible for the access in the company and the accessed file; and
Record management solutions that use techniques ensuring the inviolability of data, such as encryption or equivalent protection measures. The safeguarding and availability of connection logs and access data, as well as of PII and the content of private communications, must meet security requirements that preserve the intimacy, privacy and image of the parties directly or indirectly involved.
Moreover, the Brazilian Central Bank issued Resolution 4.658/2018, which provides a cyber security policy and the requirements for contracting services of data processing, data storage and cloud computing to be observed by financial institutions and other institutions licensed by the Brazilian Central Bank.
Does your jurisdiction impose requirements of data protection by design or default?
The LGPD establishes that processing agents shall adopt security, technical and administrative measures able to protect personal data from unauthorized access and from accidental or unlawful situations, from the design phase of the product or service through to its implementation.
The concept of privacy by default is implicit in the LGPD as companies are subject to the following principles:
Purpose: processing for legitimate, specific and explicit purposes, previously informed to the data subject, with no possibility of subsequent processing incompatible with these purposes;
Necessity: limitation of the processing to the minimum necessary to achieve its purposes, covering data that are relevant, proportional and non-excessive in relation to the purposes of the data processing.
Do the laws in your jurisdiction address security breaches and, if so, how does the law define “security breach”?
Although the LGPD does not provide a definition of “security breach”, it addresses the issue. Generally, any security incident that may result in any relevant risk or damage to the data subjects may be considered a “security breach” and the data controller must communicate to the national authority and the data subject about it, within a reasonable period of time.
How are the laws governing privacy and data protection enforced? What is the range of fines and penalties for violation of these laws? Can PII owners appeal to the courts against orders of the regulators?
Until the LGPD becomes effective, there is no specific authority in charge of data protection in Brazil. For the time being, law enforcement authorities, such as the Public Prosecutor’s Office, consumer protection authorities and the specific regulatory agencies enforce the rules against privacy and data protection violations. PII owners can appeal to the courts against orders of the regulators.
Over the last couple of years, the Special Unit for Data Protection and Artificial Intelligence has opened several cases against companies that suffered security incidents and data breaches.
The Internet Law states that, without prejudice to any other civil, criminal or administrative sanction, the non-compliance with data protection rules can result in the following sanctions that may be applied on an individual or cumulative basis:
A warning, with a deadline for the adoption of corrective measures;
A fine up to 10% of the gross income of the economic group in Brazil in the last fiscal year, taxes excluded;
Temporary suspension of the activities involving the data processing operations in question;
Prohibition to execute activities that entail processing of data.
The Brazilian Consumer Protection Code provides for a penalty of six months to one year of imprisonment, a fine, or both, for those who block or hinder a consumer’s access to information about them contained in files, databases or records, and for those who know or should know that information relating to the consumer contained in any file, database, record or registration is incorrect and, nevertheless, fail to rectify it immediately. The same statute sets forth administrative penalties imposed by the authorities in charge of protecting consumer rights, which include fines, intervention and counter-advertising.
The Bank Secrecy Act (Complementary Law 105/2001) establishes a penalty of one to four years of imprisonment and a fine for financial institutions (and similar entities) that breach the secrecy of the financial operations of, and the financial services provided to, their users.
The Brazilian Criminal Code (Decree-Law 2.848/1940), as amended by Law 12.737/2012, sets forth a penalty of three months to one year of imprisonment and a fine for those who invade another person’s computer device, whether or not connected to the internet, by improperly breaching a security mechanism, for the purpose of obtaining, tampering with or destroying data or information without the express or tacit authorization of the device owner, or of installing vulnerabilities to gain any illicit advantage.
Does the law include any derogations, exclusions or limitations other than those already described? Please describe the relevant provisions.
Brazilian Data Protection Law does not apply to the processing of personal data:
Carried out by a natural person for strictly personal and non-economic purposes;
Carried out exclusively for journalistic, artistic or academic purposes;
Carried out exclusively for purposes of public safety, national defense, state security, or activities of investigation and prosecution of criminal offenses;
Originating outside the national territory, where the data are not the object of communication, shared use with Brazilian processing agents or international transfer to a country other than the country of origin, provided that the country of origin has a level of personal data protection adequate to the provisions of the LGPD.
Please describe any restrictions on monitoring or profiling in your jurisdiction including the use of tracking technologies such as cookies – how are these terms defined and what restrictions are imposed, if any?
There is no definition of, or specific regulation for, tracking technologies such as ‘cookies’ in Brazil. However, if the information gathered by tracking technologies is able to identify a natural person, it falls within the scope of the data protection laws.
Please describe any laws addressing email communication or direct marketing?
Although there is no legal rule specifically concerning spam, the Internet Steering Committee (CGI.br) provides a good-practice guideline for avoiding spam, as follows:
Send e-mails only to customers who have opted to register on the mailing list;
Do not use third-party mailing lists, or buy them from mailing list sellers;
Do not reuse mailing lists, i.e. do not send e-mails to customers registered on the mailing list of another service, even if it belongs to the same company;
Respect the options customers indicate on registration forms, in writing or online;
Respect a consumer’s request to be unsubscribed from the mailing list;
Do not initiate the first contact with customers by e-mail, i.e. sending a first e-mail without prior authorization characterizes the practice of spam.
Additionally, Brazil has a Self-Regulation Code for E-mail Marketing Practice, signed by entities representing marketing companies, internet service providers and consumers, which permits soft opt-in only if there is evidence of a previous commercial relationship between sender and recipient. In this case, express consent is not required, but an “opt-out” option must be provided. The sender must publish its opt-out policy and state the deadline for removal of the recipient’s e-mail address from the database, which must occur within two business days if the request is made through the “unsubscribe” link or within five business days if it is made by other means. Also, the Brazilian Advertising Self-Regulatory Council confirms that advertisements on the Internet are subject to the same rules adopted for ‘conventional’ advertisements.
Lastly, it bears mentioning that Law 13.226/2008, enacted by the State of São Paulo, creates a do-not-call registry for blocking telemarketing calls, with the purpose of preventing companies from making marketing calls not authorized by the consumer.