-
Please provide an overview of the legal and regulatory framework governing privacy in your jurisdiction (e.g., a summary of the key laws, who is covered by them, what sectors, activities or data do they regulate, and who enforces the relevant laws)?
The Brazilian Federal Constitution sets forth the core principles on the protection of privacy and personal information. According to the Constitution, privacy, private life, honor and image of individuals are inviolable, and the right to be compensated for economic and moral damages resulting from violation thereof is ensured.
Moreover, in August 2018 Brazil enacted a General Data Protection Act (Law 13,709/2018, the “LGPD”), which is scheduled to become effective in August 2020. However, because there is still no active national authority, because only a small number of companies have gone through adequacy projects, and because of the COVID-19 pandemic, there are Bills that propose postponing its vacatio legis (for example, Bills Nos. 5,762/2019, 6,149/2019 and 3,420/2019 from the House of Representatives, and Bills Nos. 1,027/2020, 1,164/2020 (finalized procedure), 1,198/2020 and 1,179/2020 from the Federal Senate).
The LGPD provides comprehensive regulation of personal data protection, covering the collection, storage, registration, monitoring, processing and disclosure of users’ personal data. The law requires that personal data processing activities comply with a number of principles, such as purpose, transparency, security, free access by the data subject, prevention of damages and non-discrimination.
Currently, one of the most important sectoral laws is the Brazilian Civil Rights Framework for the Internet (Law 12.965/2014, the “Internet Law”) which establishes principles, guarantees, rights and obligations for the use of the Internet in Brazil. In addition, Decree 8.771 of May 11, 2016, which regulates the Internet Law, sets forth the rules related to the request of registration data by public administration authorities, as well as the security and confidentiality of records, personal data, and private communications.
Besides that, there are other sectoral laws and regulations concerning the rights to privacy and data protection, including, but not limited to:
- Civil Code (Law 10.406/2002), which grants general privacy rights to any individual and the right to claim against any attempt by a third party to breach such rights;
- Consumer Code (Law 8,078/1990), which provides in its provisions for the principles of transparency, information and quality of data;
- Positive Credit Registry Act (Law 12.414/2011), which permits databases of ‘positive’ credit information (i.e., fulfilment of contracted obligations) but prohibits the registration of excessive information (i.e., personal data that is not necessary for analyzing credit risk) and of sensitive data;
- Complementary Law No. 166/2019, which amends the Positive Credit Registry Act to authorize the inclusion of natural persons and legal entities in positive registration databases without their prior request;
- Telecommunications Act (Law 9.472/1997), which grants privacy rights to consumers in relation to telecommunications services;
- Wiretap Act (Law 9.296/1996), which establishes that interception of communications may only occur by court order, upon request by police authorities or the Public Prosecutor’s Office, for purposes of criminal investigation or discovery in criminal proceedings;
- Bank Secrecy Act (Complementary Law 105/2001), which requires financial institutions (and similar entities) to hold the financial data of individuals and entities in secrecy, except under a judicial order issued for purposes of investigating illegal acts or discovery in criminal proceedings;
- Resolution 3/2009 of the Internet Steering Committee in Brazil (CGI.br), which establishes principles for ensuring privacy and data protection in the use of the internet in Brazil, mainly regarding activities carried out by internet service providers;
- Resolution 124/2006 of the National Supplementary Health Agency, which imposes a fine of up to BRL 50,000 on health insurance companies for breaches of personal information related to a patient’s health conditions.
There are also important laws under the Brazilian Congress’ analysis, like the Proposal for Constitutional Amendment No. 17/2019, which complements item XII of article 5, and adds item XXX to article 22 of the Brazilian Federal Constitution to include protection of personal data within the citizens’ fundamental rights and to set the Union’s exclusive jurisdiction to legislate about this subject.
In general, the Federal, State and Local Public Attorneys take the lead in enforcing the aforementioned legislation. Consumer protection authorities also play a relevant role in enforcing the legislation applicable to consumers.
-
Are there any registration or licensing requirements for entities covered by these laws and, if so, what are the requirements? Are there any exemptions?
Brazilian law does not require any prior licensing or registration for data processing activities as such. Companies are, however, required to obtain licenses or authorizations from the competent regulatory agencies for the provision of regulated activities and services, such as telecommunications, banking and health. These are the so-called regulated service sectors.
-
How do these laws define personal data or personally identifiable information (PII) versus special category or sensitive PII? What other key definitions are set forth in the laws in your jurisdiction?
The LGPD defines:
- Personal data as information regarding an identified or identifiable natural person;
- Sensitive personal data as personal data concerning racial or ethnic origin, religious beliefs, political opinions, membership of a trade union or of a religious, philosophical or political organization, data concerning health or sex life, and genetic or biometric data, when related to a natural person.
Other key definitions are:
- Data subject: the natural person to whom the personal data being processed refers;
- Data controller: a natural person or legal entity, of public or private law, responsible for making decisions about the processing of personal data;
- Data processor: a natural person or legal entity, of public or private law, that processes personal data on behalf of the controller;
- Data protection officer: the person appointed by the controller and the processor who acts as a channel of communication between the controller, the data subjects and the supervisory authority;
- National authority: the public administration agency responsible for supervising, implementing and monitoring compliance with the LGPD in the national territory.
-
What are the principles related to the general processing of personal data or PII?
Every processing activity of personal data shall observe good faith and the following principles: i) purpose; ii) adequacy; iii) necessity; iv) free access; v) quality of the data; vi) transparency; vii) security; viii) prevention; ix) non-discrimination; and x) accountability.
Also, the LGPD establishes that processing of personal data shall only be carried out in the following cases:
- By means of the data subject’s consent;
- For compliance with legal or regulatory obligation by the controller;
- By the public administration for the processing and shared use of data required for the implementation of public policies;
- For the conduction of studies by research entities, ensuring, whenever possible, the anonymization of personal data;
- When necessary for the performance of a contract or preliminary proceedings related to a contract to which the data subject is a party, at the request of the data subject;
- For the regular exercise of rights in judicial, administrative or arbitral procedures;
- For the protection of the life or physical safety of the data subject or a third party;
- For the protection of health, in procedures carried out by health professionals or sanitary entities;
- When necessary to serve the legitimate interests of the controller or of third parties, except where the fundamental rights and liberties of the data subject that require protection of the personal data prevail;
- When the fundamental rights and liberties of the data subject require personal data protection;
- For credit protection, including the provisions of the relevant legislation.
The personal data shall be eliminated after termination of the processing thereof, within the scope and technical limits of the activities. The storage of personal data after the processing is authorized for the following purposes:
- Compliance with a legal or regulatory obligation by the controller;
- Study by a research entity, ensuring, whenever possible, the anonymization of the personal data;
- Transfer to third parties, provided that all legal requirements set forth in the Law are complied with;
- Exclusive use of the controller, with forbidden access to third parties, and provided the data has been anonymized.
In addition, sectoral legislation, such as the Consumer Code, National Tax Code, Labor Legislation, among others, provides different rules regarding data storage.
Specifically for internet applications, the Internet Law establishes that application service providers must keep records of access to internet applications (i.e., the set of information regarding the date and time of use of a particular internet application from a particular IP address) under secrecy, in a controlled and safe environment, for a minimum term of six months. In the provision of internet connections, the autonomous system administrator shall keep the connection logs under secrecy for at least one year.
-
Are there any circumstances where consent is required or typically used in connection with the general processing of personal data or PII and, if so, are there are rules relating to the form, content and administration of such consent?
Consent is one of the legal bases provided in the LGPD for processing personal data and is subject to specific rules. For example, when personal data is processed on the basis of consent, the consent must be a free, informed and unambiguous manifestation by the data subject for a specific purpose, given in writing or by another means that demonstrates his/her will; the processing of sensitive personal data, on the other hand, requires specific and highlighted consent for specific purposes.
If consent is given in writing, the consent clause must be highlighted from the other contractual clauses. Additionally, to process the data of children and adolescents, at least one of the parents or the legal representative shall give his/her specific and highlighted consent.
Finally, one of the mechanisms that allow international transfers is the specific and highlighted consent given by the data subject, with prior information about the international nature of the operation, being clearly distinct from other purposes.
-
What special requirements, if any, are required for processing sensitive PII? Are there any categories of personal data or PII that are prohibited from collection?
It is not prohibited to collect and process sensitive personal data. However, the processing of sensitive personal data may only occur if the data subject or his/her legal representative consents, in a specific and highlighted way, for such specific purposes. Without the data subject’s consent, the processing of sensitive personal data must fall under one of the cases listed below, and only where indispensable:
- For compliance with legal or regulatory obligation by the controller;
- By the public administration for the processing and shared use of data required for the execution of public policies;
- For the conduction of studies by research entities, ensuring, whenever possible, the anonymization of personal data;
- When necessary for the performance of a contract or the regular exercise of rights in judicial, administrative or arbitral procedures;
- For the protection of the life or physical safety of the data subject or a third party;
- For the protection of health, in procedures carried out by health professionals or by health entities;
- For the guarantee of the prevention of fraud and safety of the data subjects, in processes of identification and authentication of registration in electronic systems, observing the data subject rights, and except in the event of prevalence of fundamental rights and liberties of data subjects that require protection of personal data.
Also, it is important to note that the communication or shared use between controllers of sensitive personal data concerning health for the purpose of obtaining an economic advantage is prohibited. Exceptions are made for the provision of health services, pharmaceutical assistance and health care, including auxiliary diagnostic and therapeutic services, for the benefit of the data subjects’ interests, as well as to enable data portability when requested by the data subject and the financial and administrative transactions resulting from the use and provision of these services, provided that the processing of health data does not result in risk selection in the contracting of private health care plans or in the exclusion of beneficiaries by their operators.
-
How do the laws in your jurisdiction address children’s personal data or PII?
According to the Child and Adolescent Statute (Law 8,069/1990, “ECA”), children and adolescents are in the particular condition of persons under development. Accordingly, the LGPD gives them stricter data protection rules and determines that the processing of personal data belonging to children and adolescents shall be carried out in their best interest, pursuant to the rules below and applicable legislation.
Accordingly, the LGPD set forth the following rules to process children’s and adolescents’ personal data:
- The processing of children’s and adolescents’ personal data requires a specific and highlighted consent of at least one of the parents or by the legal guardian;
- When processing data based on consent, controllers shall keep public the information on the types of data collected, the way it is used and the procedures for exercising the rights established in the LGPD;
- Children’s and adolescents’ personal data may be collected without consent when it is necessary to contact the parents or legal guardian, used only once and without storage, or for the children’s protection. Under no circumstances shall the data be transferred to third parties without the proper consent;
- Data controllers shall not condition the participation of data subjects in games, internet applications or other activities to the provision of personal information beyond what is strictly necessary for the activity;
- The controller shall make all reasonable efforts to verify that the person responsible for the child or adolescent has given the consent, considering the available technologies;
- Information on the processing of children’s and adolescents’ data shall be provided in a simple, clear and accessible manner, taking into account the physical-motor, perceptual, sensory, intellectual and mental characteristics of the user, with the use of audiovisual resources when appropriate, in order to provide the necessary information to the parents or legal guardian and appropriate to the understanding of the child.
-
Does the law include any derogations, exclusions or limitations other than those already described? Please describe the relevant provisions.
The LGPD does not apply to the processing of personal data:
- Carried out by a natural person for strictly personal and non-economic purposes;
- Carried out exclusively for journalistic, artistic or academic purposes;
- Carried out exclusively for purposes of public safety, national defense, state security, or activities of investigation and prosecution of criminal offenses;
- Originated from outside the national territory and which are not the object of communication, shared use of data with Brazilian processing agents or subject to international transfer of data with another country that is not the country of origin, provided that the country of origin has a level of personal data protection suitable for the provisions of this LGPD.
-
Does your jurisdiction impose requirements of 'data protection by design' or 'data protection by default' or similar? If so, please describe the requirement and how businesses typically meet the requirement.
The LGPD establishes that processing agents shall adopt security, technical and administrative measures able to protect personal data from unauthorized access and from accidental or unlawful situations, from the design phase of the product or service until its implementation.
The concept of privacy by default is implicit in the LGPD, as companies are subject to the following principles, among others:
- Purpose: processing for legitimate, specific and explicit purposes, previously informed to the data subject, with no possibility of subsequent processing incompatible with these purposes;
- Necessity: limitation of the processing to the minimum necessary to achieve its purposes, covering only data that are relevant, proportional and non-excessive in relation to the purposes of the processing;
- Accountability: demonstration by the processing agent of the adoption of effective measures capable of proving compliance with the rules of personal data protection, including the effectiveness of such measures.
Businesses typically meet these requirements through an LGPD adequacy project, in which they need to: i) keep records of the personal data processing operations they carry out; ii) prepare a Data Protection Impact Assessment (DPIA), with a description of the types of data collected, the methodology used for collection and for ensuring the security of the information, and the controller’s analysis of the technical and administrative measures, safeguards and risk mitigation mechanisms adopted; and iii) adopt good privacy practices and be transparent.
-
Are owners or processors of personal data or PII required to maintain any internal records of their data processing activities or to establish internal processes or written documentation? If so, please describe how businesses typically meet these requirements.
Both the controller and the operator (the LGPD’s term for the processor) must keep records of the personal data processing operations they carry out, especially when the processing is based on legitimate interest. It is also highly advisable for controllers and operators to maintain an up-to-date data map and to be able to present a Data Protection Impact Assessment (DPIA) whenever required, in compliance with the principle of accountability.
-
When are you required to, or when is it recommended that you, consult with data privacy regulators in your jurisdiction?
There is no legal provision requiring or recommending consultation with regulators in order to process personal data. However, under the LGPD it is possible to consult the data privacy regulator, in this case the Brazilian Data Protection Authority (“ANPD”), with questions and queries regarding personal data. The data subject may also petition the ANPD against the controller regarding his/her personal data, after showing that the complaint was not resolved by the controller within the legal term.
It is important to note that the ANPD has already been created by Law No. 13,853/2019, but has not yet been constituted. At present, therefore, Brazil has a national data protection authority on paper, but it cannot act until its members are appointed.
-
Do the laws in your jurisdiction require or recommend conducting risk assessments regarding data processing activities and, if so, in what circumstances? How are these risk assessments typically carried out?
The National Data Protection Authority may require the controller to prepare a data protection impact assessment (DPIA), including for sensitive data, covering its data processing operations, in accordance with regulations and with due regard for trade and industrial secrets. According to the LGPD, the DPIA shall contain a description of all personal data processing that could generate risks to civil liberties and fundamental rights, as well as the measures, safeguards and mechanisms adopted to mitigate those risks.
Also, when processing is based on legitimate interest, it must be limited to the data strictly necessary for the legitimate purposes, assessed in light of concrete situations; for this reason, the National Authority may request a data protection impact assessment (DPIA) from the controller.
-
Do the laws in your jurisdiction require appointment of a data protection officer (or other person to be in charge of privacy or data protection at the organization) and what are their legal responsibilities?
According to the LGPD, the controller shall appoint a data protection officer to be responsible for the processing of personal data. The identity and contact information of the officer shall be publicly disclosed, in a clear and objective manner, preferably on the controller’s website.
The activities of the data protection officer consist of:
- Accepting complaints and communications from data subjects, providing clarifications and adopting measures;
- Receiving communications from the National Authority and adopting measures;
- Guiding employees and contractors on the practices to be followed in relation to the protection of personal data;
- Performing other duties determined by the controller or established in complementary rules.
In addition, the National Authority may establish complementary rules about the definition and attributions of the data protection officer, including cases of waiving the need of a data protection officer, according to the nature and size of the entity or the volume of data processing operations.
-
Do the laws in your jurisdiction require businesses to provide notice to individuals of their processing activities? If so, please describe these notice requirements (e.g. posting an online privacy notice).
Yes. The data subject has the right to easy access to information about the processing of his/her data, which shall be provided in a clear, adequate and conspicuous manner and shall cover, among other aspects provided for in regulations in compliance with the principle of free access:
- The specific purpose of processing;
- Form and duration of the processing, observing business and industrial secrets;
- Data controller identification;
- Information about the shared use of data by the controller and for which purpose;
- Responsibilities of the agents that will carry out the processing;
- Rights of the data subject, explicitly mentioning the rights provided in the LGPD.
If there is a change in the specific purposes of the processing, in the type or duration of the processing, in the identification of the controller or in the information regarding the shared use of data, the controller shall inform the data subject, specifically highlighting the content of the changes. Where the legal basis for the processing is consent, whenever the purposes of the processing change in a way that is not compatible with the original consent, the controller shall inform the data subject of the change of purpose in advance, and the data subject may revoke the consent if he/she disagrees with the changes.
Also, if the processing of personal data is a condition for the supply of a product or service or for the exercise of a right, the data subject shall be informed of this fact and of the means by which the rights set forth in the LGPD may be exercised.
-
Do the laws in your jurisdiction draw any distinction between the owners/controllers and the processors of personal data and, if so, what are they? (E.g. are obligations placed on processors by operation of law, or do they typically only apply through flow-down contractual requirements from the owners/controller?)
The LGPD refers to controllers and processors collectively as “processing agents” and distinguishes between the two concepts. A data controller is a natural person or legal entity of public or private law that has the competence to make decisions regarding the processing of personal data, while a data processor is a natural person or legal entity of public or private law that processes personal data on behalf of the controller.
Furthermore, the LGPD provides that the processor shall carry out the processing according to the instructions given by the controller, and the controller shall verify that its instructions and the rules governing the subject are followed.
The Brazilian Data Protection Act also sets out the liability of processing agents: a controller or processor who, as a result of carrying out personal data processing activities, causes material, moral, individual or collective damage to others, in violation of the personal data protection legislation, is obliged to redress it.
The data processor is jointly liable for damages caused by the processing if it fails to comply with the obligations of the data protection legislation or fails to follow the lawful instructions of the controller, in which case the processor is treated in the same way as the controller, except if it proves that:
- They did not carry out the processing of personal data that is attributed to them;
- Although they carried out the personal data processing attributed to them, there was no violation of the data protection law;
- The damage results from the exclusive fault of the data subject or any third party.
Finally, a controller or processor that neglects to adopt the information security measures provided for in the law shall be held liable for the damages caused by the resulting violation of data security, such as data breaches.
-
Do the laws in your jurisdiction require minimum contract terms with processors of personal data or PII or are there any other restrictions relating to the appointment of processors (e.g. due diligence or privacy and security assessments)?
There is no legal provision requiring minimum contract terms or other restrictions related to hiring service providers. Companies shall negotiate contract limits and restrictions between themselves. Nonetheless, the LGPD provides general guidelines related to security issues for data processors and data controllers and establishes that this matter can be further regulated by the national authority.
According to the LGPD, controllers and processors may formulate rules of good practice and governance that set forth, among other things, the conditions of organization, procedures, complaints and petitions for data subjects, technical standards, and specific obligations for the parties involved.
Also, when creating and implementing such good practice and data governance rules, the controller and the processor should take into account the nature, scope and purpose of the processing, the probability and seriousness of the risks, and the benefits that will result from processing the data subject’s data.
-
Please describe any restrictions on monitoring or profiling in your jurisdiction including the use of tracking technologies such as cookies. How are these terms defined and what restrictions are imposed, if any?
There is no definition of, or specific regulation for, tracking technologies such as ‘cookies’ in Brazil. However, if the information gathered by tracking technologies can identify a natural person, it falls within the scope of the data protection laws.
-
Please describe any laws in your jurisdiction addressing email communication or direct marketing. How are these terms defined and what restrictions are imposed, if any?
Although there is no legal rule concerning spam, the Internet Steering Committee (CGI.br) provides guidelines of good practice to avoid spam:
- Send e-mails only to customers who have opted in to the mailing list;
- Do not use third-party mailing lists, or buy them from mailing list sellers;
- Do not reuse mailing lists, i.e. do not send e-mails to customers registered on mailing lists for another service, even if they belong to the same company;
- Respect the options customers have given on registration forms, in writing or online;
- Respect a consumer’s option to be unsubscribed from the mailing list;
- Do not make the first contact with customers by e-mail, i.e. sending a first e-mail without prior authorization characterizes the practice of spam.
Additionally, Brazil has a Self-Regulation Code for E-mail Marketing Practice signed by representative entities of marketing companies, internet service providers and consumers, which permits soft opt-in only if there is evidence of a previous commercial relationship between the sender and the recipient. In that case, express consent is not required, but an “opt-out” option must be provided. The sender must publish its opt-out policy and inform the deadline for removal of the recipient’s e-mail address from the database, which must occur within two business days if requested through the “unsubscribe link” or within five business days if requested by other means. Also, the Brazilian Advertising Self-Regulatory Council makes clear that advertisements on the Internet are subject to the same policy adopted for ‘conventional’ advertisements.
Lastly, it bears mentioning that Law No. 13,226/2008, enacted by the State of São Paulo, creates a registration list for blocking telemarketing calls, with the purpose of preventing companies from making marketing calls not authorized by the consumer.
-
Please describe any laws in your jurisdiction addressing biometrics, such as facial recognition. How are these terms defined and what restrictions are imposed, if any?
The Brazilian Data Protection Act classifies biometric data as a sensitive category of personal data. Under the law, the following are considered sensitive data: racial or ethnic origin, religious beliefs, political opinions, membership of a trade union or of a religious, philosophical or political organization, data concerning health or sexual life, and genetic or biometric data, when related to a natural person.
The processing of biometric data shall observe the specific list of legal bases and the other provisions applicable to sensitive data, because of the high risk involved in processing this category of personal data.
There is no specific law about facial recognition in Brazil, but Bill No. 4612 of 2019 intends to regulate the development, application and use of facial and emotional recognition technologies, as well as other digital technologies aimed at identifying individuals and predicting or analyzing behavior. This Bill is still proceeding in the House of Representatives and, if approved, has the potential to complement the provisions on biometric data in Brazilian legislation, in particular the LGPD.
-
Is the transfer of personal data or PII outside the jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (e.g., does cross-border transfer of personal data or PII require notification to or authorization form a regulator?)
LGPD regulates transfer of data outside jurisdiction. International transfer of personal data is only allowed in the following cases:
-
- To countries or international organizations that provide a level of protection of personal data that is adequate to the provisions of the LGPD;
- When the controller offers and proves guarantee of compliance with the principles, rights of the data subject and the regime of data protection established in the LGPD, in the form of:
a) Specific contractual clauses for a given transfer;
b) Standard contractual clauses;
c) Global corporate rules;
d) Regularly issued stamps, certificates and codes of conduct;-
- When the transfer is necessary for international legal cooperation between public intelligence and investigation bodies, in accordance with instruments of international law;
- When the transfer is necessary for the protection of the data subject’s or a third party’s life or physical safety;
- When the national authority (ANPD) authorizes the transfer;
- When the transfer is the result of a commitment assumed in an international cooperation agreement;
- When the transfer is necessary for the execution of a public policy or legal attribution of a public service;
- When the data subject has provided specific and highlighted consent for international data transfer, with prior information about the international nature of the operation, with this information being clearly distinct from other purposes;
- When necessary for compliance with a legal or regulatory obligation by the controller; for the performance of a contract or preliminary procedures related to a contract to which the data subject is a party, at the request of the data subject; or for the regular exercise of rights in judicial, administrative or arbitral procedures.
Considering that the LGPD is not yet in force, companies are still adapting to its provisions and there is no common standard among businesses. Also, the ANPD is not yet operating, which makes some of the mechanisms the law provides harder to use in practice, such as the standard contractual clauses, which are to be issued by the national authority.
-
What security obligations are imposed on personal data or PII owners/controllers and on processors, if any, in your jurisdiction?
The LGPD establishes that processing agents shall adopt security, technical and administrative measures able to protect personal data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication or any type of improper or unlawful processing.
The National Authority may establish minimum technical standards to make the provisions above applicable, taking into account the nature of the processed information, the specific characteristics of the processing and the current state of technology, especially in the case of sensitive personal data, as well as the data protection principles.
Controllers and processors shall ensure the security of the information as provided for in the LGPD, even after the processing has ended. Besides, the software or systems used for processing personal data shall be structured so as to comply with the security requirements, standards of good practice and governance, general data protection principles and other sectorial regulatory rules.
Also, the Internet Law provides security requirements for internet service providers, and Decree 8.771/2016 sets out the security standards for handling personal data and private communications, as follows:
- Definition of responsibilities and of authentication mechanisms, so as to ensure the individualization of the persons who will have access to and handle the data, as well as detailed access logs;
- Creation of a detailed inventory of accesses to connection records and to application access records, containing the time and duration of the access, the identity of the designated employee or individual responsible for the access within the company, and the accessed file; and
- Management of records through techniques that ensure the inviolability of the data, such as encryption or equivalent protection measures. The safeguarding and availability of connection logs and access records, as well as of personal data and the content of private communications, must meet security requirements that preserve the intimacy, privacy and image of the parties directly or indirectly involved.
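The three Decree 8.771/2016 standards above (individualized identity, a detailed access inventory with time, duration, employee and file, and a technique that makes the records inviolable) can be met with one small piece of logging infrastructure. The code below is an added illustration, not code from the original page or from any Brazilian authority: each inventory entry is authenticated with an HMAC keyed by a secret the provider controls, and each entry's MAC covers the MAC of the previous entry, so editing a field, deleting an entry or reordering entries is detectable. The employee IDs, file names and timestamps are constructed sample data, and the hard-coded key exists only so the example runs offline; in production the key would live in an HSM or secrets manager and the inventory would be written to append-only storage.

```python
"""Tamper-evident access inventory (added example, not from the original page)."""
import hashlib
import hmac
import json

# Demo-only key so the example runs stand-alone; in a real deployment the key is
# held in an HSM or secrets manager and never checked into source.
DEMO_KEY = b"demo-only-key-do-not-use-in-production"


def _mac(key: bytes, fields: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the entry fields."""
    canon = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


class AccessInventory:
    """Append-only inventory of accesses to connection/application records.

    Every entry carries the fields the Decree requires (time, duration, the
    individualized employee identity and the accessed file) plus a chain link
    (prev_tag) and a MAC (tag) that covers all of them.
    """

    GENESIS = "0" * 64  # chain link of the very first entry

    def __init__(self, key: bytes):
        self._key = key
        self.entries: list[dict] = []

    def record(self, employee_id: str, accessed_file: str,
               accessed_at: str, duration_s: int) -> dict:
        prev = self.entries[-1]["tag"] if self.entries else self.GENESIS
        body = {
            "accessed_at": accessed_at,      # ISO-8601 UTC timestamp
            "duration_s": duration_s,        # how long the record was open
            "employee_id": employee_id,      # individualized identity
            "accessed_file": accessed_file,  # which log was opened
            "prev_tag": prev,                # link to the previous entry
        }
        entry = dict(body, tag=_mac(self._key, body))
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple[bool, int]:
        """Walk the chain; return (True, -1) or (False, index of first bad entry)."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "tag"}
            expected = _mac(self._key, body)
            if body["prev_tag"] != prev or not hmac.compare_digest(expected, entry["tag"]):
                return False, i
            prev = entry["tag"]
        return True, -1


def build_demo_inventory() -> AccessInventory:
    """Three constructed accesses by two (fictional) employees."""
    inv = AccessInventory(DEMO_KEY)
    inv.record("emp-0421", "conn-logs/2020-05-11.log", "2020-05-12T09:14:03Z", 240)
    inv.record("emp-0077", "app-access/2020-05-11.log", "2020-05-12T10:02:51Z", 95)
    inv.record("emp-0421", "conn-logs/2020-05-12.log", "2020-05-13T08:30:00Z", 310)
    return inv


def tamper_field_demo() -> tuple[bool, int]:
    """An insider rewrites who performed the second access; the MAC no longer matches."""
    inv = build_demo_inventory()
    inv.entries[1]["employee_id"] = "emp-9999"
    return inv.verify()


def delete_entry_demo() -> tuple[bool, int]:
    """The second access is removed; the third entry's chain link no longer matches."""
    inv = build_demo_inventory()
    del inv.entries[1]
    return inv.verify()


if __name__ == "__main__":
    print("intact:", build_demo_inventory().verify())
    print("field edited:", tamper_field_demo())
    print("entry deleted:", delete_entry_demo())
```

Because the key is needed to compute a valid tag, an attacker who can write to the inventory but does not hold the key cannot forge or re-chain entries; a plain hash chain without a key would only protect against accidental corruption. Who holds the key and where the inventory is stored is therefore the decision that determines whether "inviolability" in the Decree's sense is actually achieved.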
Moreover, the Brazilian Central Bank issued Resolution 4.658/2018, which provides a cyber-security policy and the requirements for contracting services of data processing, data storage and cloud computing to be observed by financial institutions and other institutions licensed by the Brazilian Central Bank.
-
Do the laws in your jurisdiction address security breaches and, if so, how does the law define “security breach”?
Although the LGPD does not provide a definition of “security breach”, it addresses the issue.
Generally, any security incident that may result in any relevant risk or damage to the data subjects may be considered a “security breach” and the data controller must communicate to the National Authority and the data subject about it, within a reasonable period.
-
Does your jurisdiction impose specific security requirements on certain sectors or industries (e.g. telecoms, infrastructure)?
There are several sectorial laws and regulations concerning security requirements for specific regulated sectors and industries, such as, but not limited to:
- The Brazilian Civil Rights Framework (Law 12.965/2014, the “Internet Law”), which provides security requirements for internet service providers, and the Decree 8.771/2016, that provides security standards for handling personal data and private communications for internet service providers;
- Decree 9.637/2018, which institutes the National Information Security Policy and provides for information security governance, and Normative Ruling 4/2020 of the Institutional Security Office, which sets out the minimum cyber security requirements to be adopted when establishing 5G networks;
- Decree 9.573/2018, which approves the National Critical Infrastructure Security Policy, and the Decree 10.222/2020, which approves the National Strategy of Cyber Security;
- Complementary Law 105/01, which provides for the secrecy of operations in financial institutions; Resolution 3.380/06 of the Central Bank of Brazil (BACEN), which provides for the implementation of an operational risk management structure in financial institutions; and Resolution 4.658/2018 of BACEN, which provides for the cyber security policy and the requirements for contracting data processing, data storage and cloud computing services to be observed by financial institutions and other institutions authorized to operate by BACEN;
- Ordinance 271/2017, which provides the Information Security and Communications Policy of the Ministry of Health (POSIC/MS), and Ordinance 1.966/18, which defines information and communication security standards within the Ministry of Health;
- Provisional Measure No. 2.200-2/01, which establishes the Brazilian Public Key Infrastructure – ICP-Brazil, to ensure the authenticity, integrity and legal validity of documents in electronic form, support applications and qualified applications that use digital certificates, as well as secure electronic transactions;
- Circulars 249/04 and 285/05 of the Superintendence of Private Insurance (SUSEP), which determine internal controls over the activities and information systems of insurance companies, capitalization companies and open pension entities and establish information security policy requirements, as well as SUSEP Circular 599/2020, which establishes that an entity applying for accreditation to register insurance, open supplementary pension, capitalization and reinsurance operations must present an executive summary of its data secrecy and cyber security policies and a declaration that these policies comply with the legislation and regulations in force;
- Resolution 656/15 of the National Telecommunications Agency (Anatel), which establishes standards on Risk Management of Telecommunications Networks and Use of Telecommunications Services in Disasters, Emergency Situations and Public Disaster;
- NBR ISO/IEC 27001 and 27002 approved in 2013 by the Brazilian Association of Technical Standards (ABNT), which provide on security techniques, information security management systems and Code of practice for information security management.
Anatel also has the Public Inquiry No. 13 in progress, which deals with minimum cyber security requirements for terminal equipment that connects to the internet and for infrastructure equipment of telecommunication networks.
-
Under what circumstances must a business report security breaches to regulators, to individuals, or to other persons or entities? If breach notification is not required by law, is it recommended by the regulator and what is the typical custom or practice in your jurisdiction?
Until the LGPD becomes effective, Brazil does not have a specific provision that requires notification to the regulator or to individuals in the case of security breaches, nor an authority for personal data protection. When the LGPD becomes effective, the communication shall be made within a reasonable time, as defined by the ANPD.
The Computer Emergency Response Team Brazil (CERT.br) presents some recommendations for the notification of security incidents, giving guidance about what to notify, who to notify, formats for the notification, among other instructions.
Although data breach notification is currently only recommended (not legally enforceable), it is assumed and expected that any security breach that may harm the privacy, the private life or the rights of those whose data are being collected will be communicated to the affected individuals, so that they may take action to protect their personal data or information; such communication does not extinguish the provider's liability for any damages arising from the breach.
Additionally, the Special Unit for Data Protection and Artificial Intelligence (ESPEC), linked to the Federal Public Prosecutor's Office, recommends that companies notify data breaches. For this purpose, ESPEC provides a webpage where companies can report security incidents and breaches of personal data.
-
Does your jurisdiction have any specific legal requirement or guidance regarding dealing with cyber-crime, such as the payment of ransoms in ransomware attacks?
Brazil does not have a single statute on how to deal with cybercrime; instead, it has sectorial laws on various subjects.
In this regard, Law 12,737/12 amended the Brazilian Criminal Code (Decree-Law 2,848/1940) to define computer-related crimes, such as unauthorized intrusion into a computing device.
In the same way, Law 12,735/12 determined the installation of police stations and specialized teams to combat digital crimes. In conjunction with the police stations specialized in cybercrime, there are non-governmental institutions that work in partnership with the Government and the Public Prosecutor’s Office to combat cybercrime, such as SaferNet Brazil, which offers a service for receiving anonymous reports of crimes and violations against Human Rights on the Internet.
Other normative instruments can be named, such as Law 11,829/08, which establishes the crime of child pornography on the Internet, and Law 13,185/15, which establishes a mandatory program to fight cyberbullying.
Also, the Bill 154/2019, which amends the Brazilian Criminal Code to establish a generic aggravating factor for cybercrimes, due to the extended range of the practice, is being discussed in the House of Representatives.
The payment of ransoms in ransomware attacks, as well as other cybercrimes related to money laundering, financial pyramids and cryptocurrencies, among others, may be addressed by the Judiciary under the offences provided for in the Brazilian Criminal Code or in specific regulation. These statutes do not expressly address a response to cybercrime, but they can be used to deal with these violations.
-
Does your jurisdiction have a separate cybersecurity regulator? If so, please provide details.
Brazil does not have a separate cybersecurity regulator. In this regard, cybersecurity challenges might be dealt with by public authorities, such as the Public Prosecutor’s Office, or by the Judiciary, when the demand is brought to its attention, with the help of independent agencies or entities, such as Computer Security Incident Response Teams (CSIRTs). In cases of incidents of cybersecurity involving the Brazilian Public Administration, for example, the Computer Network Security Incident Treatment Center of the Federal Public Administration (CTIR) should be contacted.
-
Do the laws in your jurisdiction provide individual data privacy rights, such as the right to access and the right to deletion? If so, please provide a general description of the rights, how they are exercised, what exceptions exist and any other relevant details.
The LGPD sets forth that every natural person is ensured ownership of his/her personal data and the guarantee of the fundamental rights to freedom, intimacy and privacy. It also establishes that data subjects have the right to obtain from the controller, at any time and upon request:
- Confirmation of the existence of the processing;
- Access to the data;
- Correction of incomplete, inaccurate or outdated data;
- Anonymization, blocking or erasure of unnecessary or excessive data or data processed in noncompliance with the provisions of the LGPD;
- Portability of the data to another service or product provider, upon express request, in accordance with the regulations of the national authority and observing commercial and industrial secrets;
- Deletion of the personal data processed with the consent of the data subject, except in cases of:
1. Compliance with a legal or regulatory obligation by the controller;
2. Conduction of studies by a research entity, ensuring, whenever possible, the anonymization of the personal data;
3. Transfer to third parties, provided that all legal requirements set forth in the LGPD are complied with;
4. Exclusive use by the controller, with access by third parties forbidden, provided the data have been anonymized;
- Information about the public and private entities with which the controller has shared data;
- Information about the possibility of denying consent and the consequences of the denial;
- Revocation of consent;
- Opposition to processing carried out based on one of the situations of waiver of consent, if there is noncompliance with the provisions of LGPD;
- Review of decisions taken by the controller solely on the bases of automated processing of personal data that affects the data subject’s interests, including decisions intended to define his/her personal, professional, consumer or credit profile or aspects of his/her personality.
All the rights aforementioned shall be exercised through the express request by the data subject or his/her legal representative, to the processing agent. This request shall be fulfilled without costs to the data subject, within time periods and under the terms provided for in future regulation.
Data subjects have the right to petition in relation to their data against the controller before the national authority. The defense of the interests and rights of data subjects may be carried out in court, individually or collectively.
The rights of confirmation of existence and access to data will be provided immediately, in a simplified format; or within a period of 15 (fifteen) days as from the date of the data subject’s request, by means of a clear and complete declaration that indicates the origin of the data, the nonexistence of record, the criteria used and the purpose of the processing, subject to commercial and industrial secrecy.
Information and data may be provided by electronic means or in printed form. Also, when the processing is based on consent or in a contract, the data subject may request a complete electronic copy of its personal data, observing commercial and industrial secrecy, in a format that allows its subsequent utilization, including for other processing operations.
In addition, the Consumer Code sets forth that individuals have the right to access all data stored about themselves in consumer-related databases, and request changes, corrections and even removal from the database. This right to access might also be exercised before consumer-defense entities.
Finally, according to the Internet Law, users have the right to request at the end of their contract with internet application providers the definitive exclusion of personal data, respecting the mandatory log retention rule.
-
Are individual data privacy rights exercisable through the judicial system or enforced by a regulator or both?
The Federal Constitution establishes that the law shall not exclude from the Judiciary’s assessment injury or threat to rights; therefore, the defense of the interests and rights of data subjects may be exercised in court, individually or collectively, in accordance with the provisions of the relevant legislation, regarding the instruments of individual and collective protection.
In addition to this guarantee, LGPD stipulates that data subjects have the right to petition in relation to their data against the controller before ANPD. The right to access might also be exercised before consumer-defense entities.
-
Does the law in your jurisdiction provide for a private right of action and, if so, in what circumstances?
According to the Federal Constitution, any individual can file a judicial action pursuing compensation for economic and moral damages for violation of privacy or intimacy.
Furthermore, the Brazilian Code of Civil Procedure determines that the exercise of the right of action depends on interest and legitimacy of the claimant.
Additionally, the Federal Constitution assures Brazilians and foreign nationals the right to rectify their data, and the Consumer Code provides that individuals have the right to access all data stored about themselves, and request changes.
-
Are individuals entitled to monetary damages or compensation if they are affected by breaches of data privacy laws? Is actual damage required or is injury of feelings sufficient?
According to LGPD, the controller or processor which, as a result of carrying out their activity of processing personal data, causes material, moral, individual or collective damage to others, in violation of personal data protection legislation, is obliged to redress it. Also, the controller or the processor who neglects to adopt measures to avoid security incidents shall be held liable for the damages caused by the violation of the data security that caused the damage.
Therefore, individuals affected by breaches of the law are entitled to compensation or monetary damages. Usually actual damage is required and injury of feelings must be proved to justify compensation.
-
How are the laws governing privacy and data protection enforced?
Although the ANPD has already been created by law, it has not yet been staffed, so there is currently no specific active authority in charge of data protection in Brazil. For the time being, and until the ANPD is operational once the LGPD comes into force, law enforcement authorities such as the Public Prosecutor's Office, consumer protection authorities and specific regulatory agencies will enforce privacy and data protection violations.
However, even though the LGPD has not yet come into force, it is important to note that, over the last couple of years, the Special Unit for Data Protection and Artificial Intelligence (ESPEC) and the National Consumer Bureau (SENACON) have opened several cases and investigations against companies that suffered security incidents and data breaches in Brazil, or that processed personal data and sensitive personal data in ways potentially or effectively harmful to data subjects.
-
What is the range of fines and penalties for violation of these laws?
The LGPD provides that the ANPD will impose administrative sanctions on processing agents for breaches of the rules, namely:
- Warning, with an indication of the time period for the adoption of corrective measures;
- A simple fine of up to 2% (two percent) of a private legal entity, group or conglomerate’s revenues in Brazil, for the prior financial year, excluding taxes, up to a total maximum of BRL 50,000,000.00 (fifty million reais) per infraction;
- A daily fine, observing the total limit referred above;
- Publication of the infraction after duly ascertained and confirmed its occurrence;
- Blocking of the personal data to which the infraction refers until its regularization;
- Deletion of the personal data to which the infraction refers;
- Partial suspension of the operation of the database to which the violation refers for a maximum period of 6 (six) months, extendable for the same period, until the controller regularizes the processing activity;
- Suspension of the processing activity of the personal data to which the infraction refers for a maximum period of 6 (six) months, extendable for the same period;
- Partial or total prohibition of the exercise of activities related to data processing.
Also, the Internet Law states that, without prejudice to any other civil, criminal or administrative sanction, the non-compliance with data protection rules can result in the following sanctions that may be applied on an individual or cumulative basis:
- A warning, with a deadline for the adoption of corrective measures;
- A fine up to 10% of the gross income of the economic group in Brazil in the last fiscal year, taxes excluded;
- Temporary suspension of the activities that involve the processing of data covered by the Internet Law; and
- Prohibition to execute activities that entail processing of data.
The Consumer Code provides a penalty of six months to one year of imprisonment, or a fine, or both, for those who block or hinder a consumer's access to information about him/her contained in files, databases or records, and for those who know or should know that information relating to the consumer contained in any file, database, record or registration is incorrect and nevertheless fail to rectify it immediately. The same statute sets forth administrative penalties imposed by the authorities in charge of protecting consumer rights, including fines, intervention and counter-advertising.
The Bank Secrecy Law (Complementary Law 105/2001) establishes a penalty of one to four years’ imprisonment and a fine for financial institutions (and similar entities) that breach the secrecy of the financial operations of, and the financial services provided to its users.
The Brazilian Criminal Code (Decree-Law 2.848/1940), as amended by Law 12.737/2012, sets forth the penalty of three months to one-year imprisonment and fine to those who invade another computer device connected or not to the internet through improper breach of security mechanism and for the purpose of obtaining, tampering or destroying data or information without the explicit or tacit authorization of the device owner or installing vulnerabilities to gain any illicit advantage.
-
Can personal data or PII owners/controller appeal to the courts against orders of the regulators?
There is no express provision on this possibility in the LGPD or in any other Brazilian legislation on data protection. However, since the Federal Constitution establishes that the law may not exclude injury or threat to rights from the Judiciary's assessment, controllers (as well as data subjects) could challenge orders of the ANPD in court, provided that the claimant proves his/her right of action (interest and legitimacy).
Brazil: Data Protection & Cyber Security
This country-specific Q&A provides an overview of Data Protection & Cyber Security laws and regulations applicable in Brazil.