Although the protection of personal data has been addressed in the law of Marco Civil of Internet – a civil-rights framework for internet users and providers, sanctioned by President Dilma Rousseff in April 2014 – there is no specific law in Brazil regarding this subject. A draft bill is currently in public consultation until July 5. It includes proposals related to the collection, storage and processing of these data.
Over 100 countries, including in regions like Europe and Latin America nations such as Uruguay, Argentina and Paraguay, already have specific laws on protection of their inhabitants’ data.
Experts recognize the importance of individuals taking control of their personal data. However, the approval of this law may increase costs for Internet companies and other service providers, since this will create more bureaucracy to obtain access to user data.
Nowadays, for someone to have access to a service or participate in a social network, or even buy a product, either in the Internet or out of network, users are often required to fill in registration forms and provide personal data. This data is frequently used to map a behavioral profile of individuals, and is often sold to other companies that have a commercial interest in these customers.
Limits of Existing Legislation
“The ‘Marco Civil of Internet’ law wasn’t devised to cover details on privacy and user data protection. A specific law about this subject will allow Brazil to have uniform rules on data protection on the Internet or out of network,” said Carlos Affonso Souza, professor of Law at UERJ University and director of the Technology and Society Institute (ITS).
One of the points included in the draft bill is the need for prior consent of individuals to collect and use their personal data or any “sensitive data,” which could lead to some kind of discrimination related to sexual, religious or political orientations.
The draft bill also proposes that companies expressly indicate the purpose of such data collection and further inform customers about its destination, for example, whether it might be sold to third parties.
In the case of a user cancelling a service or leaving a social network, the companies must delete their user data from their databases, explained Souza.
Souza questions whether having the written consent of the clients makes sense in the face of technologies such as the Internet of Things and big data analysis. “Today with the use of Internet Protocol version 6, in which electronic devices will communicate with each other, the requirement for users’ authorization to use their personal data can make processes more bureaucratic and, in such cases, would be impossible,” he said.
Such a requirement may increase costs to companies. “Companies will have to inform customers, once this is requested, on what data they maintain stored. They will have to invest in back office departments and increase the level of data storage security in order to avoid information leakage, once they can be legally liable for this,” said Marcio Cots, member of the Legal Board of the Brazilian Association of Commerce (ABComm) and partner at COTS Attorneys.
Companies must also have a person responsible for operations and personal data processing policies as well as for communication with the competent body.
“In the European Directive of Data Protection, for example, the client consent may be exempted when there is an interest in this or by prior agreement,” Souza said. “Of course, it is important to allow individuals to have control over their personal data, but it is necessary to achieve a good balance.”
In the case of anonymous data, where it is impossible to identify the holder, the consent regarding the use of personal data is dispensed with. Souza warns that it is necessary to provide security for the owner of the data so that this same data can’t be identified again. “Currently, with the use of technology, it is possible to identify individual personal information from anonymous data,” he said.
Data Access Rights
Companies that collect publicly accessible personal data from the Internet, in social networks, will also have to obey the law. Even if data is collected in a secondary manner, without the user consent, the user would still have the right to access the data or rectify it. “The data should be used for specific purposes and deleted after that,” explained attorneys Renato Leite Monteiro and Renato Opice Blum of Opice Blum Associate Attorneys.
Another controversial point of the draft bill is the possibility of cancelling, dissociating or blocking personal data that may be considered unnecessary or excessive, when that is requested by the owner of the information. “The question, however, is what could be classified as excessive or unnecessary. The Internet allows us to access knowledge and this can create room for the application of the right to be forgotten, when the holder of data requests the removal of past facts from the Internet, alleging that they have been forgotten by society,” Souza said.
Furthermore, there is also a discussion about the creation of a competent agency that would be responsible for enforcing the law. In Europe, the European Data Protection Supervisor (EDPS) is responsible for supervising the enforcement of the law. But in Brazil there is doubt about the need to create an independent agency and also about who should be its members. “The creation of an autonomous and independent agency to supervise the application of the general law is essential to its effectiveness. Among 100 countries that have general laws, 99 have authorities with these characteristics,” said the attorneys from Opice Blum.
The law on personal data protection not only provides the tools available for citizens to control their personal data, but also aims to boost the digital economy by creating clear rules and a secure legal framework. “Legal certainty is a great incentive for the economy. Companies that use personal data for commercial purposes may continue to do so, as long as they don’t exceed the limits established to prevent abuses and violations of individual rights,” the Monteiro and Blum emphasized.
After the public consultation, the draft bill will be sent to the Brazilian National Congress and the expectation is that it will be voted on before the end of the year. One the law is published, companies and public entities will have 120 days to adapt to the new rules.