Key statutes, regulations and adopted international standards
The Brazilian Constitution protects the private life of the individual as a fundamental right. Until recently this was given effect only by sectoral regulation of privacy, data protection and cybersecurity matters. In August 2018, Congress passed the General Data Protection Law (LGPD, Law No. 13,709/2018), which replaces that sectoral regime with a general one and will become effective on 16 August 2020.
The LGPD is modelled on the EU General Data Protection Regulation (GDPR) and regulates the processing of personal data in Brazil. It applies to processing carried out by individuals and legal entities, public or private, regardless of where they are established, where the data is located or the means of processing used, provided that at least one of the following connecting factors is present: the processing is carried out in Brazil; the processing aims to offer goods or services to, or to process the data of, individuals located in Brazil; or the personal data was collected in Brazil. Any one of these factors is sufficient. The LGPD does not apply to processing carried out by an individual for exclusively private and non-economic purposes; exclusively for journalistic, artistic or academic purposes; for public security or national defence purposes; or for the purposes of criminal investigations and prosecutions. Personal data originating from, or destined for, another country that merely transits through Brazil without any further processing operation being carried out here is also outside the LGPD's scope.
On 29 May 2019, the Brazilian Congress approved Conversion Bill No. 7/2019, converting Presidential Provisional Measure No. 869/2018 (PM 869) into law (Law No. 13,853/2019). The conversion created the National Data Protection Authority (ANPD) and amended certain provisions of the LGPD.
To the extent not conflicting with LGPD, other sectoral laws on privacy and data protection may continue to apply, including the following statutes:
- the Civil Code (Law No. 10,406/2002), which establishes the principle that privacy is inherent to an individual’s personality;
- the Wiretap Act (Law No. 9,296/1996), which establishes that the interception of communications may take place only under a court order, at the request of the police or the Public Prosecutor's Office, for the purposes of a criminal investigation or prosecution;
- the Consumer Protection Code (Law No. 8,078/1990), which regulates the privacy of consumer relations and databases;
- the Internet Act (Law No. 12,965/2014), which applies only to personal data collected through the internet and under which the sole lawful ground for processing such data is the data subject's free, express and informed consent (the LGPD's requirements for valid consent, and its other lawful grounds for processing, now apply alongside it);
- the Telecommunications Act (Law No. 9,472/1997), granting consumers the right to privacy in relation to telecommunications services;
- the Bank Secrecy Act (Complementary Law No. 105/2001), which obliges financial institutions to keep the financial data of individuals and entities confidential, except where disclosure is required by a judicial order issued for the purposes of criminal proceedings or the investigation of unlawful acts;
- National Monetary Council Resolutions No. 4,480 and No. 4,474, both of 2016, which regulate, respectively, the opening and closing of bank accounts by electronic means and the digitisation of documents, and which set out specific cybersecurity rules;
- National Monetary Council Resolution No. 4,658/2018, which requires financial institutions to implement and maintain a cybersecurity policy and an incident-response and recovery plan, and to observe certain requirements when engaging data processing, data storage and cloud computing service providers;
- the Good Payers Registry Act (Law No. 12,414/2011), which provides that individuals can be included on a good payers registry without their consent, while prohibiting the inclusion of sensitive data and personal data that is not necessary for analysing the credit risk;
- the Medical Ethical Conduct Code (Resolution No. 2,217/18 of Federal Council of Medicine), which protects the confidentiality, subject to limited exceptions, of patients’ information and medical records, and governs the use of computer systems for the handling and retention of such data, authorising the electronic storage of documentation instead of paper; and
- the Information Access Act (Law No. 12,527/11), which governs the use and processing of data by the public administration and establishes rules and procedures by which individuals may request details of the information collected by the public administration.
The Brazilian Data Protection Authority
As mentioned above, the ANPD is an administrative body created to enforce the LGPD. It has technical autonomy, despite being attached to the Office of the President. Beyond enforcing the LGPD, the ANPD is responsible for overseeing data protection generally and for issuing guidance on data protection law. Because the ANPD is not yet operational, it has not enacted any regulations and has not brought any enforcement actions.
The ANPD has specific powers to issue guidelines for compliance with the requirements imposed by LGPD and apply administrative sanctions.
In addition, the ANPD is responsible for:
- examining complaints from data subjects against controllers, once the data subject shows that a complaint was submitted to the controller and was not resolved within the period established in the regulations;
- encouraging the adoption of standards for services and products that facilitate data subjects’ control over and protection of their personal data, considering the specificities of the activities and the size of the controllers;
- promoting actions for cooperation with data protection authorities from other countries;
- issuing rules and proceedings on the protection of personal data and privacy, as well as on data protection impact reports for cases in which the processing represents a high risk to the guarantee of the general principles of protection of personal data;
- conducting audits, within the scope of the inspection activity, on the processing of personal data by processing agents;
- entering into, at any time, a commitment with processing agents to eliminate irregularity, legal uncertainty or litigation;
- issuing simplified and differentiated rules, guidelines and procedures, including different deadlines, so that small enterprises, as well as disruptive business initiatives, start-ups or innovation companies, may adapt to LGPD; and
- communicating any relevant criminal violations it becomes aware of to the competent public authorities.
The LGPD gives the ANPD exclusive jurisdiction to interpret and enforce the law. It also provides that the ANPD may coordinate with other government bodies on data protection matters, but that the ANPD remains the central authority for interpreting the LGPD.
The purpose of concentrating interpretation and enforcement in the ANPD is to keep decisions on the subject consistent and to prevent other government authorities from issuing their own, potentially conflicting, LGPD-based decisions.
The effect of local laws on foreign businesses
Any foreign business that carries out processing activity in Brazilian territory is subject to the LGPD, even if its headquarters or data centres are located outside Brazil.
Core principles on personal data
Data subjects’ rights
Data subjects obtained new rights under the LGPD, including the right to obtain from the controller, at any time and upon request:
- confirmation that their data is being processed and access to that data, provided either immediately in a simplified format or, by way of a clear and complete statement, within 15 days of the data subject's request;
- rectification of incomplete, inaccurate or outdated data;
- anonymisation, blocking or elimination of data that is unnecessary, excessive or processed in violation of the LGPD;
- data portability, observing commercial and industrial secrecy, subject to the ANPD regulations;
- information regarding public and private legal entities with whom the controller has shared the data subject’s data; and
- withdrawal of consent and deletion of data processed under the data subject’s consent, except when retention is authorised by the LGPD.
Moreover, where a decision affecting the data subject is taken solely on the basis of automated processing, the data subject has the right to request a review of that decision. Following the 2019 amendments, the review may be carried out by automated means and need not be performed by a natural person.
Data processing principles
LGPD contemplates the following principles for processing personal data:
- Purpose: processing may take place for legitimate, specific and explicit purposes that the data subject is informed of, without the possibility of further processing in a manner that is incompatible with those purposes.
- Adequacy: processing must be compatible with the purposes that the data subject was informed of, according to the context of the processing.
- Necessity: processing must be limited to the minimum amount necessary for fulfilling its purposes, using pertinent, proportional and non-excessive data.
- Freedom of access: data subjects may access their data without charge.
- Data quality: data shall be accurate, clear, relevant and up to date.
- Transparency: the data subject shall receive clear, accurate and easily accessible information regarding the processing and the respective processing agents.
- Security: processing agents shall use technical and administrative measures suitable to protect personal data from unauthorised access, accidental or illicit destruction, loss, change, communication or dissemination.
- Prevention: processing agents shall adopt measures to prevent damages to the data subjects.
- Non-discrimination: processing data for unlawful or abusive discriminatory purposes is not permitted.
- Liability and accountability: processing agents (controllers and operators) must be able to demonstrate that effective measures for ensuring compliance with data protection rules have been adopted.
Lawful grounds for data processing
The LGPD contemplates the following grounds for data processing activities carried out by a private enterprise:
- the data subject's consent;
- compliance with legal or regulatory obligations;
- the performance of a contract or preliminary procedures relating to a contract;
- the exercise of rights in court, administrative or arbitration proceedings;
- the protection of life or the physical safety of the data subject or third party;
- the protection of health, exclusively in procedures performed by healthcare professionals, health services or sanitary authorities;
- legitimate interest; or
- the protection of credit.
In addition to the above, the LGPD provides two further lawful grounds: studies carried out by research bodies (which must anonymise the data wherever possible), and processing by the public administration for the implementation of public policies and administrative agreements.
The ANPD may enact additional regulation and guidance on the scope of each lawful ground, including, without limitation, the balancing test for controllers to invoke legitimate interest as a lawful ground for data processing.
The LGPD also allows the ANPD to request a data protection impact report from the controller whenever the processing is based on the controller's legitimate interest.
The role of the data protection officer
Controllers must appoint a data protection officer (DPO) to act as a communication liaison between the controller, data subjects and the ANPD.
The DPO's duties are to receive complaints and communications from data subjects, provide clarifications and adopt measures in response; to receive communications from the ANPD and adopt the measures required; to advise the company's employees and contractors on their obligations concerning personal data; and to perform any other duties determined by the controller or established in complementary rules.
The DPO may be either a natural person or a legal entity. The LGPD does not specify minimum qualifications for the role, nor the situations in which the appointment may be waived; it leaves to the ANPD the power to issue rules waiving the appointment requirement according to the nature and size of the controller or the volume of its data processing operations.
Data protection breaches
Controllers and operators are required by the LGPD to adopt technical and organisational security measures proportionate to the risk posed by the processing, so as to protect personal data against unauthorised access and against accidental or unlawful destruction, loss, alteration, communication or dissemination.
If a security incident occurs, the controller must notify the ANPD and the affected data subjects within a reasonable period of any incident that may cause relevant risk or damage to data subjects. Notification is not required only where the incident does not pose such a risk to the rights and freedoms of the data subjects and the affected data was encrypted or pseudonymised. In practice that assessment turns on whether the encryption keys or the pseudonymisation mapping remained out of the attacker's reach: data whose key was exposed in the same incident offers no such protection.
Once notified, the ANPD will assess the nature and severity of the breach, its immediate consequences, the number of data subjects affected, the jurisdictions impacted and other effects. If it is considered necessary, the ANPD will request that the controller takes supplementary procedures to reverse or mitigate the incident and make widespread disclosure of the incident in the media.
Controllers and operators are jointly and severally liable for the security incidents they cause and are subject to administrative sanctions ranging from a warning to fines of up to 2 per cent of the legal entity's, group's or conglomerate's gross revenues in Brazil in its last financial year, capped at 50 million reais per infraction. In addition, data subjects may claim damages from the controller or operator.
Brazil has the following surveillance laws, which also bear on access to, and retention of, personally identifiable information.
The interception of communications in Brazil is regulated by Law No. 9,296/96, which allows interception in computer and telematic systems for criminal investigation purposes, subject to judicial authorisation.
The Internet Act (Law No. 12,965/14) requires internet connection providers to retain users' connection records for one year and internet application providers to retain access records for six months. In all cases, disclosure of these records to the authorities requires prior judicial authorisation.
Law No. 12,850/13, which deals with organised crime, also requires fixed and mobile telephone operators to keep the identification records of the originating and destination numbers of international, long-distance and local calls available to law enforcement and public prosecutors for five years.
Similarly, Resolutions No. 426/05 and No. 477/07 of Anatel, the National Telecommunications Agency, require telephone service providers to keep all data relating to the provision of the service for a minimum of five years.
Access to registration data
In money laundering investigations (Law No. 9,613/98) and organised crime investigations (Law No. 12,850/13), law enforcement authorities and public prosecutors may obtain the registration data of the persons under investigation without judicial authorisation.
The Internet Act likewise allows competent administrative authorities to obtain registration data held by internet connection providers without a court order.
In February 2019, the Minister of Justice proposed the Anti-Crime Bill to modify more than 14 criminal laws and toughen measures to fight corruption and organised crime. Among the various articles that will be amended by the bill are article 9 of the Law of Criminal Executions, which provides that ‘those convicted of willful offences, involving severe violence against an individual or heinous crimes shall be subject to genetic profile identification by DNA extraction’ and article 7 of Law 12,037/2009, which provides for the storage time of such information in a confidential database managed by the government.
If the proposal is approved, all persons convicted of wilful crimes, even before a final judgment, will be subject to compulsory DNA collection, and the collected genetic profile will be stored for 20 years from the execution of the court decision.
In December 2017, an e-commerce website suffered an information security incident that exposed the personal data of approximately 2 million customers, including names, dates of birth, addresses, social security numbers and order information. The Special Unit for the Protection of Personal Data and Artificial Intelligence (ESPEC) opened a civil investigation into the incident and the extent of the damage.
To avoid a public civil action being filed, the company agreed to pay 500,000 reais in compensation for collective moral damages. The agreement also required the company to implement security measures, including website risk and vulnerability management, LGPD compliance actions, an updated cybersecurity policy and guidance to consumers on protecting their personal data.
Failure to comply with these obligations may result in a civil claim for collective moral damages of 10 million reais and for property damage of 85 million reais (5 reais for each person whose personal data was compromised).
In July 2018, an ESPEC investigation revealed that personal data had been leaked from almost 20,000 account holders of a Brazilian bank, including banking information such as account number, password, address, social security number and telephone number.
The Federal District Prosecutor's Office filed a public civil action seeking an order requiring the bank to pay 10 million reais in collective moral damages for 'not taking the necessary precautions to ensure the security of the personal data of its clients and non-clients'.
To end the lawsuit, the bank entered into an extrajudicial settlement under which the amounts paid will be directed to charities and public agencies that work to fight cybercrime. The terms of the agreement are not available, as the case remains confidential.
Updates and trends
In 2018, the Special Unit for the Protection of Personal Data and Artificial Intelligence (ESPEC) of the Federal District Public Prosecution Service was created. ESPEC is in charge of investigating violations of rights related to privacy and data protection, and prosecutes to enforce collective and diffuse rights.
Despite its recent creation, ESPEC has proven to be one of the most active agencies in pursuing companies for breaches of privacy rights (eg, use of geolocated media, sale of registration lists, processing without the data subject's consent) and for security incidents. Since April 2018, it has opened more than 35 investigations.
Regulation of the Good Payers’ Registry Act
The Law No. 12,414/2011 (the Good Payers Registry Act) established the good payers’ registry, which is a database that collects information related to the financial and payment history of consumers in different types of obligations with financial institutions and service providers.
With effect from 9 July 2019, the Good Payers Registry Act was amended by Complementary Law No. 166/2019 to allow the automatic inclusion of individuals in the good payers' registry without their consent. On 25 July 2019, Presidential Decree No. 9,936/2019 was enacted, regulating important aspects of the Good Payers Registry Act. On 29 July 2019, the National Monetary Council issued Resolution No. 4,737/2019, which established requirements for the registration of individuals.
Despite automatic registration, the individual retains the right to opt out of the good payers' registry. Under Decree No. 9,936/2019, an opt-out request may be made at any time and by electronic means, and the database manager must cancel or suspend consultants' access to the individual's credit score (consultants being those who consult the database) within two business days. The database manager must also forward the request to the other database managers, which must comply within two business days of receiving the communication.
By default, database managers may make available to consultants only the credit score derived from the stored financial information. Before these changes, there was no limit on the types of information that third parties could access. Access to the full payment and financial history is now possible only with the participant's prior and specific consent.
Decree No. 9,936/2019 also establishes security procedures and requires periodic testing by an independent entity. Data breaches and other security incidents involving the good payers' registry must be reported to the ANPD, the Central Bank of Brazil and the National Consumer Secretariat. The communication must be sent within two business days of becoming aware of the breach or incident and must contain:
- information on the data subjects involved;
- a description of the nature of the affected personal data;
- the measures that were or will be adopted to reverse or mitigate the effects;
- the risks related to the incident; and
- an indication of the technical and security measures used to protect the data, including encryption procedures.