Brazil: Privacy

Key statutes, regulations and adopted international standards

The Brazilian Federal Constitution protects privacy rights in articles 5, X and XII,[1] stating that they are fundamental rights of an individual. In May 2020, in a historic judgment about a provisional measure authorising telephone companies to share personal data with the Brazilian Institute of Geography and Statistics, the Brazilian Supreme Court, by a majority, recognised data protection as a fundamental right. This represents an important advance in the privacy and data protection culture in Brazil.

The key statute that regulates the processing of personal data in Brazil is the Brazilian General Data Protection Law (Law No. 13,709/2018) (LGPD), which is the first specific legislation on the subject in Brazil, signed into law on 14 August 2018, and effective as from 18 September 2020. The text follows the worldwide trend of strengthening personal data protection, guaranteeing a series of rights to data subjects, as well as imposing important obligations on processing agents. The purpose of this regulation is to boost economic and technological development in Brazil, providing greater legal certainty to operations involving the processing of personal data. The LGPD replicates key points of the EU General Data Protection Regulation (GDPR), and forces companies to implement substantial changes on how they process personal data.

Similar to the GDPR, the LGPD also provides for the principle of extraterritoriality. It applies not only to companies established in Brazil, but also to entities that process or collect data within Brazilian territory and to companies that aim at offering or supplying goods and services to individuals located in Brazil. The LGPD does not apply, however, when the processing of data is for private or non-economic purposes, or is carried out exclusively for journalistic, artistic and academic purposes; public safety, national defence or state security purposes; or investigating and prosecuting criminal offences. The LGPD also provides for exceptions where the data processing originates outside Brazilian territory and is not subject to any further processing in Brazil, in such a manner that the data is only in transit through Brazil.

Besides the LGPD, other sectoral laws and statutes in Brazil also address privacy and data protection rights:

  • the Civil Code (Law No. 10,406/2002) states that the private life of the natural person is inviolable, as an inherent ‘personality right’;
  • the Internet Act (Law No. 12,965/2014 and Decree No. 8,771/2016) regulates the processing of personal data collected through the internet, especially by internet and connection services providers;
  • the Consumer Protection Code (Law No. 8,078/1990) regulates the privacy and protection of data of consumers, guaranteeing that consumers must have full access to their information (article 43);
  • the Wiretap Act (Law No. 9,296/1996) determines that the interception of communications can only occur when authorised by a court order for purposes of criminal investigation proceedings;
  • the Habeas Data Act (Law No. 9,507/1997) provides for the data subjects’ right to access or to amend personal information maintained in government data bases;
  • the Telecommunications Act (Law No. 9,472/1997) regulates the consumers’ rights to privacy in relation to telecommunications services;
  • the Bank Secrecy Act (Complementary Law No. 105/2001) ensures the confidentiality of financial data, allowing disclosure only upon a judicial order issued for the purposes of conducting or investigating illegal acts;
  • the Information Access Act (Law No. 12,527/2011 and Decree No. 7,724/12) regulates the constitutional right of citizens to access public information and is applicable to the three branches of the union, the states, the federal district and the municipalities;
  • the Good Payers Registry Act (Law No. 12,414/2011) creates a ‘good payers’ registry and provides that personal data may be used and disclosed for credit-risk analysis without the need for consent, in order to create the registry, with the exception of sensitive data or data that is excessive or not compatible with the purpose;
  • Resolution No. 4,685/2018 of the National Monetary Council regulates the need for financial institutions to implement cybersecurity policies and the requirements to be observed by those institutions when contracting data storage services, data processing services or cloud computing services;
  • Resolution No. 4,480/2016 of the National Monetary Council regulates the opening and closing of bank accounts by electronic means;
  • Resolution No. 4,474/2016 of the National Monetary Council regulates the digitalisation of documents; and
  • the Medical Conduct Code (Resolution No. 2,217/2018 of the Federal Council of Medicine) protects the confidentiality of patients’ information and medical records, subject to limited exceptions, and regulates the use of computer systems for the handling and retention of such data, authorising the digitalisation and electronic storage of medical records.

Regulatory bodies responsible for enforcement of data protection rules

The regulatory body responsible for enforcement of data protection rules in Brazil is the National Data Protection Authority (ANPD). The original bill of the LGPD, to guarantee compliance with its rules, provided for the creation of the ANPD as a special agency connected to the Ministry of Justice, which would, among other things, be responsible for: preparing guidelines for the National Personal Data and Privacy Policy; issuing specific standards; supervising compliance; and enforcing penalties for non-compliance with the LGPD. However, the acting President at the time vetoed the creation of the agency, on the grounds that the provisions violated the Federal Constitution. In July 2019, with the sanction of the Provisional Measure (PM) 869/2018,[2] and its consequent conversion into law (Law No. 13,853/2019)[3] the ANPD was finally created.

Among other modifications set forth by the PM No. 869/2018, the most relevant change is that the law established a transitory legal nature for the ANPD. At first, it was created as a body of the direct federal administration associated with the Presidency, but the text provides for the possibility of its transformation within two years by the executive branch into a body of the indirect administration under a special autonomous regime. Nonetheless, the LGPD already ensures the ANPD’s technical and operative autonomy.

The ANPD comprises a board of directors, a National Council for Personal Data and Privacy Protection, an internal affairs office and an ombudsman office. It has powers to apply administrative sanctions and issue guidelines for LGPD compliance. Even though the ANPD has powers to enforce LGPD’s sanctions, other regulatory bodies may enforce privacy-related regulations and different penalties under sectorial laws (eg, the Brazilian consumer defence authorities). Besides those powers, the most relevant responsibilities of the ANPD are:

  • receiving claims from data subjects against controllers after the data subject demonstrates that the complaint submitted to the controller was not solved in the time frame established in the regulation;
  • promoting knowledge about the rules and public policies concerning the protection of personal data and data security measures, as well as studies on national and international practices for the protection of personal data and privacy;
  • encouraging the adoption of standards for services and products that facilitate the control of data subjects regarding their personal data, which should take into account the specificities of the activities and the size of those responsible;
  • promoting cooperation initiatives with data protection authorities of other countries, of international or transnational nature;
  • issuing regulations and proceedings for the protection of personal data and privacy, as well as for data protection impact assessment reports in cases in which the processing represents a high risk to the guarantee of the general principles of personal data protection;
  • performing audits, or determining their occurrence, regarding the processing of personal data carried out by processing agents, including public authorities;
  • entering into agreements with processing agents in order to eliminate irregularities or legal uncertainties in processing operations;
  • enacting rules, guidelines and simplified and special procedures, including deadlines, so that micro enterprises, small businesses and disruptive business initiatives can adapt to the LGPD; and
  • coordinating with public regulatory authorities to exert their authority in specific sectors of economic and governmental activities bound to regulation.

Although the ANPD is not yet operational, in August 2020 the President approved its establishment and organised its internal structures,[4] as will be further explained. Moreover, the board of directors has been nominated and approved.

Effect of local laws on foreign businesses

The LGPD applies to all foreign businesses that offer services or products to Brazil or perform any processing activity in the Brazilian territory, regardless of whether such businesses have headquarters or data processing centres in Brazil.

In addition, the LGPD sets forth specific requirements for international transfers of personal data; among them is the possibility of transferring data when the destination country has comprehensive data protection laws. Once the LGPD is implemented, it is possible that Brazil will be deemed a country with an adequate level of protection by the European Commission, which will facilitate cross-border transfers of personal data to and from Brazil, especially with EU companies.

Personal data and personally identifiable information: core principles

Core principles of the LGPD

The LGPD sets forth 10 principles that must guide all personal data processing:

  • purpose: legitimate, limited, explicit and informed purposes for processing;
  • adequacy: processing must be compatible with the informed purposes;
  • necessity: processing must be done only when necessary, in line with data minimisation;
  • free access: free and integral access of data subjects to the processed data, subject to specific requirements;
  • quality of data: accurate, clear and up-to-date data;
  • transparency: clear and precise information to data subjects;
  • security: effective technical and administrative measures for data safety and security;
  • prevention: adoption of measures to avoid damage to data subjects such as periodic reviews, training, etc;
  • non-discrimination: not processing for any discriminatory purposes; and
  • liability and accountability: evidence of effective measures for compliance with the LGPD.

Types of data

The LGPD defines personal data as ‘information related to an identified or identifiable natural person’, the former meaning direct personal data, which can promptly identify the individual without further information, and the latter meaning the set of information capable of identifying a person within a context. The LGPD governs all uses of personal data, including public data voluntarily made available by the data subject, which, although released from the requirement of obtaining consent, is still subject to the LGPD’s principles and provisions regarding the data subject’s rights.

The LGPD also sets forth the concept of sensitive personal data, which requires more careful processing since it has the power to create or trigger discrimination against the data subject. Under the LGPD, the following information is deemed sensitive personal data:

  • racial or ethnic origin;
  • religious belief;
  • political opinion;
  • membership of a union or organisation of a religious, philosophical or political character;
  • data related to health or sexual life; and
  • generic or biometric data, when linked to a natural person.

The lawful legal bases for processing personal data and sensitive personal data differ. The legal basis for processing non-sensitive personal data is article 7[5] of the LGPD, while the legal basis for processing sensitive personal data is article 11[6] of the LGPD. For sensitive personal data, the LGPD provides for the possibility that the ANPD could prohibit the shared use of data by controllers with the objective of obtaining an economic advantage.[7]

The LGPD also defines ‘anonymised data’ as data that does not contain elements identifying the data subject and pseudonymised data, which has the characteristic of reversibility. Anonymised and pseudonymised data will only be deemed personal and, therefore, subject to the LGPD, when the anonymisation process to which it was submitted is reversed or can be reversed with reasonable efforts.

International transfers of data

The international transfer of personal data is regulated by Chapter V of the LGPD. Companies are allowed to transfer data to another country in the following cases:

  • to countries or international organisations that provide the appropriate level of protection of personal data;
  • where the controller provides and demonstrates guarantees of compliance with the data protection principles and the rights of the data subject;
  • where the transfer is required for international legal cooperation between government intelligence, investigation and police bodies, in accordance with international law;
  • where the transfer is required to protect the life or physical integrity of the data subject or any third party;
  • where the ANPD authorises such transfer – the ANPD is not yet operational, but this is likely to happen soon;
  • where the transfer results in a commitment undertaken under an international cooperation agreement;
  • where the transfer is required for enforcement of a public policy; and
  • where the data subject has provided specific and evident consent for such transfer, with previous information on the international nature of the operation, clearly distinguishing it from any other purposes.

As indicated above, the LGPD provides for the possibility of the data controller guaranteeing compliance with the principles, rights and regime of data protection by the following specific means: specific contractual clauses; standard contractual clauses; global corporate standards; and properly issued certificates and codes of conduct, with the standards and terms for such clauses, certificates and codes of conduct to be eventually approved by the ANPD.


The ANPD may require data controllers to provide a DPIA containing the description of the personal data processing activities that could generate risks to the civil liberties and fundamental rights of data subjects, as well as measures, safeguards, and mechanisms to mitigate those risks. According to paragraph 1º of article 38 of the LGPD, the DPIA must contain a description of the types of data collected; the methodology used for collection and to guarantee the security of the information; and an analysis of the controller in relation to the measures, safeguards and risk mitigation mechanisms adopted.

Data retention

According to the principle of necessity, as established in the LGPD, the processing of personal data should be limited to the minimum necessary for the purposes of data collection and use. Storing data for a period longer than what may be required for the provision of services and by the applicable Brazilian legislation may be considered a violation of the necessity principle and the provisions on the termination of processing provided for in article 15 of the Law. Article 15 establishes that the termination of data processing shall occur when the purpose of the processing has been fulfilled or when data is no longer necessary or pertinent to achieve the specific purpose sought by the processing activity. That means that retaining personal data for undefined periods or obtaining a single consent for using data for multiple processing purposes are not acceptable practices under the LGPD.

Automated processing, profiling and data analytics

Law No. 13,853/2019, which arose from MP 869/2018, changed the original wording of article 20 of the LGPD, which, until then, provided that data subjects could require a natural person to review any automated decisions that affected their interests. Now, the article states that ‘data subjects have the right to require the review of decisions made solely on the basis of automated processing of personal data that affects their interests, including decisions intended to define their personal, professional, consumer or credit profile or aspects of their personality’.

Thus, with the current and final wording, although the data subjects have the right to require the revision of automated decision, it is not a requirement that the review be performed by a natural person rather than by another automated system – or even by the exact same automated process. However, paragraph 1° of Article 20 of the LGPD also provides that ‘whenever requested to do so, the controller shall provide clear and adequate information regarding the criteria and procedures used for an automated decision, subject to commercial and industrial secrecy,’ and the failure to provide such information may trigger an audit by the ANPD to verify whether there is any discrimination in the automated process.

The LGPD does not provide for specific rules or requirements regarding profiling or data analytics; however, it expressly states that data used to form a behavioural profile of a specific identified natural person may be deemed personal data for the purposes of the LGPD.

Communications and marketing

The LGPD does not address communications and marketing specifically. However, it is expected that the ANPD will provide further guidance on various specific situations, including clear directions and requirements for communications and direct marketing. Until then, the prevailing interpretation of the LGPD is that communications that are directly related to a contract or to the provision of services, goods (or both), as well as essential or legally mandatory communications, are considered commercial communications and can be sent regardless of specific consent, either on the legal basis of compliance with legal and regulatory obligations, or on the basis of a contract between the controller and the data subject.

As regards direct marketing, as a general rule, consent would be required. However, there have been calls for the flexible interpretation of the Law on this point, based on arguments that the strict need for consent could significantly diminish companies’ ability to advertise, communicate to the public and launch new products on the market, and on the basis that advertising is an important tool to communicate with the public and has the power to escalate demand, widen competition and even bolster innovation, playing an important role in economic development. According to those arguments, it may be possible for companies to justify direct marketing activities in Brazil on a legitimate interest basis,[8] instead of obtaining previous and express consent, whenever there is a pre-established commercial relationship with the customer and it would be reasonable to assume that receiving marketing communications from the company would be within the data subject’s expectations. However, the applicability of ‘legitimate interest’ as a lawful basis for personal data processing is an exception to the fundamental rights and freedoms of the data subject, which require protection of personal data.

It is conceivable that direct marketing would fit the concept of ‘legitimate interest’ in the LGPD, since it is an essential tool for the promotion of companies’ activities and, if done responsibly, in a way that does not infringe personal rights and freedoms, and if within the data subject’s reasonable expectations, may provide a service that truly benefits the data subjects, by creating a better and more personalised user experience and providing consumers with more relevant products and services. However, that interpretation of the LGPD is still subject to the ANPD ratification.

In any case, the obligations imposed on the controller by the LGPD will subsist; therefore, the data subjects must be provided with facilitated access to information about the processing activities that will enable the provision of services or goods they have requested, and the processing of their personal data must be kept secure, to a minimum and in compliance with the entirety of LGPD’s requirements.

It is highly recommended, regardless of the legal basis supporting the processing, that the data subject is offered the possibility to opt-out from the processing of their data for direct marketing. This is not only to address LGPD’s requirements, but also to comply with the Brazilian Self-Regulatory Code for Email Marketing Practice,[9] which provides for the possibility of a soft opt-in for email marketing purposes but requires all communications to present a facilitated opt-out possibility to the consumer. Although the Code is not mandatory, it sets a strong good-practice standard for the Brazilian market as regards direct marketing activities.

Individuals’ rights.

The LGPD provides for the data subject’s rights in article 18 and states that such rights shall be exercised by means of an express request to the controller. According to paragraph 4°, if the controller is not able to provide an immediate response to the request, it shall either send a reply to the data subject indicating that it is not the responsible data processing agent and if possible identify the party responsible or, alternatively, the controller may point out the reasons preventing it from providing an immediate response to the data subject’s request.

One way or another, the controller may not ignore the request and must adopt all necessary measures to provide answers to all reasonable requests made from data subjects based on article 18, which includes:

  • rights to obtain confirmation of the existence of the processing;
  • access to the data;
  • correction of incomplete, inaccurate or out-of-date data;
  • deletion of personal data processed whenever processing had been previously provided by the data subject, except if the controller has another legal basis for processing, according to article 16[10] of the Law; and
  • revocation of consent as provided in paragraph 5º of article 8 of the Law.[11]

In addition, the LGPD grants data subjects the right of portability: every individual has the right to request the data controller to transfer his or her personal data to another controller. Data controllers must, therefore, create a specific procedure to transfer data to other controllers that provide the same or similar services.[12]

The LGPD also provides data subjects the right of having automated decision-making reviewed. There must be an option to guarantee the revision of the criteria for making decisions whenever it involves the use of personal data.

In line with the GDPR, the LGPD also grants data subjects the right to be notified whenever a data breach occurs. The only difference between the two regulations is that the LGPD does not define a specific deadline for the notification to be delivered; it only states that it must be within a reasonable time, which shall be later defined by the ANPD (article 48, paragraph 1º of the LGPD), while the GDPR fixed a 72-hour deadline.

With regards to compensation for damages, the LGPD is not as precise as the GDPR. It provides for a liability regime, but it does not indicate the means to obtain compensation. Conversely, the GDPR, in article 82, states that: ‘Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.’ Although the LGPD mirrors the rights provided by the GDPR, in many cases it still lacks clear interpretation, such as on the matter of compensation. Overall, the expectation is that the ANPD will soon clarify certain points that the LGPD did not provide for and will provide additional guidelines and rules to complement the environment for data protection in Brazil.

Role of data protection officer

The data protection officer (DPO) under the LGPD is the person appointed by the controller and processor to act as a communication channel between the controller, data subjects and the ANPD. The DPO can be either an employee of the company or an outsourced provider – popularly known as ‘DPO as a service’.

The main responsibilities of the DPO, as established by article 41 of the LGPD, are as follows:

  • accepting complaints and communications from data subjects, providing explanations and adopting related measures;
  • receiving communications from the ANPD and addressing the authority’s requests;
  • providing training to the entity’s employees and contractors regarding best practices to ensure compliance with the legislation; and
  • carrying out other duties as determined by the controller or set forth in complementary rules.

Under paragraph 3° of the LGPD, the ANPD may issue guidance on the definitions and attributes of the DPO, including exemptions from the need to appoint a DPO, according to the nature and size of the entity or the volume of data processing operations.

Under the GDPR, the DPO must have a high degree of autonomy and independence, with direct access to senior management of the company and is subject to confidentiality commitments. The DPO should also not have additional functions that would create a conflict of interest. Conversely, in Brazil, the requirements to appoint a DPO are much simpler and less restrictive.

Nevertheless, a DPO may face internal disciplinary measures for negligence or failure to comply with the LGPD that may impact on his or her employment. Whether the DPO is an employee of the controller or not, his or her actions are considered independent and specifically related to the LGPD. Although the LGPD does not cover extensively the powers, limits and liabilities of the DPO, the activity is understood as framed under the terms of article 653 of the Brazilian Civil Code, being that the party empowered to perform a specific task on behalf of others is responsible for his or her mandated acts. Although the DPO is not personally responsible, as are the controller and the operator, for ensuring and demonstrating that their activities are performed in accordance with the regulations, under the Brazilian Civil Law, when the person in charge acts with negligence, he or she can be challenged by the employer and by third parties to repair damages.

Procedure for and consequences of data protection violations and breaches

Law No. 14.010/2020, which was approved and published in June 2020, has already determined that the administrative sanctions provided for in the LGPD will only be effective as from 1 August 2021. From this date on, in the event of a data protection violation or breach, an administrative procedure will take place and the application of sanctions will observe the criteria provided for in paragraph 1° of article 52 of the LGPD.[13] Moreover, the LGPD provides for the necessity of having administrative procedures with full defence for the aggrieved parties available (article 52, paragraph 1º, LGPD).

Under the LGPD, the following penalties can be applied by the ANPD, as per article 52:

  • a warning;
  • a simple fine of up to 2 per cent of revenues in Brazil, for the prior financial year, excluding taxes, up to a total maximum of 50 million reais per infraction;
  • a daily fine, up to the maximum of 50 million reais;
  • publicising the infraction once it has been duly ascertained and its occurrence has been confirmed;
  • blocking the personal data that is the subject of the infraction until the infraction is fixed; and
  • deleting the personal data that is the subject of the infraction.

Like the GDPR, the LGPD provides for an escalated system of penalties, starting with a warning and ending with a fine. In this regard, another grey area yet to be clarified by the ANPD is what will be considered ‘one infraction’, namely the leak of one name or a list of names, the unauthorised disclosure of one telephone number or a list of numbers belonging to a group of data subjects concerned, etc. In that sense, the LGPD permits a certain leeway and proportional escalation of penalties, even though the methodology itself is not defined in the regulation. The basis for the calculation of penalties is yet to be established by the ANPD after public consultation, as per article 53, paragraph 4º of the LGPD.

Recent trends and updates

The LGPD is in force and effect since 18 September and administrative sanctions under the LGPD will be applicable as of 1 August 2021. The board of directors has been approved and nominated and it is expected that the agency will be soon operational.

Surveillance laws

The Brazilian Internet Law provides by article 13 the requirement for internet service providers to retain internet connection logs for one year. For-profit application service providers are required to store logs of access to applications for a period of six months under article 15 and paragraph 2 allows for the extension of retention periods in certain circumstances. In money laundering investigations, under Law No. 9.613/98, police authorities and the Public Attorney’s Office can request directly that service providers grant them access to users’ subscription data, which comprises their name, affiliation and address. Similarly, under article 38 of ANATEL Resolution No. 596/12, the agency may directly request access to account information and call records of users from service providers.

In a similar way, paragraph 3 of article 10 of the Internet Law provides that subscription data (name, affiliation and address) from connection and service providers can be accessed without court order by administrative authorities with legitimate competence, and paragraph 1º establishes that law enforcement authorities must obtain a court order to access both connection logs from service and connection providers, as well as for accessing the content of private communications. Unlike access to logs and the content of digital communications, access to subscription data does not require a court order. Beyond that, Resolutions Nos. 426/05, 477/07 and 614/13 of ANATEL require service providers to retain metadata pertaining to landline and mobile telephone services.

Those rules are not exhaustive and other regulations applicable to the banking system and criminal offences will also make provision with regards to surveillance. Nevertheless, the surveillance system and regulations in this regard keep evolving and will be soon be more complex as a result of the entry into force of the LGPD and the exercise of the ANPD’s legal powers to audit data controllers and to oversee compliance with the LGPD.

Relevant cases

Because the LGPD has only recently entered into force, there are not many cases based on its provisions. Nevertheless, a few cases already show the change in Brazilian legal culture on privacy and the adoption of principles for data protection coming from other laws, which have now matured into the principles of the LGPD. Although the ANPD is still in the process of being established, other bodies such as the Federal Prosecutors Office of the Federal District and Territories (MPDFT), the consumer protection defence bodies (PROCON) and the National Consumer Secretariat (SENACON) are already enforcing data protection and privacy principles in Brazil. One recent case is the decision of the Brazilian Federal Supreme Court (STF) on the Referendum on the Precautionary Measure in Direct Action of Unconstitutionality No. 6,389 from the Federal District,[14] which suspended the PM No. 954. The decision concerned the sharing of personal customer data of telephone companies with the Brazilian Institute of Geography and Statistics (IBGE) for use in official statistics. By 10 votes to one, the STF plenary endorsed the preliminary injunction previously granted by Minister Rosa Weber, rapporteur of the actions against the PM, which obliged telecom companies to grant IBGE access to the names, telephone numbers and addresses of their consumers – individuals or companies – for ‘home interviews’ for job vacancies (ie, interviews conducted remotely, not face-to-face), which would measure unemployment in the country. Considered personal data by the Minister, such information, if disclosed without prior authorisation, could cause ‘irreparable damage to the privacy and, therefore, constitutional rights of more than one hundred million users’.

That decision, when mentioning the violation of basic fundamental rights provided for in article 5, item X, of the Brazilian Federal Constitution – intimacy, private life, privacy and reputation – and the principles of the LGPD, indicates that Brazil is getting closer to countries where the right to data protection is already established in the legal system.

Another decision rendered by the Court of the State of Rio Grande do Norte (procedure No. 0807803-08.2019.8.20.0000) ordered the reinstatement of an Uber driver, who was wrongfully excluded from the platform, owing to a automated decision of the software. Even though the customers had rated as good service provided by the driver, the software unlinked him from the platform, without giving him the opportunity to defend himself, or even to perform his right of review or revision of the decision. In that sense, the case reflects the principles established by Law no. 13.853/2019, amending the LGPD, with regards to the possibility of reviewing an automated decision.

The impact of the covid-19 pandemic

In a scenario of uncertainty caused by the arrival of covid-19, governments and private entities have discussed the possibility of using data as a resource for response to the pandemic, which raises a number of concerns regarding privacy and the protection of data. In this context, the government (union, states and municipalities) released information to the public explaining that the use of personal data is key to model and enforce public policies to prevent and control the dissemination of the virus.

In this context, there are many public and private sector initiatives to deal with the pandemic and prevent the dissemination of the virus. Among them is the partnership between Rio de Janeiro’s city government and the telecom TIM, to track geolocation data. The system allows the identification of concentrations and movements of people in the territories affected by the pandemic. With real-time data, government agencies will be able to assess the effectiveness of the measures implemented and coordinate new decisions.[15]

However, it is important to address the problematic nature of this level of surveillance and, for that reason, the processing of personal data in the context of fighting the virus must be specific and is only justified for this purpose. The idea of ‘legacy surveillance’ and the increase in the use of personal data for other purposes, once the emergency is over, must be vigorously rejected, and a regulatory framework and an established culture for data protection are the greatest remedies that our society can rely on to avoid the risk of consolidating a ‘chronic surveillance’ state.[16]

In this regard, the European Data Protection Board (EDPB) produced ‘Guidelines 4/2020 on the Use of Location Data and Contact Tracing Tools in the Context of the COVID-19 Outbreak’.[17] The EDPB understands that data used to fight the pandemic must empower, not control, stigmatise or repress citizens. Although these guidelines are based on foreign legislation, they may help to find solutions in the Brazillian context, such as the processing of anonymised data instead of personal data, for the purposes of tracking individuals.


1 Article 5: ‘All are equal before the law, without distinction of any kind, guaranteeing to Brazilians and foreigners residing in the country the inviolability of the right to life, freedom, equality, security and property, in the following terms: . . . X – intimacy, private life, honour and people’s image are inviolable, the right to compensation for material or moral damage resulting from their violation being ensured; . . . XII – the secrecy of correspondence and telegraphic communications, data and telephone communications is inviolable, except, in the latter case, by court order, in the hypotheses and in the form that the law establishes for purposes of criminal investigation or criminal procedural instruction.’

5 Article 7: ‘The processing of personal data can only be carried out in the following cases: I- by providing consent by the holder; II for the fulfilment of legal or regulatory obligation by the controller; III by the public administration, for the treatment and shared use of data necessary for the execution on public polices foreseen in laws and regulations or supported by contracts, agreements or similar instruments, observing the provisions of Chapter IV of this Law; IV for carrying out studies by a research body, guaranteeing whenever possible, the anonymisation of personal data; V when necessary for the execution of a contract or preliminary procedures related to a contract to which the holder is a party, at the request of the data subject; VI for the regular exercise of rights in judicial, administrative or arbitral proceedings, the latter under the terms of Law No. 9,307, of September 23, 1996 (Arbitration Law); VII for the protection of life or physical safety of the holder or third party; VIII for the protection of health, exclusively, in a procedure performed by health professionals, health services or health authority; IX when necessary to serve the legitimate interests of the controller or third party, except in the event that the fundamental rights and freedoms of the holder prevail that require the protection of personal data; or X for credit protection including the provisions of the relevant legislation.’

6 Article 11: ‘The processing of sensitive personal data may only occur in the following cases: I when the holder or his legal guardian consents, in a specific and prominent way, for specific purposes; II without providing consent of the holder, in the cases in which it is indispensable for: a) compliance with legal or regulatory obligation by the controller; b) shared processing of data necessary for the implementation by the public administration, of public policies provided for in laws or regulations; c) conducting studies by a research body, guaranteeing, whenever possible, the anonymisation of sensitive personal data; d) regular exercise of rights, including in contract and in judicial, administrative and arbitration proceedings, the latter under the terms of Law No. 9,307, of September 23, 1996 (Arbitration Law); e) protection of the life or physical safety of the holder or third party; f) guardianship of health, exclusively, in a procedure performed by health professionals, health services or health authority; or g) guarantee of fraud prevention and security of the holder, in the processes of identification and registration authentication in electronic systems, safeguarding the rights mentioned in art. 9 of this Law and except in the event that the fundamental rights and freedoms of the holder prevail that require the protection of personal data.’

7 §3° ‘The communication or shared use of sensitive personal data between controllers with the objective of obtaining an economic advantage may be subject to prohibition or regulation by the national authority, after consultation with the sectoral bodies of the Public Power, within the scope of their powers.’

8 Article 10. ‘Controller’s legitimate interest can only be grounds for processing personal data for legitimate purposes, based on particular situations, which include but are not limited to: I support and promotion of the controller’s activities; and II protection, in relation to the data subject, of the regular exercise of his rights or provision of services that benefit him, respecting his legitimate expectations and fundamental rights and freedoms, under the terms of this Law.’

10 Article 16. ‘Personal data shall be deleted following the termination of their processing, within the scope and technical limits of the activities, unless their storage is authorised for the following purposes for the following purposes: I – compliance with a legal or regulatory obligation by the controller; II – study by a research entity, ensuring, whenever possible, the anonymisation of the personal data; III – transfer to third parties, provided that the requirements for data processing as provided in this Law are obeyed; or IV – exclusive use of the controller, with access by third parties being prohibited, and provided the data has been anonymised.’.

11 Article 8 ‘The consent provided in Item I of Art. 7 of this Law shall be given in writing or by another means that demonstrates the manifestation of the will of the data subject . . . §5 Consent may be revoked at any time, by express manifestation of the data subject, through a facilitated and free of charge procedure, with processing carried out under previously given consent remaining valid as long as there is no request for deletion, pursuant to Item VI of the lead sentence of Art. 18 of this Law.’

12 Perrone, Christian; Strassburger, Sabrina. ‘Privacy and data protection – from Europe to Brazil’. Panor. Braz. law - Year 6 -Numbers 9 and 10 – 2018 – pp 82–100. p. 11.

13 Article 52. §1: ‘The sanctions shall be applied following an administrative procedure that will provide opportunity for a full defence, in a gradual, single or cumulative manner, in accordance with the peculiarities of the particular case and taking into consideration the following parameters and criteria: I – the severity and the nature of the infractions and of the personal rights affected; II – the good faith of the offender; III - the advantage received or intended by the offender; IV – the economic condition of the offender; V – recidivism; VI – the level of damage; VII – the cooperation of the offender; VIII – repeated and demonstrated adoption of internal mechanisms and procedures capable of minimising the damage, for secure and proper data processing, in accordance with the provisions of item II of §2 of Art. 48 of this Law; IX – adoption of good practices and governance policy; X – the prompt adoption of corrective measures; and XI – the proportionality between the severity of the breach and the intensity of the sanction.’

14 Brasil. Superior Tribunal Federal. Referendo na Medida Cautelar na Ação Direta de Inconstitucionalidade 6.389 Distrito Federal. Rel. Min. Rosa Weber. Data de julgamento: 24 abr. 2020. Voto Conjunto ADIs 6.389, 6.390, 6.393, 6.388 e 6.387 pelo Min. Gilmar Mendes. Available in:

Get unlimited access to all Global Data Review content