In the past few weeks, the Brazilian House of Representatives passed Bill of Law No. 5,276/2016 (Bill) to provide protection to personal data in digital form. The Bill is the successor of Bill of Law No. 4,060/2012, which had been in the works for several years. The Bill follows the global trend towards enacting national data protection laws or strengthening existing ones. It also addresses, in part, various concerns involving the increased practice of collecting and processing personal data for interest-based advertising purposes, a practice that the House considered too aggressive or invasive. The Bill now must be reviewed by the Senate.
This Bill is part of a larger initiative regarding the protection of digital information which started in 2014 with the passage of the Marco Civil da Internet, Brazil’s first omnibus internet regulation. Prior to the passage of the Marco Civil, internet regulation in Brazil looked much like it does in the United States: a patchwork of federal, state, and local laws, several of which were written to regulate privacy and telecommunications and later adapted for the internet. More comprehensive laws tended to focus on specific industry sectors such as health information, financial information, employee information, information concerning children, as well as attorney-client communications.
The Marco Civil introduced into Brazilian law the concept of requiring consent from users to collect and process personally identifiable data, device information, app usage, and other web browsing behavior. Importantly, the Marco Civil codified net neutrality, shielded websites from liability for the posts of their users, and imposed various responsibilities on controllers related to the storage and deletion of personal data.
The Bill, which would expand the protections of the Marco Civil da Internet and more specifically address protection of personal data, contains numerous references to concepts also found, for example, in the EU General Data Protection Regulation (GDPR), such as:
- the requirement that the data controller establish a legal basis for the processing of personal data;
- restrictions on the cross-border transfer of personal data;
- ensuring that controllers only share data with third parties that ensure adequate data protection; and
- the creation of a National Data Protection Authority.
The Bill would create several technical requirements for the protection of personal data that take into account the state of the technologies and nature of the data collected. It would also grant additional protections to sensitive data such as race and genetic information, permitting processing only with the prior express consent of the data subject.
The Bill would provide data subjects with the right to block the processing of personal data unless the data is necessary to fulfill a legal obligation or contract. If processing is necessary for such purposes, the data controller would be permitted to share that personal data with third parties that contribute to the achievement of those purposes. If there is no such necessity, the data could no longer be processed unless it has been anonymized.
Additionally, the Bill would provide for the possibility of establishing self-regulatory institutions for individual industry sectors and create penalties for controllers and processors who do not comply with the regulations.
The Brazilian Senate is also considering the passage of similar legislation, Bill No. 330/2013. Given the similarities between these two bills, Brazil appears poised to enact a national data protection law in the near future. Across the Andes, Chile is also in the process of updating its existing data protection law to meet all basic data protection concepts found in similar data protection laws. With a significant portion of Central and South American countries, such as Argentina, Colombia, Costa Rica, Mexico or Uruguay, already equipped with data protection laws that incorporate most of the principles found in the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980 & 2013), Latin America’s markets may soon have data protection laws that are consistent with each other and that provide strong protection for individuals. As this trend continues throughout Central and South America, American companies could soon face pressure to meet data protection standards similar to OECD Guidelines and other seminal documents such as the EU GDPR for all their users in these growing markets.
Special thanks to Maxwell A. Calehuff for his assistance with this Alert.