There are five bills to regulate protection of personal information in Brazil.
In 2010, the first version of a Draft Bill in matters of Protection of Personal Information (“APLPDP”) was issued, aiming at protecting the rights of the owners of such data and imposing duties upon the agents involved in data management in Brazil. Just as happened with the Marco Civil of Internet (Act no. 12.965/14), the text of the APLPDP was also published for open search by means of the online platform of the Justice Department, where it received countless contributions and modifications. In 2016, the APLPDP was transformed into Bill no. 5.276/2016 (“BILL 5276/16”) and had its initial processing before the House of Representatives.
The House of Representatives had previously received another Bill in 2012, not related to the APLPDP: Bill no. 4.060/12 (“BILL 4060/12”), “providing for the personal data management as well as other requirements”. In November 2016, the two bills, BILL 4060/12 and BILL 5276/16, were appended, and they are currently being processed with priority before the House of Representatives.
Finally, three other bills in matters of protection of personal information are being jointly processed before the Federal Senate: Bills no. 330/2013 (“BILL 330/13”), no. 131/2014 and no. 181/2014. BILL 330/13 carries concepts quite similar to those of BILL 5276/16 and shall presumably be the text chosen by the Senate special commissions for submission to the full bench.
We set out below the questions raised by BILL 4060/12, BILL 5276/16 and BILL 330/13 that are most likely to cause impacts upon the technology and innovation market.
CONCEPT OF PERSONAL INFORMATION
Both BILL 330/13 and BILL 5276/16 carry similar concepts on the definition of protected “Personal Information”. Such Bills would define as Personal Information any data of an identified or identifiable individual (the “Owner” of the Personal Information), which may also be “Sensitive Personal Information”: that related to health, sexual, political or religious orientations, genetic information, among others. On the other hand, there would also be “Blinded Information”, i.e. information whose owner cannot be identified.
BILL 4060/12, on the other hand, carries a concept of “Personal Information” restricted to data involving any party (not determining whether individual or legal entity) the identification of which is accurate and determined (i.e. only “identified”, but not “identifiable”), and “Sensitive Personal Information”, which is similar to that of the other two Bills. This specific Bill has no definition for “Blinded Information” or similar.
Finally, it is also important to note that Decree no. 8.771/2016 (“D8771/16”), which regulated the Marco Civil of Internet, also carries a concept of “Personal Information” similar to that of BILL 330/13 and BILL 5276/16. However, it carries no definition for “Sensitive Information” or “Blinded Information”.
CONDITIONS FOR DATA MANAGEMENT
The analyzed Bills distinguish several practices to be generically considered as “data management”:
- in common, all such Bills include data evaluation and extraction;
- both BILL 4060/12 and BILL 330/13 consider the following practices: storage; ordering; preservation; comparison; organization; selection;
- likewise, both BILL 330/13 and BILL 5276/16 consider as management: collection; usage; modification; deletion; transfer and transmission;
- finally, severally, BILL 4060/12 includes the updating practice, while BILL 330/13 provides for (either temporary or permanent) suspension and disclosure to (determined or undetermined) third parties; and BILL 5276/16 considers production, receipt, classification, reproduction, access, distribution, processing, filing, evaluation or control of the information and communication of Personal Information, as management practices.
All Bills determine that their respective management concepts would apply in the national territory, even if the data is stored abroad. BILL 330/13 makes reference to data management which is aimed at provision of services to the Brazilian public, not exempting foreign companies from liabilities. BILL 5276/16, in turn, in addition to adopting a definition similar to that of BILL 330/13, deals with management of data belonging to individuals located in Brazil (either Brazilian or not).
Data management for journalistic, historic or scientific purposes, or in cases of public security and national defense, is not subject to such Bills. BILL 5276/16 also excludes from the list Personal Information used for strictly personal purposes.
The following represent requirements for data management:
- consent by the Owner (although, in BILL 4060/12 the consent is required only for Sensitive Information);
- warranty by the Owner of management lock-up, as requested;
- management must be compatible with the determined purposes and the beneficial expectations of the owner, being conducted only during the time necessary for such compliance, as regulated by Bills 330/13 and 5276/16. Such level of detail is not comprised in BILL 4060/12, which only requires loyalty and good-faith by the party in charge of the management;
- after the management is concluded, the Personal Information may be used if blinded or for the purposes authorized by the law, otherwise, it shall be deleted.
AGENTS INVOLVED IN DATA MANAGEMENT
In regard to the agents involved in data management, all Bills provide for the figure of the “Party in Charge” as the party, either individual or legal entity, in charge of making decisions related to data management. BILL 330/13 and BILL 5276/16, in turn, also define an “Operator” as the party, either individual or legal entity, in charge of effectively carrying out the management under the guidance of the Party in Charge, while BILL 4060/12 generically assumes subcontractors of the Party in Charge.
BILL 5276/16 goes further in relation to the others, by adding a “Head”, who would be the individual in charge of representing the Party in Charge before the Owners.
In relation to the accountability for the data security assigned to such, BILL 4060/12 asserts that the Party in Charge shall adopt measures in “proportion to the current state-of-the-art”, while the remaining bills have more specific obligations, such as confidentiality obligations for all stakeholders and the obligation to issue reports on management as requested.
CONSENT
Consent by the Owner for use of Personal Information is already a requirement of the Marco Civil of Internet. However, the Marco Civil imposed the duty to detail the form of such consent upon the future Personal Information Act.
The most basic of the three Bills in such regard is BILL 4060/12, which only mentions an express “approval” by the Owner when the Party in Charge requests the management of Sensitive Data.
BILL 330/13 and BILL 5276/16, in turn, seek greater protection for the Owner by establishing several requirements for consent, which shall be free, express and informed. In addition, both bills provide for expanded disclosure in the Privacy Policies whereby such consent is obtained, which shall specify, for example, the intended purposes for use of the Personal Information, who is to be granted access to it and contact information for the Party in Charge. Both bills also provide for special standards in the case of Sensitive Information (the consent for which shall be segregated from that for the remaining Personal Information).
RIGHTS OF THE OWNER TO PERSONAL INFORMATION
All Bills acknowledge the right of the owner to obtain information on the steps of the data management. However, Bills 330/13 and 5276/16 provide further support to the owner, because the person must be aware of the management conducted with their data, as well as be authorized to require specific, detailed information. If that is not sufficient, the Owner may request that the data be reviewed and corrected free from any burden.
BILL 4060/12 in its turn only provides for access to a privacy policy of the Party in Charge which shall provide information regarding the use of the collected data. In addition to such protection, it contains, only generically, “loyalty” and “good faith” principles of the Party in Charge along with the Owner.
LIABILITY
While BILL 5276/16 and BILL 4060/12 determine liability for damages caused to the owners similar to the fault-based liability provided for in the civil code, BILL 330/13 is more rigorous, by determining the strict liability of the Parties in Charge of the data management (i.e. liability which is independent from evidence of the fault of the Party in Charge).
SANCTIONS
If the determined regulations are breached, without limitation to the applicable administrative, civil and criminal penalties, Bills 330/13 and 5276/16 also provide for sanctions, such as: warning, fine, suspension or cancellation of the Personal Information or the database.
BILL 4060/12 in its turn only provides for the sanctions already comprised in the Consumer Defense Code and in the Civil Code.
CONCLUSION
In general, we noticed that both BILL 330/13, issued by the Senate, and BILL 5276/16, issued by the House of Representatives (and submitted to public inquiry), intend to provide an increasingly extensive protective list to individuals who own data, while more clearly presenting the liabilities assigned to the Parties in Charge of the data management. However, such liabilities also tend to be more burdensome to market players; in this respect BILL 4060/12, although more generic and therefore less safe, is intended to be more liberal.
In such environment, some singular aspects should be mentioned which evidence the liberal trend of the BILL 4060/12:
- no requirement to obtain the consent by the owner to transfer Personal Information among databases (provided that the interests of the Owner are abstractly secured);
- possibility to share data (either sensitive or not) between companies from the same economic group;
- express self-regulation provision by the market;
- determination of Owner’s liability for the integrity of the information provided to the Parties in Charge.
By the end of 2016, the conclusion that the Brazilian political scenario shall bring to the future Personal Information Act is yet uncertain. Over the last years, we have constantly noticed the “data protection” subject being on and off the spotlight of the legislative and executive branches – BILL 330/13, for example, was filed in 2015; BILL 5.276/2016 in turn was hurriedly approved during the last days of Dilma Rousseff’s presidential term.
Regardless of the uncertainties, one thing is assured by both current and future law: the technology industry companies shall go through a stage of adaptations and challenges to preserve the legal and continuous exercise of their activities.