Public Consultation on the Revised Draft Bill on Privacy and Data Protection
On January 28, 2015, Brazil’s Ministry of Justice submitted the revised Draft Bill on Privacy and Data Protection (“Draft Bill”) for public consultation. An earlier version of the Draft Bill had been submitted for public consultation in 2010, and there were reportedly over 700 comments on its provisions in response. The main aspects of the revised Draft Bill are summarized below.
Applicability. Under the Draft Bill, the proposed rules will apply to any processing of data, regardless of the country where the data processor or the database is located, as long as the data is processed or collected in Brazil. Collection will be deemed as having occurred should the owner of the data be located in Brazil. Currently, a less stringent requirement applies: compliance with Brazilian law is mandatory only for data processing over the Internet if collection physically takes place in Brazil, and provided the collecting entity (i) offers services in Brazil or (ii) at least one entity of the same economic group is located in the country (see Law No.12,965/2014, Article 11).
Principles. Processing of personal data must comply with the following principles: (i) purpose, (ii) suitability, (iii) necessity, (iv) free access, (v) data quality/accuracy, (vi) transparency, (vii) security, (viii) prevention of any potential harm to the owner of the data; and (ix) non-discrimination.
Personal data owner rights. Personal data owners have the following rights under the Draft Bill: (i) to receive confirmation that data has been processed, (ii) to access the data, (iii) to correct the data; and (iv) to dissociate from specific persons, block or cancel unnecessary, excessive or irregularly processed data.
Consent. The Draft Bill sets forth a broad consent requirement for treatment of personal data, and forbids that it be required as a condition for the provision of products and/or services. Moreover, consent must be granted separate from other contractual clauses, and must be issued for specific purposes.
Communication and interconnection. Consent is also required for the transferring or sharing (“interconnection” under the Draft Bill) of previously collected data between private entities and/or private and public entities. Under the Draft Bill, the transfer of data between public entities is subject to the same general provisions applicable to transfers involving at least one private entity. Whereas the wording of the relevant provision lacks clarity, we understand it to mean that consent is also mandatory in this instance, except when more specific legal provisions dispose otherwise.
The rules in the Draft Bill even if approved will not revoke specific provisions dispensing with consent for the transfer of certain data (e.g., provisions creating exceptions to banking secrecy laws in favor or parliamentary investigative committees or credit databanks, or the supply of information to Brazilian financial intelligence units under local anti-money-laundering legislation).
International data transfer. International data transfer is only allowed to countries that award a level of protection equivalent to that of Brazil. Data transfer to other countries would require special consent by the data owner, preceded by a relay of information concerning the risks involved. Companies of the same economic group can submit their global data protection policy to the relevant Brazilian authorities, which may grant a general authorization for intragroup transfers, thus eliminating the need for specific consent.
Transfer of data from foreign countries to Brazil requires that proper consent for the transfer be obtained under the law of the country of residence of the transferor. In any case of international data transfer, the transferee and transferor are jointly and severally liable for any damages linked to the transfer.
Administrative agency. The draft refers to a “competent agency” responsible for overseeing compliance with the rules but does not specify the agency, already existent or to be newly created.
Administrative sanctions. Under the Draft Bill, possible sanctions are: (i) fines; (ii) public divulgation of infringement; (iii) dissociation of personal data (i.e., proscription that personal data is directly or indirectly associated with an individual); (iv) blocking of personal data; (v) suspension of processing personal data for up to 2 years; (vi) cancellation of personal data; (vii) prohibition of processing sensitive data for up to 10 years; (viii) prohibition of operating a database for up to 10 years. Criteria such as nature of the rights affected, recidivism, and the severity and extent of the infraction shall be taken into account to establish the applicable sanction.
The deadline for the public consultation on the Draft Bill is April, 30, 2015 (http://participacao.mj.gov.br/dadospessoais/).
L&S Authors
(1).jpg)
.jpg)
.jpg)
