Personal Data Protection Regulation in Brazil: Potential Conflict Between Laws
A new version of the Draft Bill for the Protection of Personal Data (DBPPD) has been made available for public consultation, with a final deadline for contributions by April 30th, 2015. The text is based on a first version dated 2011, which was enriched with some contributions made at that time. During these four years since, the discussion surrounding the Brazilian Regulatory Framework for the Internet (Law No. 12,965 dated April 23, 2014) arose. Debate over Law No. 12,965 was heightened, in part due to press coverage on the violation of Brazilian company and private individual information protection by foreign governments. Resultantly, the enactment of the Law preceded the DBPPD.
It was widely agreed that the Regulatory Framework for the Internet should include data protection provisions. Therefore, the regulation contains the “Records, Personal Data and Private Communications Protection” section dedicated to this subject. Other provisions to the Law regulate this subject matter, such as those stated in items VII, VIII, IX and X of its Article 7. The generally applicable language of its Article 10 also states unequivocally that the protection framework established by the Law encompasses not only connection and Internet application access logs, but also personal data and private communication content.
The DBPPD aims to protection personal data defined therein in general terms, encompassing any data related to an identified or identifiable individual, such as through identification numbers, geographic data or electronic identifiers. It is clear that its definition of personal data includes Internet protocol addresses (IP addresses), connection and Internet application access logs, and other types of data protected by the Brazilian Regulatory Framework for the Internet.
Data protection/privacy is a concern of the utmost importance and is already regulated in Europe (via Directive 95/46/EC) and in the Unites States under several laws. However, overregulation may be detrimental to the application and/or efectiveness of this important legal framework in Brazil.
Overlap is identified in comparing the Regulatory Framework for the Internet to the DBPPD, which may harm the application of both should the DBPPD be enacted as it was drafted when made available for public consultation last March. Some examples are:
- the Regulatory Framework for the Internet does not differentiate between “personal” and “sensitive” data, while under the DBPPD broader protection is granted to the latter. For the use of sensitive data, under the DBPPD special consent from or the providing of additional information to individuals is required.
- in accordance with the Regulatory Framework for the Internet, three entities may be accountable in the case of non-compliance: (i) the autonomous system administrator, (ii) the Internet connection provider and (iii) the Internet application provider. Contrastingly, under the DBPPD personal data processing agents, namely the controller and the processor, will be held responsible;
- penalties for non-compliance with the provisions of the Regulatory Framework for the Internet related to data protection differ from those established in the DBPPD. The Regulatory Framework for the Internet envisages the application of a warning, a fine up to 10% of the gross income of the responsible economic group in Brazil or temporary suspension or barring of its activities. Under the DBPPD possible penalties are one-off or daily fine, public disclosure of the infringement, suspension of infringing party’s activities relative to personal data for up to two years and, in case of sensitive data, for up to 10 years, barring of database operation for up to 10 years and the dissociation, blocking or cancellation of the personal data in question; and
- under the Regulatory Framework for the Internet, its regulation is applicable whenever at least one of the terminals involved in the collection or storage of the data is based in the Brazilian Territory, there is an offer targeted at Brazilian individuals or at least one company of the economic group making the offer is headquartered in Brazil. Under the DBPPD, its regulation is applicable whenever the individual is within the Brazilian Territory when the data is collected, regardless of where the operation takes place.
The DBPPD does not state the timeframe for the maintaining of personal data, while the Regulatory Framework for the Internet states that connection logs shall be kept for a time period of one year and Internet application access logs for six months (both of them in confidentiality). In contrast to the examples cited above, the apparent conflict between the Regulatory Framework for the Internet and the DBPPD – should the text of the DBPPD be approved as drafted – could be resolved in this instance by the application of the interpretation principle establishing that the specific law (the Regulatory Framework for the Internet) prevails over the general law (the DBPPD). In this case, the applicable time period for the maintaining of Internet traffic-related data – connection and Internet application access logs – is that provided for in the Regulatory Framework for the Internet, while the DBPPD would regulate the time period relative to other types of data.
With regard to other potential conflict between the aforementioned regulation, it is expected necessary changes to the DBPPD will be made towards its resolution. It is also expected that the Executive Branch will avoid regulating matters in the forthcoming decree not specifically related to the Internet.
Despite these precautions, there is still some concern considering that almost all data – personal or sensitive, as they are defined in the DBPPD – is currently stored on the Internet and, as a consequence, the Regulatory Framework for the Internet might be applied in the majority of cases.
L&S Authors
(1).jpg)
.jpg)
.jpg)
