Legal framework for data privacy and security in Brazil

The Judiciary is today the main regulator of data privacy and protection in Brazil. Will legislation fill the gaps any time soon?

The question of protecting users’ privacy and regulating information security is becoming paramount for policymakers as insurmountable amounts of private data go online. Users want guaranteed privacy rights, and companies want to develop their business models based on digital information without fearing regulatory intervention. Meanwhile, governments disagree on the balance between protecting the rights of citizens, monitoring unlawful activities, and restricting what business can do with private data. As governments are starting to realize, inaction is not an option. Distrust undermines the full potential of the Internet for society and commerce.

In Brazil, the general regulatory trend leans towards favoring the protection of personal data and consumer rights. Offline privacy is protected by the 1988 Constitution. In recent years, different levels of Brazil’s Judiciary have applied the constitutional principle to online privacy cases, creating important court precedent that addresses legislative gaps.

Brazil, currently, has two main legislative initiatives concerning data privacy and security, both of which were drafted by the Ministry of Justice:

• Internet Bill of Rights (Marco Civil da Internet). In 2011, President Rousseff sent this draft to Congress as an ordinary bill sponsored by the Executive branch. In Congress, however, the bill turned out to be controversial and has been stalled in the Federal Chamber of Deputies since then, despite a request for urgency issued in December 2013. As the name suggests, the Civilian Framework aims at setting basic rights for Internet users, and responsibilities for network and application providers. The bill proposes the inviolability of personal information and establishes that the regulation of the Internet in Brazil should be grounded on the recognition of several principles: openness and collaboration, free enterprise, free competition, and consumer protection.
• Draft Data Protection Law. This legislation aims at protecting individual dignity and fundamental rights with respect to the handling of personal data. The bill has yet to be submitted to Congress. The draft law defines personal data as any information related to an identifiable person and determines that personal data can only be collected with the explicit consent of the data owner and for a specific purpose. This law would determine that only “clearly needed data” can be mined, and the processing of such data be limited to the purpose of the collection. Consequently, owners of data would have the right to know the results of data processing, as well as the identity of the entity using the data.

Brazilian policymakers must realize that there is a great public policy opportunity for shaping the development of an entire industry that, albeit already large, is still nascent. As they seek to protect the use of personal data, they must ensure that this is done in a way that fosters innovation and the growth of commerce. Data privacy regulation should allow consumers and companies to benefit from the use of personal data in a secure and privacy-respectful way at the same time that fundamental rights to privacy are assured.