The beginning of 2018 has witnessed strong discussions on privacy and personal data protection in the US and Europe, mainly due to the Cambridge Analytica and Facebook scandal, and the entry into force in May of the new European General Data Protection Regulation (GDPR).
In this sense, it was expected that the constant cases of privacy and data protection violations – whether through abusive practices of companies or through data leaks, as in the recent Equifax case that affected 143 million US consumers – would help advance this debate in Brazil, fostering the adoption of a personal data protection law, such as Bill nº 5.276/2016, in our country, which currently does not have one. However, we seem to be going in the opposite direction when we analyze Bill nº 441/2017, proposed by the Senate, which modifies Brazilian banking secrecy rules and reforms the Brazilian Positive Registration Law (credit score), nº 12.414/2011, which governs databases for the formation of the credit history of natural and legal persons.
According to the public note issued by the Coalizão Direitos na Rede (Network Rights Coalition), of which IRIS is also a signatory, Bill nº 441/2017 promotes 3 major changes to our current legislation: the first two relate to the concept of consent, which will be the main topic of this text, and the third extinguishes joint and several liability among the database manager, the sources and the consultant.
The first change seeks to authorize the automatic inclusion of all adult and economically active Brazilians in the “good payers” databases of Serasa, Boa Vista (both credit score companies) and the Credit Intelligence Manager (a credit bureau formed by the five largest banks operating in Brazil). Here, “automatic” means that various types of personal data of Brazilian citizens would be included without their prior consent: name, filiation, address and individual taxpayer identification number; public services payment information (e.g. water bill, electricity bill); and financial information (e.g. bank transactions, number of credit cards, loans).
So, the reform would replace the current legal regime for credit scoring in Brazil, which still requires the consumer's prior consent before he or she can be included in a credit database (article 4º of Law nº 12.414/2011), with an opt-out model that would automatically include the consumer in a database. The database manager would, however, also be obliged to inform consumers of their registration and to allow them to withdraw from the database at any time, if they wish (article 2 of Bill nº 441/2017).
As for the second main change, the Bill seeks to modify the banking secrecy law to allow free sharing of financial information between credit bureaus without the consent of the consumers involved. The Coalition’s note explains that data of bank account transactions and payments made with credit cards could be exchanged between institutions in order to form consumer credit scores.
It must be pointed out, however, that the defenders of this Bill claim that it will reduce the Brazilian net interest spread, increase financial inclusion and mitigate transaction costs, as explained by Arruda and Franco.
Prior consent, ultimately, is one of the pillars of today's data protection laws. One possible interpretation of the idea of “consent” is based on the assumption that an individual’s personal data is not a mere commodity that a third party can use without limit, but rather that it is, to some extent, still linked to the personality of that person. Therefore, he or she must have a minimum of control over “if” and “how” their data will be used.
This principle, although limited to the context of internet users, is expressed in Brazil’s Internet Bill of Rights (Marco Civil da Internet, or Civil Internet Framework), which guarantees consent as one of the fundamental rights of internet users:
“Article 7. Access to the Internet is essential to the exercise of citizenship and users are assured the following rights:
IX – the expressed consent for the collection, use, storage and processing of personal data, which shall be specified in a separate contractual clause;”
Credit score databases are not necessarily formed from information gathered through internet applications; however, they share the same data protection principles.
Similarly, it is interesting to highlight the legal treatment established by the GDPR regarding the consent of European citizens to the processing of personal data, whether or not it is collected through the Internet:
“‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;”
Article 7 – Conditions for consent
(1) Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
(2) If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
(3) The data subject shall have the right to withdraw his or her consent at any time.
In these legal definitions, the term “consent” is commonly accompanied by adjectives with broad meanings, such as “free,” “expressed,” and “informed,” among others, which are the subject of intense legal discussions. Even so, these discussions should seek to ensure both the protection of personal data and the legal certainty needed for innovations and new business models to develop.
However, this was not the case in the discussions of Bill nº 441/2017, because Congress suppressed any debate about the need to protect consumers' personal data. As the researcher and lawyer Rafael Zanatta, from the Brazilian Institute for Consumer Protection (Instituto Brasileiro de Defesa do Consumidor), explained:
“This bill was discussed without going through any consumer rights committee. It was stitched between banks, bureaus, parliamentarians and the economic team of Temer’s government [President of Brazil]. The proposal does not guarantee basic rights to consumers and brings harmful changes, which have been widely denounced by the Instituto Brasileiro de Defesa do Consumidor [Brazilian Institute for Consumer Protection].”
Ultimately, what this text seeks is not the elimination of every form of personal data use by companies or new business models, but rather that Congress be transparent and invite the social actors affected by the reform to the debate. After all, it is in society’s interest that the use of personal data enable new services for the consumer while also guaranteeing citizens' rights to privacy and data protection.