The first half of 2018 was marked by new legal frameworks for personal data protection and online privacy. More specifically, we have seen the approval and entry into force of specific data protection legislation enacted by some of the most influential countries on the international stage today.
Initially, in March, the CLOUD Act – the acronym for Clarifying Legal Use of Data Abroad – was approved in the United States. The main focus of the law was to modernize certain aspects of the legislation on data protection, privacy and monitoring by government agencies, and to reflect current practices in the cloud computing industry. By amending the Stored Communications Act (SCA) of 1986, the Act proposes an overhaul of the MLAT (Mutual Legal Assistance Treaty) model, which is currently employed for the international transfer of data when that data is required for a criminal investigation.
The reasoning, in short, was the inefficiency of the MLATs, which usually take up to two years to achieve the effective transfer of the requested data between the authorities of the two countries involved. In this sense, the purpose of the CLOUD Act, which had the US vs. Microsoft Ireland case as its background, was to facilitate the conclusion of agreements for the delivery of communications content between the US and countries considered to have a data protection environment adequate by US standards.
GDPR presents very specific guidelines regarding the processing of personal data by Internet application providers, setting high fines for noncompliance with these provisions. In addition, users’ rights with respect to their own data are positively assessed, including the need for express prior consent before such data is processed by third parties, as well as the right to immediate de-indexing at the individual’s request.
It is also worth mentioning that, like the CLOUD Act, GDPR provides for facilitated international data transfer to countries which, in the EU’s judgment, have a healthy environment of digital safeguards and guarantees. The legal parameters of the new regulation, in addition to inaugurating an unprecedented depth of data protection, also have a broad reach in terms of application, with effects that may extend to other countries far beyond the European Union.
In this context of intense discussion in other countries, although Brazil pioneered the Civil Internet Framework, it had not yet consolidated specific and comprehensive legislation on data protection. This came to be considered a major obstacle for the country, and has even been cited as a reason for the loss of international financial investment due to “legal isolation”.
For this reason, the Bill of Law of the Chamber (PLC) nº 53/2018, denominated “General Law of Data Protection (LGPD)”, began to be processed on an urgent basis in the Legislature. The need to close this relevant gap in the Brazilian legal order, and to allow greater interaction with the European and American digital scenarios and with business models involving the internet and cloud computing, had become evident.
The importance of approving this law is even greater when one considers that the concept of “adequate protection and digital safeguards” in both the CLOUD Act and GDPR refers to the need for specific data protection and privacy laws in the countries concerned. The General Data Protection Act, therefore, inserts Brazil into the global regulatory trends of the Big Data era. In this regard, IRIS has produced a study analyzing the situation of the main bill on the subject – PL 5276/2016 – and data protection regimes for international transfers.
Context of data protection before the law
Prior to the approval of the LGPD, the regulation of personal data protection in Brazil was dispersed throughout the legal system. In a survey produced at the end of 2017, more than 40 sectoral norms dealing with the issue were identified in the country. In addition to the principles of privacy protection set out in the Constitution, provisions could be found in the Civil Internet Framework (“Marco Civil da Internet – MCI”) – Law no. 12.965/2014 –, in its regulatory decree – Decree No. 8,771 – and in the Consumer Protection Code – Law No. 8,078/1990.
In the normative treatment of scenarios involving the Internet, the MCI made great strides in protecting the user, trying to reconcile the protection of privacy and personal data with the development of applications based on their processing. Article 7, VII of the MCI, inspired by the consent model of the former European Union Directive 95/46/EC, provides that the provision of personal data to third parties by connection and application providers may take place by means of free, express and informed consent, or under other hypotheses provided by law that do not require consent, such as, for example, guaranteeing the performance of a contract or pursuing a party’s interest.
The MCI also establishes the users’ right to request the deletion of their data at the end of the relationship between the parties – the right of opt-out – (Article 7, X), and the conditions under which a company is obliged to provide certain data to public authorities by court order (Art. 10), among other protections.
With regard to the Consumer Protection Code (CDC), the citizen’s right to clear and adequate information on the products and services provided (articles 6, 8 and 12) can be highlighted. This guarantee can thus be understood as the consumer’s right to be informed about how their data is processed by a given company, even when the use of their personal data is the consideration required for using a service that could mistakenly be understood as free.
Another guarantee provided by the CDC (Article 43) is the consumer’s access to the information held in registers of personal and consumer data. In this case, the consumer must be notified in advance of the opening of the register, and has the right to correct any inaccurate information.
Finally, certain levels of protection of users’ data could still be observed in the absence of a specific legal framework: in the constitutional action of Habeas Data; in regulations on credit analysis of natural and legal persons (Law No. 12,414/2011); in specific resolutions on health data (for example, CFM Resolution No. 1,821/07 on electronic medical records) and on financial data (Decree 4.499/2002 on banking secrecy); among others.
Thus, although the LGPD systematizes data protection, introduces specific institutions and guarantees, and gives the subject a relevant normative status, it cannot be said that the theme is unprecedented in Brazil, since some protection standards already existed. The LGPD can therefore be considered a natural evolution in a legislative process that dates back years, but that only now has taken on more concreteness and substance. The legislative experiment implemented here by the National Congress aligns the practice of the Brazilian State with that of other countries, in addition to what has already been done by our Mercosur neighbors, such as Argentina, which has had its general data protection law since 2000 (Law No. 25,326).
How did LGPD get approved?
The Bill of the Chamber nº 53 originates from PL nº 4060/2012. This bill, by Milton Monti (PR/SP), was dealt with by the Chamber of Deputies as a matter of urgency (Article 155 of the Internal Rules of the Chamber of Deputies – RICD) and, along the way, was joined by different bills (such as Bill nº 5276/2016 and Bill nº 3558/2012).
Between May 2015 and May 2018, several public hearings were requested by parliamentarians – among them, deputies Sergio Zveiter (PSD-RJ), Sibá Machado (PT-AC) and Alessandro Molon (REDE-RJ). Representatives of civil society organizations (ABAP, ABERT, IDEC, Intervozes), academia (UERJ, FGV, USP), government (CGI.br, MCTIC) and the private sector (Mozilla, Facebook, UOL) were invited to these hearings. The scandal surrounding Cambridge Analytica and Facebook also prompted a public hearing called by Deputy Bruna Furlan (PSDB-SP) to address the impact of the illegitimate use and collection of Brazilians’ personal data. Thus, it can be affirmed that the bill was thoroughly examined within the Chamber of Deputies, where 7 amendments were made to the original text.
In the Senate, Bill nº 4,060/2012 received the name Bill of the Chamber nº 53/2018. In that house, Bill 53 was processed jointly with Bill nº 330/2013. The Rapporteur of the Committee on Economic Affairs, Senator Ricardo Ferraço, in his report, attaches great importance to the PLC, stating that the approval of the law “is not a legislative option, but an unavoidable necessity.” Bill 53 has 65 articles distributed across 10 chapters, approved with the content voted in the Chamber of Deputies. Senator Ricardo Ferraço justifies the Senate’s approval of the full text (except for small editorial amendments) by the urgent need for a specific data protection law and by a political context in which the return of the matter to the Chamber could mean the “definitive postponement of this matter, in the face of the electoral year.”
The text was submitted for presidential sanction on 17 July 2018, and the President has until 6 August 2018 to veto or sanction it, according to Art. 66, § 1º, of the Federal Constitution.
Central provisions of the Brazilian Law
In a systematic way, the general data protection law inserts the following relevant provisions into the Brazilian legal system:
- Scope: the law refers to the personal data of natural persons and legal entities (Article 1);
- Application: the law applies to processing operations that: i) are carried out in national territory; ii) aim to offer or supply goods and services to individuals in national territory; iii) involve data collected in national territory; iv) come from outside the national territory and are the object of communication by Brazilian processing agents (Arts. 3 and 4);
- International data flow: in the case of a processing operation coming from outside the national territory (Article 4, IV) and of international data transfer (Article 33, I), the country involved must have an adequate degree of personal data protection;
- State: The processing of personal data for the sole purpose of public security, national defense, state security, or investigation and prosecution of criminal offenses shall be governed by specific legislation (Article 4, I);
- Use of data by the public authority: the law reinforces that, when data is processed to comply with a legal obligation or for use by the public administration, the data subject must be informed of the legal basis for the processing (Art 7, §1). The rules for data processing by the public authority are also detailed (Chapter IV, Sections I and II). These points emphasize the bill’s care regarding the use of data by public agencies;
- Legal concepts: the law details and conceptualizes the users’ rights over their personal data already guaranteed by art 7 of the MCI (Arts 6, 9, 17 and 18);
- Consent: the transfer of data obtained after the individual’s consent must rely on the holder’s specific consent for that sharing or for subsequent/derivative use. This situation recalls the Cambridge Analytica case, because the ThisIsYourDigitalLife app, despite having consent to collect data from users, did not have consent to pass this data on to C.A. (Article 7, §5);
- Sensitive data: the legislation is more rigid regarding the handling of sensitive data, since it does not allow such processing for the execution of contracts or preliminary contract procedures, for legitimate interest, or for credit protection, whereas for ordinary personal data these situations do authorize processing (Article 11). In addition, it allows the prohibition or regulation of the processing of sensitive data with the objective of obtaining an economic advantage (Article 11, §3º);
- Protection of minors: the law has a specific section on the data of children and adolescents, including the requirement that the processing of this group’s personal data be consented to by at least one parent or legal guardian. Furthermore, it imposes on the controller the duty to make all reasonable efforts to verify that consent was given by the responsible party (Section III);
- Automated decision: The law guarantees the possibility of reviewing decisions taken solely on the basis of automated processing of personal data (Article 20);
- Responsibility: the law assigns responsibility for recording personal data processing operations to the controller and the operator, establishing joint and several liability for compensation in case of violation of the legislation (Articles 37 and 42). The law opts for a model in which responsibilities are defined by the act or activity practiced by the data controller and the data processing operator, in order to favor both the predictability and the security of business models;
- Proof: the law enables the judge, in civil proceedings, to reverse the burden of proof in favor of the data subject (Article 42, §2);
- Sanctions: the law objectively provides for administrative penalties for infractions, without removing sanctions provided for in specific legislation (Article 52); among them, a fine of up to 2% of the revenue of the company involved (“legal entity of private law, group or conglomerate in Brazil”) in the last fiscal year, excluding taxes and not exceeding R$ 50 million, the imposition of daily fines (astreintes), as well as the blocking or deletion of illegally processed data and the suspension or prohibition of the database or processing activity.
It has been stated that the approval of PLC No. 53/2018 was partly due to the entry into force of GDPR in the EU in May 2018. The new European regulation establishes, in more detail than the old Directive 95/46/EC (Article 25, §§ 1 and 6), that data transfers to countries outside the EU are basically allowed in two scenarios (Articles 44 to 50 of the GDPR): (i) if the third country also has an adequate level of personal data protection; and (ii) even if it does not, the transfer may occur as long as the controller or processor of the data guarantees its protection in accordance with EU regulation – by means of contractual clauses, for example.
Thus, the adoption of a general Brazilian data protection regulation prevents Brazil from being excluded as a possible destination for the processing of data of persons located in the EU, thereby facilitating economic operations involving data between countries. This had already been pointed out by IRIS in a policy paper on international data transfer regarding the provisions of PL 5,276/2016, whose content has been incorporated into the approved law. To a certain extent, this reasoning is true, since, as pointed out above, GDPR adopts the existence of specific rules on the subject as a criterion for assessing a country’s level of personal data protection (Article 25, §2, a). Furthermore, item b of the same provision makes the existence of supervisory authorities able to effectively enforce personal data protection rules a relevant criterion as well.
Although Bill n. 53/2018 provides for the creation of an independent Personal Data Protection Authority, the possibility of a presidential veto of that part of the law has been discussed. Possible justifications range from budget constraints to issues of legislative competence (since the creation of an autarchy is an initiative reserved to the President rather than to Congress).
Thus, if the supervisory authority is not independent (an important point, since the regulation also applies to data processing by the government) and not specialized, there is a risk that the law will not be applied properly. Experts analyzing the issue note the importance of preserving the autonomy and specialization of the protection body in Brazil. Professor Danilo Doneda (UERJ) also warns that, in the Civil House, it has been proposed to give inspection powers to a body linked to the Office of Institutional Security (GSI). That would be contradictory, to say the least, since a body with intelligence prerogatives would be charged with the task of guaranteeing citizens’ privacy.
Professor Renato Leite Monteiro (Mackenzie) also warns that the LGPD makes 56 direct references to the National Data Protection Authority. Its exclusion may therefore render various provisions of the law void, making it difficult to apply systemically.
Thus, if a truly independent supervisory authority is not created, there is a great risk that the law will not be properly enforced. In addition, the chances of Brazil being recognized by the European Union as a country that guarantees a level of protection equivalent to Europe’s are diminished, making it a less attractive place for investments in data processing. At this stage of the international debate, already framed by the GDPR model in the European Union and the reforms introduced by the CLOUD Act in the United States, this would be an absolute loss of opportunity for Brazil.
Considering the importance of a data protection authority for the implementation of the LGPD and for Brazil’s insertion into the global scenario of adequate data protection levels on the Internet, IRIS has already positioned itself in defense of its creation. Its creation by the LGPD therefore deserves presidential sanction; a veto could mean that the Brazilian law becomes a dead letter, failing to bring the country to significant levels of data protection and leaving it in complete ostracism among the leading players in the growing and competitive data economy.