Personal data protection in the international scenario: brief comments on the american and european models and on brazilian law

To say that privacy and personal data protection debate have international dimension and relevance is a commonplace nowadays. However, the practical confirmation of the assertion made is useful for both understanding the current situation and making a draft of the issue’s global extent and its consequences. From recent history we detach two related facts: (i) the press disclosure of documents provided by Edward Snowden, supporting that the National Security Agency – NSA of the United States of America (USA) was undertaking an indiscriminate electronic surveillance worldwide; (ii) the presentation in June 2014 of the Office of the United Nations High Commissioner for Human Rights’ report “The right to privacy in the digital age” [i], endorsed by the 36th International Conference on Data Protection and Privacy Commissioners’ resolution [ii], in that it recognizes that international human rights law protects the right to privacy in the context of information and communication technologies advancements, and recommends addressing the challenges raised by means of dialogue among all stakeholders.

The two events actually are somewhat bound in a chain of cause and effect: to international level problems caused by the US state investigative apparatus’ informational voracity post-September 11, concern arises over the formulation of equally relevant solutions and initiatives.

These facts also point out the difference between two legal models of personal data protection or right to privacy legal cultures. The first one is based on the idea of freedom and, although the protection scope of constitutional privacy, focuses largely on the statutory law the protection of the US citizens’ right to get control over their personal information – whom, moreover, were not supposed to be the target of NSA’s monitoring. The second one is established on the pillar of dignity, recognizing the right to privacy’s fundamental nature, in order to build a regulatory and institutional framework that captures data privacy within the system of protection and promotion of human rights. Amid this reference duality, Brazil has taken serious steps in the direction signaled by the guidelines applicable to the Atlantic’s  east side.

Legal Privacy Protection in the United State: The North American model

There is a myth that in the United States there is no citizen’s privacy protection. The statement is exaggerated and inaccurate. Maybe the cultural differences, the meaning of privacy in the American Constitution, the range of privacy legal protection, and the extremism of the most passionate advocate may have lead to this wrong view. In a matter of fact, there is a substantial distinction between those systems. The United States, on the contrary, in contrast to Europe, the personal data protection is not a fundamental right.

The first reason that explains is the cultural difference. In Europe, the debates about privacy can cause as much uproar as the gun regulation in the United States. America indeed lacks social and political pressure over personal data regulation and due to its federative government the states sometimes legislate the privacy issues separately Apparently, there is less concern about the growing personal data collection by companies and government. The United States have a more hands on approach, which aims solution e protection of specific situations. The result is distinct legislation for each of this problems.

The Constitutional Right to Privacy, more often analyzed under the fourth amendment principles, guarantees to American citizens that no search or seizure will take place without a valid warrant issued under a probable cause. This right has its roots on the English Common Law, was born as a mean to contain the power of the crown over its subjects. When the Bill of rights Included the right to privacy in the Constitution they were likely more concerned about restricting the power of a tyrant government than to their personal life exposure. The recent discussion on the FBI v. Apple case is a good example of the grounds in which Privacy is discussed under the constitutional perspective.

Therefore, the scope of the debate in the United States of the Right to Privacy in linked to the State power to seek the personal life of an individual without the respect to the due process of law.

Looking at the infra-constitutional aspect of the privacy, the allegation of lack of personal data protection does not picture the reality. The second argument that helps to break up the myth is the numerous specific legislation to protect data. The children privacy is protected in the Children’s Online Privacy Protection Act – COPPA and regulates the data collection of kids under the age of 13 years – note that this is the minimum age to enroll the online services. The health data is regulated by Health Insurance Portability and Accountability Act – HIPAA. Another source of worry to Americans are the financial data. On the other hand, Social Security Number, Bank and Financial data have a specific law, the Gramm-Leach-Bliley Act, which ensures consumer data protection on this regard. Lastly,  we can point state laws as an important instrument to personal data protection. The Constitution of California and its protection to personal data is a good example of that.

The third argument that broke the myth of personal data protection absence in the United States concerns to the enforcement of data protection laws. On this regard,Americans uphold that they have better and more efficient means than the europeans. They allege that the collective actions and FTC – Federal Trade Commission  performance assure the effectiveness of american privacy protection.

In fact, there is a constant concern of companies with respect to its compliance to privacy laws and industry best practices in order to avoid collective actions and the FTC investigations. The collective action is an significant cause of concern to companies in the legal systems who adopts it. For instance, big companies in the United States face, or have faced, collective actions because of personal data protection including Google, Facebook, Snapchat and twitter.

Besides that, the FTC has a noteworthy role on the privacy protection laws enforcement. It controls, monitors and enforce the privacy protection laws, including the right of bring action against breach of the law. This agency has an active role as in consumer protection and already has investigated numerous companies. Nonetheless its lack of legislative power, it issue guides and good practices measures for companies and consumers regarding their duties and rights. Companies tend to comply to this guidance to avoid the dangers to the businesses and FTC actions.

Worth to mention, that event before the lack of a personal data protection federal and general law, the FTC use general provision laws and torts to justify action against companies. Deceptive and Unfair practices are a good example of how FTC use general provisions to enforce consumer privacy protection.

Personal data protection in the European Union law and the Council of Europe: the European model

For a proper understanding of European data protection law is essential to take at the bottom line the fact that establishing regulatory standards for personal information processing by automated or not automated means is a matter of protection of fundamental rights and freedoms for the Council of Europe’s and the European Union (EU) Member States.

The European Convention on Human Rights – ECHR of 1950 provides for the “right to respect for his private and family life, his home and his correspondence” (article 8, 1.). Because of the advances in information technology and the emergence of computerized databases, the right to privacy here conceived as a negative freedom has developed for within its legal protection ambit also encompass the claims of individuals whose personal information collected and processed made them vulnerable to social discrimination. The various resolutions of the 70’s issued by the Committee of Ministers of the Council of Europe, and the Convention 108 of the Council of Europe (1981) and European Court of Human Rights – ECHR decisions [iv] expresses this understanding.

In the  dominion of the European Union, which adheres to the Council of Europe, the right to personal data protection follows this same orientation in its primary and secondary law, specially and respectively, in the Charter of Fundamental Rights of the European Union – separating the right to respect for private and family life (Article 7) of the right to protection of personal data (Article 8) – and in the Directives 95/46/EC and 2002/58/EC, both of the European Parliament and the Council. The latter EU acts already changed or will change after the approval of new data protection general rules on April 27, 2016, the Regulation 2016/679, which is the result of years of discussions initiated with the purpose of updating the European data protection rules in accordance with the intense progress of information and communication technologies after 1995 and the new digital economy business models.

The 1995 directive aimed at, according to the Court of Justice of the European Union – CJEU, ensuring “that the level of protection of the rights and freedoms of individuals with regard to the processing of personal data is equivalent in all Member States. […] The approximation of the national laws applicable in this area must not result in any lessening of the protection they afford but must, on the contrary, seek to ensure a high level of protection in the EU”[v]. Such high desired protective level is complemented by the work of administrative bodies with supervision and advisory skills, for example. Besides the European Data Protection Authority’s existence, each Member State is obliged to structure their respective authority with national jurisdiction.

The right to personal data protection in the Brazilian legal system

The protection of personal data in the Brazilian legal system, despite approaching the European model, as it recognizes its status as a fundamental right, also provides a fragmentary regulation, which offers insufficient privacy protection to Brazilians in undue delay in the preparation of a general statute with regard to personal information processing, compared to countries in South America such as Argentina, Chile and Colombia.

The 1988 Constitution enshrined the right to privacy in the art. 5, items X and XI and provided in item LXXII the habeas data remedy in order to assure citizens the power to access and to correct their personal data that may be in governmental records and public databases – the procedure’s regulation took place with Act nº 9507/1997.

In 1990, under the North American Fair Credit Reporting Act influence, the Consumer Protection Code sought to protect the vulnerable person in the consumer market in front of the databases created, especially for credit reporting purposes, as we see in articles 43 and 44. Later, the Act nº 12.414/2011 enactment has supplemented the consumer information databases’ regulation with rules about consumers’ due performance data.

The 2002 Civil Code, in turn, only allocated the art. 21 to the right to privacy regulation, ignoring the personal data protection notion, which came to be, however, upheld by Act nº 12.527/2011 (Access to Information Act), applicable to the Public administration direct and indirect organs and entities – arts. 4, IV, 6, III, 31, 32, IV – and explicitly enshrined in the text of Act nº 12.965/2014 (Internet Bill of Rights) – arts. 3, II and III, 5, II, 8, 11.

It is necessary to mention the important Draft Bill nº 5.276/2016, now under debate in National Congress. It’s a legislative proposal for a comprehensive data privacy protection act, which addresses “on the processing of personal data by natural person or by public or private legal entity, in order to protect the fundamental rights of freedom and privacy and the free development of the natural person’s personality “(art. 1). The project has a clear inclination to the personal data protection model applied in the EU law, as the national regulations of other South American countries.

[i] OFFICE OF THE UNITED NATIONS HIGH COMMISSIONER FOR HUMAN RIGHTS. The right to privacy in the digital age. 2014. Available at http://www.ohchr.org/Documents/Issues/DigitalAge/A-HRC-27-37_en.doc.
[ii] U.S. Federal Trade Commission abstained from voting.
[iii] About the case see https://en.wikipedia.org/wiki/FBI–Apple_encryption_dispute.
[iv] See, for example, ECHR, Leander v. Sweden , nº 9248/81, 26 march 1987.

[v] CJEU, joined cases C-468/10 and C-469/10, Asociación Nacional de Establecimientos Financieros de Crédito (ASNEF) e Federación de Comercio Electrónico y Marketing Directo (FECEMD) v. Administración del Estad,  24 november 2011, paras. 28 e 29.