The Emerging Brazilian Data Protection Framework

By Daniel Oppermann

According to the Brazilian Institute of Geography and Statistics or IBGE (Instituto Brasileiro de Geografia e Estatística), about 70% of Brazilians (starting at the age of 10) are currently using the Internet at least once every three months. These 181 million individuals are not just communicating, working, studying trading and entertaining themselves online. They are also casually leaving personal data, such as their phone numbers , their images and videos of themselves and others, on countless servers in and outside the country. They are offering their buying patterns to ecommerce providers, handing over their names, addresses, locations and tax numbers to online delivery apps, gaming platforms, social media companies, news sites and many other offline businesses for free.

Although a large part of Internet users in Brazil is at least slightly aware if not concerned about possible risks involved with online activities, this is not sufficient so far to let them consider the concrete risks deriving from privacy violation to which they may be exposed due to their online activities and careless personal data sharing practices.

Importantly, not just online but also offline behaviour is creating large amounts of data about individuals, every day, every minute. Every walk through the streets of Cuiaba, Fortaleza, Curitiba or many other cities is leaving traces if people carry connected devices like cell phones or connected “wearables” with them.

Every coffee purchased in Manaus, every açaí in Santarém, every chocolate-brigadeiro in Ribeirão Preto, every peanut-pé-de-moleque in Nilópolis and every shirt in Wanderlândia is creating data once purchased and paid by credit or debit cards which are widely used throughout the country.

It was not açaí, brigadeiro or shirts, though, that raised awareness in Brazil regarding the importance of privacy and data protection. An important wake-up call was the realization of the widespread surveillance practices, which became known in 2013 as the “NSA scandal”. In such context, it was revealed that even Brazil’s President Dilma Rousseff had her phone tapped, just as hundreds of millions of Internet users all over the world whose user data were recorded by a number of Western security agencies.

Rousseff´s speech at the UN General Assembly  was followed by the NetMundial meeting in São Paulo and the adoption of the Marco Civil da Internet (the Brazilian Digital Rights Framework) and the general debate around the revelations of former NSA contractor Edward Snowden contributed to the growing awareness on privacy risks in the country. Such debate was revamped by the Facebook and Cambridge Analytica scandal in March 2018.

Important to note is, however, that data protection concerns in Brazil are usually focusing on cyberspace and the Internet. Very little discussion is dedicated to issues such as how personal data, routinely collected by stores in exchange of discounts, are utilized and with whom they are shared or to what extent surveillance cameras that are present in front of many if not most buildings can be deemed as secure.

Although the 2013 Snowden revelations raised awareness of citizens and public representatives in Brazil and beyond regarding privacy and online data protection, there were others who had already put the issue on the table before. In 2012, parliamentarian Milton Monti from the state of São Paulo had presented a Data Protection Bill in Brasília which together with a 2016 draft law, initiated by the Rousseff administration and developed through an open consultation, became the basis for the public debate which resulted in the General Data Protection Law or LGPD (Lei Geral de Proteção de Dados) signed by President Michel Temer in August 2018.

The LGPD will enter into force in August 2020 and will be the first comprehensive data protection framework in Brazil. Therefore, private and public organizations are now looking onto the new framework with great interest while they prepare to comply with the new legislation.

Once the new LGPD will be in force, it will provide juridical certainty and offer all individuals – be they Internet users or not – a number of rights allowing them further control over their data, which are collected and processed on servers and in data bases in and outside of Brazil.

In this context, the LGPD addresses and defines different types of data, including personal and sensitive personal data, whereas the latter includes, amongst others, data on race, ethnicity, religion, political views, health, and biometric data. Importantly, the LGPD foresees that personal data can be collected and processed as of part of international data transactions, and data servers can be located within or outside the Brazilian territory as long as the Brazilian legislation is respected.

A number of requirements defines if or how the law is applying to individual cases and situations. These requirements include the questions of where data is being processed (in or outside the country), if goods and services are involved and if the data subject (being the person whose personal data are processed), is or was located on Brazilian territory when the data were collected.

Exceptions are made, however, when specific requirements are fulfilled. This applies to situations in which data are processed for research and non-profit purposes as well as to certain professional situations including journalism or when data are anonymized.

Until the law will finally come into force, one special challenge will be the creation of the National Data Protection Authority or ANPD (Autoridade Nacional de Proteção de Dados). Originally, this agency was supposed to be created at the Ministry of Justice but such original provision was vetoed by President Temer. Instead, Temer decided that the agency should be established within the President’s office. A decision that critics have described as likely to jeopardize the independence of the ANPD. The establishment of a solid, accountable and independent ANPD is critical to allow compliance and specify an ample range of LGPD provisions. So far the ANPD is only foreseen on paper and, until the establishment of this body, it will not be possible to know if the LGPD can be seen a real success for Brazil.