Data protection in Brazil: overview

A Q&A guide to data protection in Brazil.

This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.

To compare answers across multiple jurisdictions, visit the Data Protection Country Q&A tool.

This article is part of the global guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-guide.

Claudio R Barbosa and Pedro Vilhena, Kasznar Leonardos Advogados

Regulation

Legislation

1. What national laws regulate the collection and use of personal data?

General laws

Brazil still lacks a general law concerning the protection of personal data. As part of a bigger effort towards regulating civil rights on the internet (which included the enactment of the Brazilian Civil Rights Framework for the Internet), the Ministry of Justice started working on a draft bill of Law on Data Protection in 2011.

The draft has undergone several periods of public consultations, whose contributions were gradually incorporated. The final draft was achieved and published in October 2015, and subsequently sent to the President's Chief of Cabinet, for consideration. A few more adjustments were made before the submission to the National Congress on 13 May 2016.

The draft was renamed Bill 5276/2016 and is currently being processed by the House of Deputies, where it is expected to be analysed by three commissions:

  • Commission of Constitution, Justice and Citizenship.

  • Commission of Science, Technology, Communications and Informatics.

  • Commission of Labour and Public Administration.

Public consultations and open debate are expected to take place following the bill's approval by the three commissions. Although the bill's procedural protocol has been tagged urgent, it is not possible at this moment to predict when the bill will be voted on.

While the protection of personal data has yet to be fully recognised under the law, the Federal Constitution sets out two fundamental rights that imply an important degree of protection for privacy. Article 5, Sections X and XII of the Federal Constitution determine the inviolability of privacy and private life, and guarantee the secrecy of correspondence and of telegraphic, data and telephone communications.

Sectoral laws

While Brazil lacks a general law on data protection, several fields enjoy substantial levels of protection under sectoral laws.

The most noticeable sectoral law is the Brazilian Civil Rights Framework for the Internet (Internet Act). The Internet Act contains a section regulating aspects of the protection of personal data processed online by connection providers and by internet application providers.

Further glimpses of protection of personal data can be found in the:

  • Consumer Protection Code, concerning the protection of personal data included in consumer-related databases (mostly regarding credit information).

  • Compliant Debtors List Act, concerning the collection, use and sharing of data registered in the credit databases of payers in good standing.

  • Tax Code, concerning tax secrecy.

  • Bank Secrecy Act, concerning the secrecy of banking operations.

  • Access to Information Act, concerning personal data registered in public databases.

Scope of legislation

2. To whom do the laws apply?

The Federal Constitution and the Civil Code apply to Brazilian individuals and entities, as well as to foreigners living in Brazil. Each sectoral law touches a specific group of people under given circumstances:

  • Brazilian Civil Rights Framework for the Internet applies to internet users and to internet service providers (especially to connection providers and internet application providers).

  • Consumer Protection Code applies to consumers and suppliers of services or goods.

  • Access to Information Act applies to the public administration, as well as to private individuals or entities having access to sensitive or personal data from the public administration.

  • Tax Code applies to tax authorities and taxpayers.

  • Bank Secrecy Act applies to financial institutions operating in Brazil.

  • Compliant Debtors List Act applies to private entities operating credit databases.

 
3. What data is regulated?

Currently, there is no definition of "personal data" under the law. The assessment of what data is regulated must be made in view of the specific protections granted by sectoral laws. The Brazilian Civil Rights Framework for the Internet protects personal data (generally, without a precise definition of what would be considered personal data), private communication content and access logs regarding both internet connection and applications. Under the Access to Information Act, any information registered in public databases relating to an identified or identifiable person can be considered "personal data".

The Bill of Data Protection Act sets a tentative definition of personal data: "data related to an identified or identifiable person, including identification numbers, locational data or electronic identifiers whenever those relate to a person" (Article 5, Section I, Bill of Data Protection Act).

 
4. What acts are regulated?

The Brazilian Civil Rights Framework for the Internet regulates the processing of personal data, including the collection, storage, retention, treating and communication of personal data.

Further acts are regulated by the:

  • Consumer Protection Code (such as the storage of consumer information).

  • Access to Information Act (such as the processing of personal data in public files).

  • Tax Code (such as the disclosure of information regarding taxpayers under debt renegotiation plans).

  • Bank Secrecy Act (such as the processing of personal data by banks).

  • Compliant Debtors List Act.

It is expected that the eventual Data Protection Act will partially revoke some of the provisions contained in the laws mentioned above, with the purpose of creating a uniform data protection regime.

 
5. What is the jurisdictional scope of the rules?

The provisions of the Brazilian Civil Rights Framework for the Internet apply to any operation related to the collection, storage, retention, treating and communication of personal data by connection providers and internet application providers when at least one of these takes place in Brazil.

The Federal Constitution and the Civil Code apply to any privacy breaches taking place in Brazil. The Consumer Protection Code applies to consumer relationships entered into in Brazil. The Access to Information Act applies to the Brazilian public administration. The Tax Code applies to taxpayers and to the tax authorities. The Bank Secrecy Act applies to financial institutions operating in Brazil. The Compliant Debtors List Act applies to credit databases operating in Brazil.

The Bill of Data Protection Act foresees a broader jurisdictional scope and, if enacted with its current text, will apply to:

  • Any data processing taking place in Brazil.

  • Any data processing operation whose purpose is the offer of a good or service in the Brazilian market.

  • Any data processing operation referring to data subjects located in Brazil.

  • Any data processing operation referring to data collected in Brazil.

 
6. What are the main exemptions (if any)?

Currently, there are no relevant exemptions to the specific rules set out in the laws mentioned above. Given its more general nature, the Bill of Data Protection Act establishes a set of exemptions, namely data processing carried out:

  • By a person for strictly personal purposes.

  • Exclusively with journalistic, artistic, literary or academic purposes.

  • Exclusively for national security, national defence or criminal repression purposes.

Notification

7. Is notification or registration required before processing data?

None of the laws protecting personal data require a prior notification or registration for any data processing activities. Under the Brazilian Civil Rights Framework for the Internet, the general requirement for data processing activities (such as the collection, use, storage and transfer of personal data) is the data subjects' consent.

 

Main data protection rules and principles

Main obligations and processing requirements

8. What are the main obligations imposed on data controllers to ensure data is processed properly?

The Brazilian Civil Rights Framework for the Internet (Internet Act) binds data controllers to a set of obligations that aim to ensure proper data protection. Data controllers must provide data subjects with clear and complete information regarding the obtaining, use, storage, processing and protection of their personal data (Article 7, Section VIII, Internet Act). Under the subsequent section, data controllers must obtain express, separate consent to carry out any data processing operations. Data controllers must also keep logs confidential, unless otherwise required by a court order, and must confirm which security and confidentiality measures are being taken to safeguard the data under their control.

Bolder obligations are set out in the Bill of Data Protection Act, such as the mandatory appointment of a person responsible for data protection and, in some circumstances, of a Chief Data Protection Officer (to be appointed as an official member of the Board of Directors). These new obligations will certainly be more closely monitored by the future regulatory agency.

 
9. Is the consent of data subjects required before processing personal data?

Currently, data subjects must provide their express consent regarding the collection, use, storage and processing of personal data (Article 7, Section IX, Brazilian Civil Rights Framework for the Internet). The consent must be made in an emphasised clause, separate from the remainder of the agreement or of the terms of use. Consent cannot be implied.

The Civil Code requires the data subject to be over 18 years of age, able to decide their own acts and able to express their will. The following persons must be assisted in order to express valid consent:

  • Minors between 16 and 18 years.

  • Those with a reduced ability to decide on their own acts.

  • Those with incomplete mental development.

Minors under 16 years of age must be represented by their parents.

More specific rules on consent will be enacted in the scope of the Draft of Data Protection Act.

 
10. If consent is not given, on what other grounds (if any) can processing be justified?

The partial regulation of data protection envisaged in the Brazilian Civil Rights Framework for the Internet (Internet Act) does not foresee any grounds that can justify a data processing operation other than the data subjects' consent. In some cases, a court order can authorise a processing operation for the disclosure of personal data (Article 7, Sections II and III, Internet Act).

The full regulation set out in the Bill of Data Protection Act includes some exceptions to the general rule of consent, which allow for the processing of data on the following grounds (among others):

  • Fulfilment of a legal obligation of the data controller.

  • Protection of the data subject's or a third party's life or health.

  • Protection of the data subject's interests.

Special rules

11. Do special rules apply for certain types of personal data, such as sensitive data?

Special rules apply to the secrecy guarantees provided by the Constitution to bank information, correspondence and telegraphic, data and telephone communications, even if these are not recognised as sensitive data. The Brazilian Civil Rights Framework for the Internet does not mention sensitive data, so its regime of protection will apply to any personal data.

Special rules for "sensitive data" are set out in the Bill of Data Protection Act, which defines sensitive data as data relating to the subject's:

  • Racial or ethnic origin.

  • Religious beliefs.

  • Political opinions.

  • Affiliation to unions or political, philosophical or religious organisations.

  • Health.

  • Sexual life.

  • Genetic and biometric data.

The current wording of the Bill includes special rules applicable to sensitive data, such as:

  • The requirement of special separate consent.

  • Prior information to data subjects about the risks involved in the processing of their sensitive data.

 

Rights of individuals

12. What information should be provided to data subjects at the point of collection of the personal data?

The Brazilian Civil Rights Framework for the Internet (Internet Act) has two provisions concerning information to be provided to data subjects. Data subjects are entitled to clear and complete information, in service agreements, detailing the protection of logs (concerning both connection and application) (Article 7, Section VI, Internet Act). Data subjects are entitled to clear and complete information on the collection, use, storage, processing and protection of their personal data, which can only be used for purposes that (Article 7, Section VIII, Internet Act):

  • Justify their collection.

  • Are not prevented by law.

  • Are specified in the services agreement or in the terms of use of the internet application.

 
13. What other specific rights are granted to data subjects?

Article 7 of the Brazilian Civil Rights Framework for the Internet sets out the main rights and guarantees for internet users. Among these are rights related to data protection, such as:

  • I: inviolability of intimacy and private life, safeguarding the right to protection and compensation for material or moral damages resulting from their infringement.

  • II: inviolability and secrecy of the flow of users' communications through the Internet, except by court order, as provided by law.

  • III: inviolability and secrecy of user's stored private communications, except on a court order.

  • VI: clear and full information contained in service agreements, setting out the details concerning the protection of connection records and records of access to internet applications, as well as the network management practices that may affect the quality of the service provided.

  • VII: non-disclosure to third parties of users' personal data, including connection records and records of access to internet applications, unless with express, free and informed consent.

  • IX: express consent for the collection, use, storage and processing of personal data, which must be specified in a separate contractual clause.

  • X: the definitive elimination of the personal data provided to a certain internet application, at the request of the users, at the end of the relationship between the parties, except in the cases of mandatory log retention.

  • XI: the publicity and clarity of any terms of use of the internet connection providers and internet applications providers.

  • XIII: application of consumer protection rules in the consumer interactions that take place on the internet.

Further rights are established in the Consumer Protection Code, the Access to Information Act, the Tax Code, the Bank Secrecy Act and the Compliant Debtors List Act, each applying to the corresponding data protection provisions.

 
14. Do data subjects have a right to request the deletion of their data?

Data subjects have a right to request the deletion of their data only if the circumstances allow the application of the Brazilian Civil Rights Framework for the Internet (Internet Act). This will be the case, as the right is listed in Article 7 as one of internet users' rights and guarantees (see Question 13). Data subjects can request the definitive deletion of their personal data from internet application providers at the end of their relationship. However, the right cannot supersede mandatory log retention.

If the Internet Act is not applicable to the case, no equivalent provision can be found in the remaining laws ruling on sectoral data protection.

The Bill of Data Protection Act addresses the issue, creating a universal right to request the deletion of data.

 

Security requirements

15. What security requirements are imposed in relation to personal data?

The Brazilian Civil Rights Framework for the Internet (Internet Act) does not rule on specific security requirements, even if it lists among the obligations of connection and applications providers the need to provide clear information about the security and confidentiality measures. On the other hand, the recent Decree on the Internet Act effectively sets security guidelines for personal data storage and processing, namely:

  • Strict control for access to such data, with the definition of privileges of access and of personal liability for those accessing this data.

  • The provision of authentication mechanisms allowing the identification of the person responsible for the data processing.

  • The creation of access logs containing the moment, the duration and the identity of the person responsible for each access.

  • The use of technologies that guarantee the inviolability of the data, such as encryption and equivalent protection measures.

Additionally, the Internet Act requires autonomous system administrators to maintain connection records in a confidential, controlled and safe environment and certain application providers (those incorporated as a legal entity and which operate in an organised and professional manner) must keep application access logs confidential and in a controlled and safe environment.

There is no equivalent provision in the remaining laws ruling on sectoral data protection.

 
16. Is there a requirement to notify data subjects or any regulator of personal data security breaches?

None of the laws protecting personal data requires the notification of data subjects or of a regulatory agency in the case of a data security breach.

However, this scenario is expected to change if the Bill of Data Protection Act is approved in its current form, as the current text requires immediate reporting to the competent authorities in the case of any security incident that may result in damage to the data subjects.

 

Processing by third parties

17. What additional requirements (if any) apply where a third party processes the data on behalf of the data controller?

Consent is the only requirement here.

 

Electronic communications

18. Under what conditions can data controllers store cookies or equivalent devices on the data subject's terminal equipment?

While there is no provision in the Brazilian Civil Rights Framework for the Internet specifically ruling on cookies and equivalent devices, the construal of its privacy and data protection provisions unequivocally leads to the conclusion that the storage of cookies on the data subject's terminal equipment can only be considered legal if expressly consented to.

 
19. What requirements are imposed on the sending of unsolicited electronic commercial communications (spam)?

There is no legal rule regulating the sending of spam under the law. However, Brazil's long history of self-regulation in advertising issues has led to the creation of a Self-Regulation Code for E-mail Marketing Practices. While not legally binding, the Code sets basic rules concerning the protection of internet users and the obligation of the inclusion of an opt-out link in every communication sent. Sanctions can include blocking the sender's domain name.

 

International transfer of data

Transfer of data outside the jurisdiction

20. What rules regulate the transfer of data outside your jurisdiction?

The law has yet to rule on international transfers of data. The protection of personal data under the Brazilian Civil Rights Framework for the Internet is still limited when compared to the complex system envisaged by the Bill of Data Protection Act. Therefore, it lacks some relevant provisions, such as a regulation concerning international transfer of data.

The Bill of Data Protection Act currently under discussion has a full Chapter devoted to international transfers. Article 33 of the Bill of Data Protection Act establishes that an international transfer would only be allowed to countries with equivalent levels of data protection, or when expressly consented to by data subjects after specific information concerning the international nature of the operation and the risks entailed has been given. The Bill of Data Protection Act also contains a limited number of exceptions and sets out joint liability between assignors and assignees for any data treatment occurring after the transfer.


 
21. Is there a requirement to store any type of personal data inside the jurisdiction?

Under the Brazilian Civil Rights Framework for the Internet (Internet Act), it is possible to store subjects' personal data anywhere. However, Article 11 of the Internet Act determines that the laws apply to any operation of data treatment if the data was collected in Brazil (even if stored abroad).

Also, regardless of where the data is stored, Article 10 of the Internet Act provides that the storage of data must comply with the protection of data subject's privacy, private life, reputation and image.

There is no equivalent provision in the remaining laws ruling on sectoral data protection.

Data transfer agreements

22. Are data transfer agreements contemplated or in use? Have any standard forms or precedents been approved by national authorities?

Data transfer agreements are neither contemplated nor in use. In view of the absence of specific rules, these agreements can be entered into provided they comply with the existing legal framework for the protection of personal data, including the:

  • Requirement to obtain the data subjects' consent.

  • Implementation of adequate security measures.

 
23. Is a data transfer agreement sufficient to legitimise transfer, or must additional requirements (such as the need to obtain consent) be satisfied?

Whenever the circumstances allow the application of the Brazilian Civil Rights Framework for the Internet, a legitimate data transfer requires the data subjects' consent, and this requirement cannot be outweighed by a data transfer agreement. There is no equivalent provision in the remaining laws ruling on sectoral data protection.

 
24. Does the relevant national regulator need to approve the data transfer agreement?

Brazil does not currently have a national data protection regulatory agency. The current text of the Bill of Data Protection Act requires authority approval for international transfers destined to countries that do not provide equivalent levels of protection. No mention is made of domestic transfers.

 

Enforcement and sanctions

25. What are the enforcement powers of the national regulator?

As mentioned in Question 24, Brazil has yet to create a national agency regulating data protection. The Decree on the Brazilian Civil Rights Framework for the Internet grants:

  • Regulatory, monitoring and sanctioning powers to the National Telecommunications Agency.

  • Monitoring and sanctioning powers to the National Consumer Protection Secretary.

  • Sanctioning powers to the anti-trust authorities.

These powers are evidently related to the governmental bodies' original competences.

The Bill of Data Protection Act foresees a "relevant agency", whose enforcement powers include monitoring, auditing and regulatory activities, as well as the application of sanctions for non-compliance.

 
26. What are the sanctions and remedies for non-compliance with data protection laws?

Non-compliance with data protection regulations under the Brazilian Civil Rights Framework for the Internet can result in:

  • A warning.

  • A fine of up to 10% of the gross income of the economic group in Brazil in the preceding fiscal year, excluding taxes.

  • A temporary suspension of the activities that entail treatment of data.

  • The prohibition to perform such activities.

Moreover, under the general rules of civil liability, any aggrieved party can claim indemnification for material and moral damages arising from the illicit processing of personal data.

Finally, further sanctions are established in the:

  • Consumer Protection Code.

  • Access to Information Act.

  • Tax Code.

  • Bank Secrecy Act.

  • Compliant Debtors List Act.

Each applies to non-compliance with the corresponding data protection provisions.

 

Online resources

Federal Constitution

W http://www.planalto.gov.br/ccivil_03/Constituicao/ConstituicaoCompilado.htm

Description. Brazilian Federal Constitution (official Portuguese text).

W http://www.stf.jus.br/repositorio/cms/portalstfinternacional/portalstfsobrecorte_en_us/anexo/constituicao_ingles_3ed2010.pdf

Description. Brazilian Federal Constitution (non-binding English text provided by the Brazilian Supreme Court).

Civil Code

W http://www.planalto.gov.br/ccivil_03/leis/2002/L10406compilada.htm

Description. Brazilian Civil Code (official Portuguese text).

Tax Code

W www.planalto.gov.br/ccivil_03/Leis/L5172.htm

Description. Brazilian Tax Code (official Portuguese text).

Consumer Protection Code

W www.planalto.gov.br/ccivil_03/Leis/L8078.htm

Description. Brazilian Consumer Protection Code (official Portuguese text).

Internet Act

W www.planalto.gov.br/CCIVIL_03/_Ato2011-2014/2014/Lei/L12965.htm

Description. Brazilian Internet Act (official Portuguese text).

W

Description. Decree on the Brazilian Internet Act (official Portuguese text).

Bill of Data Protection Act

W www.camara.gov.br/proposicoesWeb/prop_mostrarintegra?codteor=1457459&filename=PL+5276/2016

Description. Brazilian Bill of Data Protection Act (official Portuguese text).

Compliant Debtors List Act

W www.planalto.gov.br/ccivil_03/_Ato2011-2014/2011/Lei/L12414.htm

Description. Brazilian Compliant Debtors List Act (official Portuguese text).

Bank Secrecy Act

W www.planalto.gov.br/ccivil_03/Leis/LCP/Lcp105.htm

Description. Brazilian Bank Secrecy Act (official Portuguese text).

Access to Information Act

W www.planalto.gov.br/ccivil_03/_Ato2011-2014/2011/Lei/L12527.htm

Description. Brazilian Access to Information Act (official Portuguese text).



Contributor profiles

Claudio R Barbosa, Partner, Co-Head of Internet Law Practice

Kasznar Leonardos Advogados

T +55 11 2122 6604
F +55 11 2122 6633
E claudio.barbosa@kasznarleonardos.com
W www.kasznarleonardos.com

Professional qualifications. Brazil, lawyer

Areas of practice. Intellectual property law; data protection law.

Non-professional qualifications. LLM in International Law, USP, 2002; LLM in Intellectual Property Law, GWU Law School, 2000; SJD in Commercial Law, USP, 2007; invited lecturer in several institutions.

Recent transactions

  • Advising companies in Brazil on implementing e-commerce, privacy policies and internal policies concerning data protection (including the leading construction material retailer chain and the leading agribusiness information company).

  • Advising a payment solutions start-up in connection with data protection issues in Brazil.

  • Reviewing the Information Security Policy of a major air carrier.

Languages. Portuguese, English, French

Professional associations/memberships

  • São Paulo Section of the Brazilian Bar Association (OAB/SP).

  • Brazilian Intellectual Property Association (ABPI).

  • International Technology Law Association (Itechlaw).

  • Centre for Studies of Law Firms (CESA).

Publications

  • From Brussels to The Hague: The Ongoing Process Towards Effective Multinational Patent Enforcement. IIC. International Review of Intellectual Property and Competition Law, v 32, p 729-761, 2001.

  • Propriedade Intelectual. Introdução à Propriedade Intelectual como Informação (Intellectual Property. Introduction to Intellectual Property as Information): 1. ed. Rio de Janeiro: Elsevier, 2009.

  • As infrações de propriedade industrial e o Marco Civil da Internet (Industrial property infringement and the Internet Act): Gustavo Artese (Coord.). Marco Civil da Internet. 1. Ed., São Paulo, Quartier Latin, 2015.

  • Informação e Globalização (Information and Globalization): Alberto do Amaral Júnior (Org.). Direito do Comércio Internacional. 1 ed. São Paulo: Editora Juarez de Oliveira, 2002, v Único, p 35-58.

  • A proteção internacional da propriedade intelectual e aspectos incidentes no Mercosul (International protection of intellectual property and its aspects regarding Mercosur): Maristela Basso (Org.). Mercosul. Seus Efeitos Jurídicos, Econômicos e Políticos nos Estados-Membros. 2 ed. Porto Alegre: Livraria do Advogado, 1997, v Único, p 287-317.

Pedro Vilhena, Associate, Co-Head of Internet Law Practice

Kasznar Leonardos

T +55 11 2122 6600
F +55 11 2122 6622
E pedro.vilhena@kasznarleonardos.com
W www.kasznarleonardos.com

Professional qualifications. Brazil, lawyer

Areas of practice. Data protection law; intellectual property law.

Non-professional qualifications. LLM in International European Intellectual Property Law, CEIPI - Strasbourg University; invited lecturer in several institutions.

Recent transactions

  • Advising companies in Brazil on implementing e-commerce, privacy policies and internal policies concerning data protection (including the leading construction material retailer chain and the leading agribusiness information company).

  • Advising a payment solutions start-up in connection with data protection issues in Brazil.

  • Reviewing the Information Security Policy of a major air carrier.

Languages. Portuguese, English, French, Spanish

Professional associations/memberships

  • São Paulo Section of the Brazilian Bar Association (OAB/SP).

  • Brazilian Intellectual Property Association (ABPI).

  • International Trademark Association (INTA) - Chair of the Latin American and the Caribbean SubCommittee on Non-traditional Marks.

Publications

  • A responsabilidade civil de provedores na internet (Liability of application providers on the internet). Correio Braziliense, June 26, 2016.

  • Companies face new challenges regarding data protection in Brazil. Global Data Hub, 1 May 2015.

  • Lessons from China. Managing IP, 30 April 2014.

  • The evolution of the Brazilian legal framework in view of major entertainment and sporting events. Intellectual Property and Entertainment Law, 1 September 2013.

