Brazil: Privacy and Data Protection-related Laws

The Brazilian legal system has several sectoral laws that ensure the inviolability of the intimacy and privacy of Brazilian citizens, in accordance with the Brazilian Constitution, the Civil Code, and the Consumer Protection Code.

Law 12,965/2014 (the Internet Bill of Rights or Marco Civil da Internet) was enacted to establish principles and rules for ensuring privacy and data protection in the use of the Internet in Brazil. Decree 8,771/2016, which regulates the law, established guidelines on security standards to be adopted in the retention, storage, and processing of personal data and private communications, including the use of encryption.

However, the Brazilian legislation currently in force is not adequate to provide legal certainty on the processing of personal data by public and private entities. The Internet Bill of Rights is a great step toward the implementation of the right to privacy on the Internet, but it does not assure data protection as a whole. It applies only to “Internet connection providers” and “Internet application providers” and does not encompass several important issues, such as the processing of sensitive data, interconnection, and transfer of personal data.

In turn, the Bill of Law 5,276/2016, which is being discussed in the National Congress, aims at solving this lack of legal certainty in the current context, in which personal data is being collected from the massive use of disruptive technologies. According to the Bill of Law, personal data processing activities shall comply with several principles, such as purpose, transparency, security, free access by the data owner, prevention of damages, and non-discrimination.

Consent is one of nine requirements to authorize the processing of personal data. The Bill of Law expressly provides that personal data processing is allowed under free, express, specific, and informed consent. However, certain flexibility is allowed in the following cases, when necessary:

  • (i) compliance with a legal obligation;
  • (ii) data sharing between governmental entities;
  • (iii) historical, scientific, and statistical research;
  • (iv) execution of contracts, as requested by the data owner;
  • (v) use in judicial or administrative proceedings;
  • (vi) life protection; and
  • (vii) to fulfill the legitimate interest of those responsible for processing the data.

Such flexibility, however, does not stop the individual from controlling her/his personal data.

The bill also provides special rules on sensitive personal data processing, which can only take place under special consent, or without consent in certain circumstances, such as fulfillment of a legal obligation.

International transfer of data is only allowed by the Bill of Law for countries that provide a level of protection for personal data that is equivalent to the level established in Brazilian law. If the personal data is transferred to a country that does not provide such a level of protection, special consent is required.

Security measures and good practices are also required by the bill, and individuals and companies shall be subject to administrative penalties for any breaches of the standards established in the law, which may be applied by an enforcement authority for data protection to be created by the Brazilian government.

In view of this, and despite the fact that there is no expectation as to when the Bill of Law will be approved, Brazilian and foreign companies that process personal data must attempt to implement policies on privacy and personal data protection and, ultima ratio, be committed to transparent corporate governance. This is a sine qua non condition for the sustainable development of disruptive technologies such as the Internet of Things and artificial intelligence.

Brazil currently has no regulation on international data transfer, although there are bills under consideration by the Brazilian Congress to regulate the processing of personal data, including international data transfers.

Nevertheless, Law No. 12.965 states that in any operation for the collection, storage, retention and treatment of personal data by internet application providers where at least one of these acts takes place in the Brazilian territory, Brazilian law must be mandatorily respected regarding the protection of personal data, even if the activities are carried out by a legal entity based abroad, provided that it offers services to the Brazilian public, or at least one member of the same economic group is established in Brazil. Thus, whether or not a foreign company intends to collect data in Brazil for transfer to other countries, Brazil’s Law No. 12.965 applies to the collection, storage, retention and treatment of the personal data collected.

