Privacy is one of the basic rights guaranteed by the Brazilian Constitution and one of the principles
With the advent of technologies able to massively collect personal data, it’s worrisome that Brazilian organizations, whether public or private, have not yet raised the flag of privacy. An example of this was the cooperation agreement signed in 2013 that was later repealed
A change of paradigm is urgent and requires robust legislation on personal data protection.
Currently, the Brazilian legal system has several
The Law 12,965/2014 (known as the Internet Bill of Rights or Marco Civil da Internet) was enacted to establish principles and rules for ensuring privacy and data protection on the use of the Internet in Brazil. The
However, Brazilian legislation currently in force is not adequate enough to provide legal certainty
In turn, the Bill of Law 5,276/2016, which is being discussed in the National Congress, aims at solving this lack of legal certainty in the current context, in which personal data is being collected from the massive use of disruptive technologies. According to the Bill of Law, personal data processing activities shall comply with several principles, such as purpose, transparency, security, free access
The consent is one of nine requirements to authorize the processing of personal data. The Bill of Law expressly provides that personal data processing is allowed under free, express, specific, and informed consent. However, certain flexibility is allowed in cases when it is necessary: (i) compliance with legal obligation; (ii) data sharing between governmental entities; (iii) historical, scientific, and statistic research; (iv) execution of contracts, as requested by the data owner; (v) use in judicial or administrative proceeding; (vi) life protection; and (vii) to fulfill legitimate interest of those responsible for processing the data. Such flexibility, however, does not stop the individual from controlling her/his personal data.
The bill also provides special rules on sensitive personal data processing, which can only take place under special consent, or without consent in certain circumstances, such as fulfillment of
International transfer of data is only allowed by the Bill of Law for countries that provide a level of protection for personal data that is equivalent to the level established
Security measures and good practices are also required by the bill, and individuals and companies shall be subject to the administrative penalties for any breaches of the standards established in the law, which may be applied by an enforcement authority for data protection to be created through the Brazilian government.
In view of this and despite the fact that there is no expectation as to when the Bill of Law will be approved, Brazilian and foreign companies that process personal data must attempt to implement policies on privacy and personal data protection, and ultima ratio be compromised with a transparent corporate governance. This is a sine qua