Over 100 countries in the world already have regulations concerning Data Protection and Privacy. Currently, there is a complex and costly worldwide structure that was created and organized specially to deal with such related matters. This framework demands from companies, governments and other players a number of conditions and requirements to collect, treat, publish or transfer personal data.
In contrast to this worldwide trend towards establishing a specific data protection regulation, Brazil does not yet have a specific law on the matter; however, the new draft bill indicates that changes will soon take place.
After over 5 years of discussions with the society and economic players, the Brazilian Ministry of Justice, through the National Secretariat of Consumers (“SENACON”), made public, on October 20, the final version of the Draft Bill on Data Protection (“APL”), before forwarding the document to National Congress, to commence debates within the legislative process.
Based in a long process of discussion and Public Consultations, the new version of the Draft Bill contemplates over 2,000 contributions received from Brazilians and foreign interested parties.
The Draft Bill must, initially, pass through the Chief of Staff Office to subsequently be introduced as a Bill of Law to the National Congress, where it will follow the regular legislative procedure until its approval.
Bearing this in mind, the main questions approached by the new version of the Bill are highlighted below, so that every company can be prepared for possible impacts:
Consent: the APL establishes the obligation to obtain “free and unequivocal” consent as a requirement to the personal data treatment, with some exceptions, such as the data treatment that seeks the protection of life or physical safety of the personal data owner.
Moreover, sensitive data is subject to higher degree of care and protection due to its relevance (including personal data on ethical origins, religious convictions or political opinions), which means the consent must be “unequivocal, express and specific.”
In this sense, as a general rule, the company that is receiving the personal data must collect the informed consent of their clients before any handling of the data.
“ARCO” Rights (Access, Rectification, Cancellation and Opposition): the internationally known “ARCO Rights,” are reaffirmed.
With these rights, the data owners will be able to require, free of any charge, (i) information regarding the treatment that their data is subject to and the purpose of the proceeding; (ii) possible corrections, if the information is incomplete, inaccurate or outdated; (iii) the cancellation of their data to avoid inappropriate, excessive or unnecessary use; and (iv) present opposition to the treatment of their data.
Creation of agencies to supervise, implement and orient the matter: The Draft Bill sets forth the creation of 2 agencies – the so-called “Competent Body,” responsible for the supervision and implementation of the law, and the National Data Protection and Privacy Council, whose main function will be the issuance of data protection guidelines, including the suggestion of actions to be taken by the Competent Body.
This Council will have 15 members, including representatives from the civil society and the private business sector.
Requirement for the creation of an internal corporative data protection structure: The new version of the Draft Bill creates 2 positions that must be considered as internal references in corporations as to Data Protection matters: the responsible officer and the operator. These 2 positions require that companies keep a registry of all data treatment operations. In addition, the Competent Body will have the authority to determine the need to draft further documents concerning these operations.
The possible approval of the law, as proposed, will establish the need to create a specialized data protection structure within all corporations, pursuant to these new Brazilian rules.
International Data Transfer: The Draft Law also sets forth a few rules to regulate the international data transfer. This kind of transfer can only occur, in principle, to countries that can provide a comparable level of security.
In Brazil’s current legislation, there are no rules regulating said transfer. In this sense, numerous businesses are hosted in neighboring countries instead of in Brazil, since they already present consolidated data protection rules, equivalent to European standards, such as Argentina and Uruguay.
__________
*Leonardo Palhares is lawyer at Almeida Advogados.
*Caio Faria Lima is lawyer at Almeida Advogados.
Also with relevant contributions from Isabela Fernandes Pereira.
