Brazil's Proposed Privacy Law Raises Concerns

By Ed Taylor

July 30 — The Brazilian government may have its work cut out for it to amend its proposal for a personal data protection framework law after reviewing major concerns raised in public comments.

The public consultation period to evaluate the draft bill ended July 5 with comments showing serious concerns over several aspects of the proposal.

Attorneys who reviewed the comments told Bloomberg BNA that the suggestions for changes dealt primarily with the definition of what constitutes personal data, the rules on prior consent for the use of data, the jurisdictional scope of the proposed law, international transfers of data, the definition of liability and the creation of a Brazilian data protection authority.

With the comments now in hand, the government will create a final proposal to present to Brazil's Congress for approval in a process that attorneys said may take two years.

Personal Data 

One of the main questions that analysts said must be answered by a rewritten proposal is the definition of personal data.

“The draft should clarify what kind of data is within the scope of the law,” for example whether anonymous information is included, Julia Peixoto de Azevedo Arruda, a senior associate at Pinheiro Neto Attorneys in Sao Paulo, told Bloomberg BNA.

“The general impression is that the proposed definition is too broad and there is no clear guidance on how to anonymize data,” she said.

In their comments on the bill, the American Bar Association Sections of Antitrust Law and International Law agreed, saying the bill should be changed to “clarify the standards by which data will be considered anonymous rather than personally identifiable, thereby providing greater guidance on what data comes within the draft bill's core coverage.”

Consent 

On the question of prior consent, Renato Leite Monteiro, an associate at Opice Blum, Bruno, Abrusio & Vainzof Attorneys in Sao Paulo, told Bloomberg BNA the draft bill is considered by many to be too broad, especially with regard to consent and jurisdictional scope issues.

“The consent is very broad and applies to a wide range of data which would require clear and defined consent,” Monteiro said.

According to Arruda, “the need of specific consent for every handling has also been commented by players as something that might have the opposite effect of desensitizing individuals to the importance of data privacy.”

The American Bar Association recommended that “bases for lawful processing in addition to express written consent be considered, and that implied consent be recognized as adequate in appropriate contexts.”

Jurisdiction 

Public comments also raised points about the intended jurisdictional scope of the proposed law.

“The jurisdiction rules say that any data processing act performed in Brazil, regardless of the location of the database, falls under the bill,” Monteiro said.

Bojana Bellamy, president of Hunton & Williams LLP's Centre for Information Policy Leadership, recently said that the jurisdiction provisions would require “a foreign controller using Brazilian data” to obey Brazilian laws.

In its comment on the bill, the Centre said that the broad definition of jurisdiction “could create unexpected consequences and result in interpretations of the law that cause commercial disadvantages” for the Brazilian information technology sector “without equivalent benefits for privacy protection.”

International Transfers 

Regarding international transfers, the draft bill states that data transfers would only be permitted to countries with laws that provide the same level of protection granted by Brazil's law.

“Other means should be considered for allowing cross-border transfer of data,” Arruda said, pointing to comments on the draft bill citing European Union transfer mechanisms, including the use of standard contractual clauses, binding corporate rules and the U.S.-EU Safe Harbor Program.

The Washington-based Information Technology Industry Council in its comments warned that “the limits on international transfers established by the draft bill create barriers on the flow of international data, which are fundamental to the global market, and could impede the economic growth of Brazil.”

Joint Liability 

Some comments on the draft bill expressed concern with its proposed joint liability for data controllers and data processors.

“This should be a private relationship governed by private agreements, which should not affect data controllers' liability towards data subjects,” Arruda said.

She said comments noted that “having joint liability rules in place may be a disincentive to data processing businesses in Brazil.”

Privacy Regulator 

The draft bill discusses the creation of a data protection authority but doesn't provide details. It leaves open whether the privacy regulatory duties would be given to an existing government ministry or a new agency would be created.

“Comments go both ways; some believe an independent DPA is essential and others have commented that Brazil does not need a new governmental agency and that existing agencies—consumer protection and business-specific agencies—could do the work,” Arruda said.

In its comments, the Brazil-U.S. Business Council said the bill doesn't define how the DPA would operate in relation to already existing regulatory agencies. The council called for the bill to require consultation with business regarding any changes.

“Companies require predictability to develop systems that are flexible enough to deal with changes in technology and consumers need guarantees that their data will be adequately protected. We therefore suggest that any future demands be developed with the participation of the interested parties,” the council said.

Next Steps 

“The contributions will be analyzed by the team at the Ministry of Justice. Then a new version of the draft will be released,” Monteiro said.

“This might happen by the end of the year. Afterwards the draft will become a bill of law in order to be discussed at the different houses of Congress,” he said.

“This might take a couple of years,” Monteiro said.

To contact the reporter on this story: Ed Taylor in Rio de Janeiro at correspondents@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

Further information on the draft bill, including the text of the proposed law and links to comments submitted during the consultation period, is available, in Portuguese, at http://pensando.mj.gov.br/dadospessoais/texto-em-debate/anteprojeto-de-lei-para-a-protecao-de-dados-pessoais/.