News that we can soon expect
The year 2018 has not yet reached the middle of its course, and we can already say that the legal protection granted to personal data is one of the most debated topics of the year. The privacy of individuals and how personal data is collected, used, transferred, and stored[1] by companies and government entities are in the sights of heated debates, in numerous newspaper articles, in themes of various seminars, [2] and also in some lawsuits. It would be very difficult that the reader, regardless of how attentive, has not yet come across the phrase “data is the new oil”. If this is true, in Brazil (and the rest of the world), we are living in a real race to ensure greater protection or at least discussing how to do that.
However, there are many reasons why the debate should be on the agenda. In March, in the international arena, the scandal related to the actions of Cambridge Analytica, a consultant contracted to influence elections in several countries, acting through the data of Facebook users (platform with approximately 1/3 of the world’s population), brought up how sensitive, yet at the same time, how complex its regulation is[3]. On the other hand, in May, we have been faced with the European Regulation for the Protection of Personal Data (better known as “GDPR – General Regulation for Data Protection”), entering into force, a regulation that aims to meet the challenge and to regulate the use of data better, protecting the holder against companies operating inside or outside of Europe[4].
In Brazil, the first semester has also been agitated. Even without any change in our legislation, we have taken significant steps in this area. The Personal Data Protection Commission of the Public Ministry of the Federal District and Territories has been acting, on almost a monthly basis, in the establishment of Public Civil Inquiries and Preparatory Procedures to investigate unauthorized use of personal data and / or security leaks and incidents. Besides that, Normative Order 539, issued in April by this MP, gives the Commission new competence to “promote the defense of the interests and diffuse collective and individual homogeneous rights of the holders of personal data.”[5] In addition, we have seen the filing of two Public Civil Actions that touched the theme. The first one is by the Federal Public Prosecutor of São Paulo [6] and the other is by the Public Ministry of Rio de Janeiro[7]. Finally, the Central Bank issued Resolution 4,658, which addresses the parameters for adopting cyber policies and requirements for hiring financial institutions for processing and storing data in the cloud.
Although, in the legislative sphere, we have even more discussions. Two bills with greater chances of approval are in the pipeline, each proposed by one of the houses of National Congress. Thus fore, “PLS 330” and “PL 4060/5276” (now PLC 53)[8] are the central identifiers of the debate, because, if approved, they would inaugurate a new phase of legal protection for personal data in the country, moving away from the current model of sectoral and specific regulation. Any of them would create the “General Law of Protection of Brazilian Data”.
For those who closely follow the legislative movement – the various amendments and replacement projects that have been circulating for some years, it is undeniable to realize how we have evolved into bills clearly inspired by international experiences, especially in GDPR and its enforcement structure. Likewise, despite their differences, the similarities between the projects are significant too.
For this reason, we decided to list four innovations that will be true in the country, if any of these projects is approved by the National Congress.
- Differentiation between the Responsible and the Operator in Data Processing Activities.
Another update to be introduced by the new general law will be the differentiation between agents who process personal data. As in the GDPR, the bills analyzed here bring the differentiation between who is the “responsible” for the data treatment and who is the “operator” that performs such treatment. Once again, the definition set out in the proposals is the same. The company, entity, or body that makes decisions such as how the personal data will be treated will be understood as “responsible”. On the other hand, “operator” will be the company or entity linked to the “responsible” that is responsible for carrying out such activities.
Such distinctions will be relevant at the time of determining the responsibilities against the damage caused to the data subject. Additionally, it is important to emphasize here that the projects establish the possibility of joint liability between agents, and even if the legislative proposals do not create such a bond of solidarity in exactly the same way, both guarantee the right of return to the one who was obliged to repair the damage integrally. It is understood that this would be a measure of guaranteeing effective indemnification to the data subject, the most vulnerable part of the relationship.
- News Rules for Internacional Data Transfers
The initiation of GDPR into force, as it should not have been, has brought about a great deal of discussion, regarding the rules related to the international transfer of data. More specifically, this is the sending of personal data collected in a certain territory to be “treated” in another jurisdiction. After all, this is a common practice today, mainly because of the internet and the existence of companies acting globally, some of which operate exclusively online. The problem arises when there is unauthorized use of personal data or even security breaches in a jurisdiction other than the one in which the data subject is located. In addition to being an expensive topic for discussions related to national defense and public safety.
Hence, there is a need to establish norms to regulate the transit of personal information. Both legislative proposals do not shy away from establishing such rules, although, the two texts determine very similar criteria for companies in Brazil to legally transfer data abroad. These include: (a) the possibility of a lawful transfer to an “international country or organization with adequate protection,” to be declared by a competent authority; (b) the possibility of transfer by specific, free, and informed consent of the data subject; and (c) the possibility of transfer when the responsible party offers guarantees to the holder of the rights, principles, and protection regime of the Brazilian law in the jurisdiction of destination. Each of these hypotheses poses different challenges, which should be carefully evaluated by the companies that transfer data abroad, depending on the country of destination, the type of data, and / or the structure of the corporation.
- Law enforcement for Public and Private Entities
On a number of occasions, when we read articles or participate in discussions related to privacy, data protection, big data, or the internet of things, we find that the focus given to the discussion is restricted to the processing and use of personal data by private sector companies from different markets, acting in completely unlike areas. This may lead the reader to conclude that the bills under discussion would not apply to government entities, state bodies, or even public or mixed economy enterprises.
In the same way, we know that public entities in all spheres (public banks, hospitals, and health posts, fiscal and tax control bodies, databases of assistance services, judicial and penitentiary, schools, just to mention a few), undeniably access, use, and store the personal data of all Brazilian citizens. Thus, it is reasonable that a law aimed at protecting the holder of personal data guarantees such protection against public entities in a more concrete and efficient way than the current legislation.
Fortunately, this is the case. Both projects, to a greater or lesser extent, contain specific chapters detailing the norms and responsibilities of public sector bodies against the protection of personal data they have and are known to use[9]. Therefore, such public entities shall be obliged to perform duties and responsibilities regarding the use of the personal data of Brazilians, whose rights will be ensured in the same way.
- Good Practices as Criteria for Weighting in the Application of Fines and Penalties
Finally, it is important to mention that both projects bring forth a list of sanctions to be applied to those who violate the terms of the future law. These sanctions are presented in a list that begins with the least burdensome (warning) and evolves to the most serious to the offender (partial or total prohibition of the exercise of data processing activities). It should be noted that this model and these sanctions are the same as those currently in force in the Internet Legal Framework[10].
As for the fine established, both legislative proposals bring the value of 2% of the billing [11] of the company or economic group in Brazil in the last financial year. However, while PLS 330 stipulates that the fine is to be imposed only in the event of an offense already committed, PL 4060/5276 does not impose this condition and still provides for the possibility of daily application, but it limits its value to 50 million reals per infringement.
It should be emphasized that the two proposals also include parameters and criteria to be observed by the authority in the calibration of the sanctions to be applied, such as (a) implementation of good practices and internal policies and (b) adoption of measures and mechanisms capable of minimizing the damage to the data subject in the case of infringement. Thence, it remains clear that the future law will privilege companies that understand the responsibility of their performance in the processing of personal data and implement concrete measures to manage and properly safeguard the personal data at their disposal.
In conclusion, despite the existence of two bills and uncertainties about when it will be approved (with the World Cup and elections disputing the attention of the members of Congress), as demonstrated here, the proposals factually have points of convergence.
Furthermore, it is important to note that the established deadlines on these projects for entry into force are extremely short, considering the impact of the new law on the activities of virtually all companies and public agencies in the country. Companies and state bodies would only have 12 months (in the case of PLS 330) or 18 months (in the case of PL 4060/5276) to be in total compliance. In comparative terms, the GDPR itself had 24 months of vaccatio legis, and surely, it was not the first European legislation on the subject that has been debated on the continent for more than 20 years.
Thus, if it is true that the country is moving towards the issuance of a new General Data Protection Law, it is imperative for the companies and entities affected by the new legislation, whether due to the similarities between the projects or for the short term available after their sanction, to take immediate measures to raise awareness about how personal data is collected, used, transferred, and stored in the performance of their activities and to seek to prepare for the changes. Consequently, there is no time to lose.
Ana Carolina Cagnoni Ribeiro
Lawyer specialized in Technology, Entertainment, and Intellectual Property
Partner at GCA – Grinberg Cordovil Advogados
acc@gcalaw.com.br
[1] Among various specific technologies in the area of data protection, there is the expression “data processing,” which encompasses practically all possible activities in relation to the use of personal data. In accordance with art. 14 II from the Regulation of Internet Legal Framework, which has introduced such a definition among us, “II – processing of personal data – any operation carried out with personal data such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, storage, disposal, evaluation or control of information, modification, communication, transfer, dissemination, or extraction.”
[2] Among many others, the Brazilian Consumer Congress held on May 21-23, 2018 (http://congressobrasilcon.com.br/programacao/), the Telebrasil Panel 2018 held on May 22-24, 2018 (http://paineltelebrasil.org.br/programacao), the First Women In Antitrust Seminar held on May 10, 2018 (https://www.womeninantitrust.org).
[3] The case in question, access by Cambrigde Analityca to the data made available on Facebook by users was carried out, in accordance with terms of use of the platform applicable by the application developer, Aleksandr Kogan. Subsequently, the developer would have shared such data with Cambridge Analytica. Here, unlike other cases, there were no security incidents. In the words of Mark Zuckerberg in a post on the platform on March 21, 2018, “This was an incident of trust breach between Kogan, Cambridge Analytica, and Facebook. But it was also an incident of breaking trust between Facebook and people who share their data with us and expect us to protect it.”
[4] There were many reports on the territorial extension of the GDPR application. Amongst them: https://www1.folha.uol.com.br/mercado/2018/04/novas-regras-europeias-de-protecao-de-dados-afetam-negocios-no-brasil.shtml.
[5] Including art. 2, XV that was not included in Normative Order 512, previously.
[6]As reported by the agency: http://www.mpf.mp.br/sp/sala-de-imprensa/noticias-sp/mpf-processa-microsoft-para-que-windows-10-deixe-de-coletar-dados-pessoais-sem-autorizacao-dos-usuarios
[7]As reported by Jota: https://www.jota.info/justica/decolar-com-e-acusado-pelo-mprj-de-priorizar-clientes-estrangeiros-06022018
[8] On the night of May 30, the Chamber of Deputies approved PL 4060/5276, which has already been passed for consideration by the Federal Senate under number PC 53, affixed to PLS 330. For the purposes of this publication, we consider the version of PL 4060 / 5276 approved and the PLS 330 version dated 03.05.2018.
[9] Let us remember here the discussion generated around the “Public Consultation” site that presented data such as CPF, CNPJ, date of birth, number of voters’ titles, and other information of Brazilians for free. Recently, it was reported that the site had access to such data through payment to SERPRO – the Federal Data Processing Service. This commercialization of data, among others, would be under investigation by the MPFDT Data Protection Commission (more information) https://canaltech.com.br/governo/governo-federal-e-investigado-por-suposta-venda-de-dados-de-cidadaos-115070/).
[10] Law 12.965 / 14, in its article 12.
[11] It is worth mentioning that the Internet Legal Framework determines a fine of more than 10% of the revenues of the company or economic group in Brazil.