Data Protected - Brazil

Contributed by Lefosse Advogados

Last updated November 2018

General | Data Protection Laws

National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement

ePrivacy | Marketing and cookies

National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone

_____________________________________________________________________

General | Data Protection Laws

____________________________________________________________

National Legislation

General data protection laws 

There is no general data protection law in Brazil. However, there are a number of specific laws that address various privacy and data protection issues. The most important of these laws are summarised below.

The Federal Constitution provides that the “privacy, honour and image” of a person are fundamental rights of any individual and are inviolable. These fundamental rights are reinforced by the Civil Code which provides that the private life of an individual is inviolable.

The Internet Bill of Rights Law (Marco Civil da Internet) was introduced to, amongst other things, restrict use of or access to information about private internet usage. Decree No. 8.771/2016 was enacted to regulate certain aspects of the Marco Civil da Internet, especially security standards for the secrecy of connection records, personal data and private communications.

The Consumer Protection Code (Código de Defesa do Consumidor or “CDC”) contains specific provisions to protect the personal data of consumers and balance the relationship between consumers and businesses.

Added to this are a number of specific sectorial laws which include: (i) Federal Law No. 8,069/1990, which regulates personal data of minors; (ii) Federal Law No. 9,296/1996, which regulates wiretapping; (iii) Telecommunications Act (Federal Law No. 9,472/1997), which lays out privacy rights in the telecom sector; (iv) Access to Information Law (Law No. 12,527/2011), which regulates the treatment and safeguarding of documents and information handled by governmental entities; (v) National Tax Code (Law No. 5,172/1966), which establishes the confidentiality of any financial, economic or commercial information obtained by public agents from the Internal Revenue Service; and (vi) Complementary Law No. 105/2001, which establishes financial institutions' duty of confidentiality in relation to transactions, services and operations.

UPDATE: Brazil has passed a new General Data Protection Act (Lei Geral de Proteção de Dados, Federal Law No. 13,709/2018) which will come into force in 2020. The new Act resembles the EU General Data Protection Regulation and creates a comprehensive data protection law for Brazil. Please note that the summary below describes the position under the current law and not under the new Act.

Entry into force

Various.

_____________________________________________________________________

National Supervisory Authority

Details of the competent national supervisory authority

There is no specific data protection regulator in Brazil.

Notification or registration scheme and timing

There is no notification or registration scheme.

Exemptions to notification

Not applicable.

_____________________________________________________________________

Scope of Application

What is the territorial scope of application?

There is no specific provision on the territorial effect of data protection laws. It is, therefore, likely to apply to the: (i) processing of personal data in Brazil; and (ii) processing of personal data which relates to Brazilian citizens or residents regardless of where the organisation carrying out the processing is based.

The Marco Civil da Internet applies where: (i) the collection, storage or processing takes place in Brazil; or (ii) at least one of the endpoints to the communication is located in Brazil. It also applies to foreign companies if there is a local entity of the corporate group in Brazil or if services are offered to the Brazilian public.

Is there a concept of a controller and a processor?

There is no distinction in Brazil between controllers and processors. All persons using personal data need to comply with Brazilian laws applicable to this matter.

Are both manual and electronic records subject to data protection legislation?

Both manual and electronic records are subject to the laws that deal with data protection.

Are there any national derogations?

The Marco Civil da Internet does not apply to telecommunication services that are not intended for internet connection, or to specific services, e.g. connection services intended for a specific group of users.

_____________________________________________________________________

Personal Data

What is personal data?

Some of the laws currently in force deal with a concept of personal data that refers to information about identifiable individuals and includes name, ID, tax registration number, personal address, credit card number, income, bank account and any private communications, among others.

Decree No. 8.771/2016 applies to data related to an identified or identifiable natural person, including identifying numbers, location data or electronic identifiers, when these are related to a person. The Decree also defines a separate category of personal data called “registration data”, which comprises name, marital status, occupation, address and parentage. Registration data has a different legal treatment under the Marco Civil da Internet as administrative authorities can request this information without a court order.

Is information about legal entities personal data?

Yes. This is confirmed not only by certain provisions in the law, but also case law and academic consensus.

What are the rules for processing personal data?

If a person is identifiable from the personal data, consent is needed to use that personal data. Consent may be obtained after the collection of the personal data. Where personal data is to be disclosed to or used by third parties, the person should be informed of that fact at the time consent is obtained. Moreover, agreements on personal data are interpreted strictly.

Under the Marco Civil da Internet, personal data about internet usage (including connection records and information about access to applications) may not be communicated to third parties without the free, express and informed consent of the individual. There are two exceptions: disclosure under a valid court order, and registration data, which administrative authorities can request without a court order. The need for informed consent means that so-called adhesion contracts (i.e. standard form contracts purporting to provide automatic consent) are not sufficient.

Under Decree No. 8.771/2016, internet connection providers and applications providers should retain the minimum amount of data necessary for the provision of the services. Retained data should be deleted: (i) as soon as it achieves the purpose for which it was collected; or (ii) at the end of any legal mandatory custody period. Additionally, the personal data or communications data should be kept in an interoperable and structured format, in order to enable easy access in case of court requests.

Under the Federal Constitution an individual’s mail, data and telephone communications are protected, although access may be obtained for evidentiary purposes by means of court order, such as those issued in the context of criminal investigations or proceedings. However, in relation to the obligations under the Civil Code, a decision of the Higher Labour Court indicates that employers can legally monitor employees within the work environment. Therefore, the privacy of an employee within such environment is limited.

Are there any formalities to obtain consent to process personal data?

Consent can be inferred or implied, but its validity will always depend on the specific circumstances of the case. In addition, it is normally advisable to get consent in writing for evidential purposes.

Under the Marco Civil da Internet express consent is required for certain types of processing and that consent must be based on clear prior information as to the purpose for which such data is collected.

Are there any special rules when processing personal data about children?

Minors cannot give consent without parental authorisation. A minor is a child under the age of 18 (Article 4 of the Civil Code).

_____________________________________________________________________

Sensitive Personal Data

What is sensitive personal data?

Despite the lack of specific data protection legislation defining the meaning of “sensitive data” in Brazil, case law does recognise a concept of sensitive personal data similar to the standard categories of sensitive personal data used in other jurisdictions.

Are there additional rules for processing sensitive personal data?

This type of data is likely to attract additional protection and may be subject to specific protection. For example: (i) Labour Law restricts the use of sensitive data for the purpose of discriminatory background checks; and (ii) medical data is subject to additional confidentiality obligations.

Are there additional rules for processing information about criminal offences?

The rules are the same as for sensitive personal data.

Are there any formalities to obtain consent to process sensitive personal data?

While there are no additional legislative requirements, it is strongly advisable to inform the individual of such data processing and to get formal consent in writing, preferably in hard copy.

_____________________________________________________________________

Data Protection Officers

When must a data protection officer be appointed?

There is no obligation to appoint a data protection officer.

What are the duties of a data protection officer?

Not applicable.

_____________________________________________________________________

Accountability and Privacy Impact Assessments

Is there a general accountability obligation?

There is no general accountability obligation.

Are privacy impact assessments mandatory?

Privacy impact assessment is not mandatory.

_____________________________________________________________________

Rights of Data Subjects

Privacy notices

There is no general obligation to provide fair processing information, though information about the purpose for which personal data is being processed must be provided to obtain an informed consent under the Marco Civil da Internet.

Rights to access information

Under the CDC, consumers must be given access to their own data contained in any files, index cards, records, personal and consumer data, as well as the respective sources. This request can be made free of charge.

In addition, the Federal Constitution, as further regulated by Federal Law No. 9.507/97, guarantees to any individual or legal entity the habeas data proceeding against controllers of public and private databases in order to access and rectify any of their data.

Rights to data portability

There is no data portability right in Brazil.

Right to be forgotten

There is currently no legislation or case law on the individual’s right to be forgotten. However, in June 2017 the Brazilian Supreme Court held a public hearing in a case aimed at determining how the right to be forgotten should be interpreted in law, based on the right to ‘privacy, honour and image’ provided by the Federal Constitution and the inviolable rights of the individual enshrined in the Civil Code. This judgment is still pending.

Objection to direct marketing and profiling

An individual is entitled to revoke their consent to the processing of personal data for the purposes of the direct marketing of goods, work or services.

Other rights

Where the database is held by a public entity, citizens have the so-called habeas data right to correction of personal data. The CDC gives consumers the right to request immediate rectification of their data, which must be carried out and notified to the consumer within five days. Under the Marco Civil da Internet, users have the right to have their personal data deleted at the end of their contract with the internet provider.

Certain other rights exist, for example, credit reference agencies must not disclose negative credit entries (such as a public protest for payment) that are more than five years old.

_____________________________________________________________________

Security

Security requirements in order to protect personal data

Decree No. 8.771/2016 sets out specific security guidelines which must be observed for data retention, storage and processing by internet connection providers and applications providers. Such providers must: (i) establish strict controls over access to data through appropriate access controls; (ii) authenticate access to records, for example by using two-factor (“dual”) authentication, so that those responsible for data processing can be identified; (iii) keep detailed logs of access to data, recording the time and duration of the access, the identity of the employee or other person involved and the identification of the files accessed; and (iv) use records management solutions that guarantee the inviolability of the data, such as encryption. General information about the security standards adopted by internet connection providers and applications providers must be disclosed in a clear and accessible way to any interested party.
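As an added example (not part of the original page and not a format prescribed by the Decree), the following Python sketch shows one way to implement the logging requirement in (iii) together with the inviolability requirement in (iv): every access record carries the time, duration, actor and files named above, and each entry is chained to the previous one through an HMAC over the record and the previous entry's tag, so editing, reordering or deleting an entry is detected by anyone holding the key. The field names, the sample records and the key are this example's own assumptions.

```python
import copy
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Information the Decree requires per access record: time and duration of the
# access, the identity of the person involved and the files accessed.
# These field names are this example's own choice, not a mandated schema.
REQUIRED_FIELDS = ("accessed_at", "duration_s", "actor", "files")
GENESIS = "0" * 64  # chain anchor for the first entry


class AccessLog:
    """Append-only access log whose entries are HMAC-chained.

    Each entry's tag covers the record and the previous entry's tag, so any
    later alteration of an entry is detectable by whoever holds the key. The
    key must be kept away from the people whose access is being logged, e.g.
    in a separate logging service or an HSM (not shown here).
    """

    def __init__(self, key: bytes):
        self._key = key
        self.entries: list[dict] = []

    def _tag(self, record: dict, prev: str) -> str:
        # Canonical JSON so the same record always yields the same bytes.
        payload = json.dumps({"record": record, "prev": prev},
                             sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, record: dict) -> None:
        missing = [f for f in REQUIRED_FIELDS if f not in record]
        if missing:
            raise ValueError(f"access record is missing {missing}")
        if not isinstance(record["files"], list) or not record["files"]:
            raise ValueError("an access record must name at least one file")
        prev = self.entries[-1]["tag"] if self.entries else GENESIS
        self.entries.append({"record": dict(record), "prev": prev,
                             "tag": self._tag(record, prev)})

    def verify(self) -> int:
        """Return -1 if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            expected = self._tag(entry["record"], entry["prev"])
            if entry["prev"] != prev or not hmac.compare_digest(entry["tag"], expected):
                return i
            prev = entry["tag"]
        return -1


def make_record(actor: str, files: list, start: datetime, end: datetime) -> dict:
    """Build a record with the time and duration of access, the actor and the files."""
    return {"accessed_at": start.isoformat(),
            "duration_s": int((end - start).total_seconds()),
            "actor": actor, "files": sorted(files)}


def build_sample_log() -> AccessLog:
    """Three constructed access records (sample data, not real logs)."""
    log = AccessLog(key=b"demo-key-replace-with-a-real-secret")  # assumed key
    t0 = datetime(2018, 11, 5, 9, 0, tzinfo=timezone.utc)
    log.append(make_record("analyst.ana", ["conn_records/2018-10.csv"],
                           t0, t0 + timedelta(minutes=12)))
    log.append(make_record("support.bruno", ["subscribers/4711.json"],
                           t0 + timedelta(hours=1), t0 + timedelta(hours=1, minutes=3)))
    log.append(make_record("analyst.ana", ["subscribers/4711.json", "conn_records/2018-11.csv"],
                           t0 + timedelta(hours=2), t0 + timedelta(hours=2, minutes=40)))
    return log


def detect_edit(log: AccessLog) -> int:
    """Silently change who performed the second access; verify() flags index 1."""
    forged = copy.deepcopy(log)
    forged.entries[1]["record"]["actor"] = "support.carla"
    return forged.verify()


def detect_deletion(log: AccessLog) -> int:
    """Drop the second entry; the chain breaks at the entry that followed it."""
    forged = copy.deepcopy(log)
    del forged.entries[1]
    return forged.verify()


def rejects(log: AccessLog, record: dict) -> bool:
    """True if the log refuses a record lacking the required information."""
    try:
        log.append(record)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact chain:", sample.verify())          # -1
    print("edited entry:", detect_edit(sample))       # 1
    print("deleted entry:", detect_deletion(sample))  # 1
```

The chain proves integrity only to a holder of the key, so the key (or a periodically exported chain head) should live with a party independent of the operators whose access is logged; encryption of the stored records themselves, which the Decree also names, is a separate control that this example does not implement.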

Except for the Marco Civil da Internet and certain sector-specific regulated areas (e.g. banking, tax and telecommunication), there is no specific requirement regarding security measures for the protection of personal data. However, reasonable efforts must be made, and reasonable technology must be used, in order to protect personal data.

Specific rules governing processing by third party agents (processors)

Where personal data is disclosed it is important that any party who may subsequently have access to that information takes all appropriate measures in order to keep it confidential.

Although not legally required, organisations should consider executing a confidentiality agreement with any person to whom they disclose personal data (whether employees, outsourced service providers or any other third parties), since unauthorised access, use or transfer of data, may trigger liability. A confidentiality agreement will minimise the organisation’s risk exposure in connection with such disclosure.

Notice of breach laws

None.

_____________________________________________________________________

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

There are no specific rules on transfer of personal data to third countries.

Despite the lack of express regulation on the transferring of personal data locally or abroad, it is possible to infer from the existing law that when the database is created or transferred locally or abroad, the individual must be notified.

Notification and approval of national regulator (including notification of use of Model Contracts)

Not applicable.

Use of binding corporate rules

Not applicable.

_____________________________________________________________________

Enforcement

Fines

The Marco Civil da Internet imposes significant penalties on those that misuse information about private internet usage. These sanctions include a fine of up to 10% of the gross income in Brazil of the offending entity’s economic group.

Criminal liability

The Criminal Code imposes criminal sanctions for violations of privacy in the event of: (i) interference with private or commercial correspondence, or interception or violation of telephonic, telegraphic or radio communication, which can result in imprisonment for up to two years (or up to three years if the violator is engaged in activities related to the postal service or telephonic, telegraphic or radio communication); (ii) accessing a private computer without authorisation in order to obtain personal advantages or to gain access to private electronic communication, which can result in imprisonment for up to two years; and (iii) disclosure in breach of duties of secrecy or professional secrecy, which can result in imprisonment for up to one year. In addition, article 10 of the Brazilian Banking Secrecy Law (Complementary Law No. 105/2001) provides for criminal sanctions for violation of banking secrecy, which can result in imprisonment for up to four years.

Compensation

The collection of sensitive data of employees, customers or other third parties may raise claims for compensation for moral damages, which may be awarded if the Brazilian Courts consider there is no reasonable business need to collect such data or that the data was misused. Despite the lack of specific legislation on this matter, the collection of non-sensitive data is unlikely to raise claims for compensation for moral damages.

Other powers

There are other sanctions under the Marco Civil da Internet including: (i) a warning; (ii) temporary suspension of any processing; and (iii) a prohibition on conducting business.

Practice

Published cases mainly relate to the processing of personal data: (i) by fiscal authorities; (ii) in the telecommunications sector; (iii) by employers; (iv) relating to health and medical matters; (v) in marketing activities; and (vi) consumer relations.

In recent cases, state courts have ordered telecommunications companies to cut off access to certain internet instant messaging services after the applications provider declined to provide the court with users’ chat logs related to a criminal investigation. The Supreme Court has reversed all of these decisions on the grounds that they were not reasonable and proportionate. However, since no final decision has yet been issued by the Brazilian courts on this matter, there is uncertainty as to whether internet applications providers are obliged to store users’ chat logs.

_____________________________________________________________________

ePrivacy | Marketing and cookies

_____________________________________________________________

National Legislation

ePrivacy laws

Accessing a person’s private computer in order to obtain, modify or destroy any kind of data, or accessing electronic communication without authorisation, whether express or implied, aiming at obtaining personal advantages, may trigger criminal sanctions of imprisonment for up to three years and a fine. Moreover, the Marco Civil da Internet includes new privacy and personal data protection rules applicable to private internet usage.

Amendments to the CDC have been proposed to further regulate the sending of unsolicited “spam” e-mails.

_____________________________________________________________________

Cookies

Conditions for use of cookies

There are no specific cookie laws. However, various laws, including the CDC and Marco Civil da Internet, suggest cookies should only be used when: (i) the individual’s consent is obtained; or (ii) the cookie does not identify the individual.

In order to obtain consent, the website must make sure that the individual receives clear upfront information why the cookies are being used and what data is collected. The individual must expressly opt-in to the disclosure of data and records to third parties.

Regulatory guidance on the use of cookies

Not applicable.

_____________________________________________________________________

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

There are no specific laws regarding this matter. However, considering the general privacy and data protection principles and the consumer rights provisions, unsolicited marketing e-mails (spam) should not be sent to subscribers who have previously objected.

Conditions for direct marketing by e-mail to corporate subscribers

There is no distinction between individual and corporate subscribers.

Exemptions and other issues

None.

_____________________________________________________________________

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

Many states have enacted “do not call” provisions to control telemarketing to mobile and fixed telephones. Companies may not call numbers on those lists for the purposes of telemarketing, unless the consumer has given prior permission in writing with an express expiration date.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

There is no distinction between individual and corporate subscribers.

Exemptions and other issues

Philanthropic entities, such as charities raising funds, are not subject to these restrictions.

_____________________________________________________________________