By Cecile Zwiebach
A New Legal Framework Aimed at Providing Guidelines for a Rapidly Evolving Environment
In the past year or so, Brazil has taken significant steps towards enacting a comprehensive legal framework governing the use of the Internet and the protection of personal data. Many questions remain to be answered about the final form of the contemplated legislation and its regulations, and the impact it will have both within Brazil and on organizations or businesses operating in Brazil; however, it is clear that this set of new laws is an important development in Latin America and in the area of privacy law.
On April 23, 2014, Brazil passed the landmark Law 12.965, the Marco Civil da Internet or Brazilian Civil Rights Framework for the Internet (the “Marco Civil”). In its own words, the law establishes “principles, guarantees, rights, and obligations for the use of the Internet in Brazil” and “provides guidelines” for all levels of Brazilian government to follow when regulating this use. The Marco Civil has been followed by two related legislative projects, which are being developed in a collaborative process inviting public participation: a decree law to further implement the Marco Civil through regulations, and a data protection law, the Lei para a Proteção de Dados Pessoais or Law for the Protection of Personal Data (the “Draft Bill”).
The Marco Civil and its regulations and the Draft Bill are noteworthy not only because they will soon become the governing legislation in a large country with an important economy, but also because they represent current and emerging trends in privacy law in the region. The Draft Bill takes guidance from existing precedent, adopting, and in some instances modifying, the foundational elements of the EU Data Protection Directive 95/46/EC (the “Directive”) and of several other Latin American data protection laws. The Marco Civil, on the other hand, shows Brazil breaking new ground in the global effort to develop a lasting set of rights and freedoms vis-à-vis the Internet. Both legislative projects try to strike a balance between protecting individual freedoms and creating a stable and open commercial environment.
Brazil’s 1988 Constitution was the first in Latin America to introduce a key concept in data protection law in the region: habeas data, the right to “have the data.” The writ protects individuals’ rights to access their own personal data (whether it is held by a public or private entity), correct inaccuracies and, in some cases, have such data destroyed. These rights were adopted in constitutions and laws across the region, including in Argentina, Bolivia, Colombia, the Dominican Republic, Guatemala, Mexico, Panama, Paraguay, Peru, and Venezuela, and serve as the foundation for the comprehensive data protection laws that have followed.
In recent decades, Brazil has continued to work on legal and political issues raised by modern technology. The Marco Civil has been in progress since 2009, when it was conceptualized through a partnership between the Ministério da Justiça, the Ministry of Justice, and the Center for Technology and Society of the Law School at the Fundação Getulio Vargas.
The idea of a data protection law has also been under governmental discussion and public consultation in various forms since 2010.
To encourage public participation on the current legislative projects relating to the Marco Civil, on January 28th, 2015 the Ministry of Justice launched a website called Pensando o Direito, where it invited people to comment on key concepts in the Marco Civil (net neutrality, privacy, and data log records) and made the text of the Draft Bill available and open for comment. In response to the quality of the discussions and the high level of interest in the debate coming from various sectors of society, the Ministry of Justice extended the comment window for both projects to the end of April and subsequently extended the comment period for the Draft Bill to July 5, 2015.
While it is too early to make predictions about the long-term impact of the Marco Civil, both the civil rights and business communities have raised questions about whether the framework will achieve its goals when fully implemented. In recent years, Brazil has been criticized by companies such as Google and Twitter for having a high rate of takedown requests and lawsuits.
Section III of the Marco Civil addressed this concern, limiting the liability of Internet providers for damages arising from third-party generated content. However, in a highly publicized case from February 2015, a judge invoked the Marco Civil to order Internet service providers to block access to the Internet application WhatsApp throughout Brazil as part of an effort to compel WhatsApp to cooperate with local police in an investigation. While the decision was reversed by an appellate court, it cast doubt on whether the Marco Civil will afford reliable protection to service providers and companies doing business in Brazil.
From a different perspective, proponents of the Internet rights of individuals have critiqued the Marco Civil for purporting to provide strong protections of such rights but being unable to ensure them. In July 2014, the Brazilian Department of Consumer Protection and Defense fined the telecom provider Oi 3.5 million reals (roughly US$1.59 million) under the Marco Civil for recording and selling subscriber browser data. While the case demonstrated to some that the law is being enforced, others saw the penalty as a slap on the wrist and insufficient protection of consumer rights.
In another example, the Marco Civil has been critiqued for having statements about freedom of expression on the Internet that are not as broad as they appear to be. The Marco Civil says in its preliminary provisions that the regulation of the Internet is “founded on the basis of respect for freedom of expression” and cites as its first guiding principle the “guarantee of freedom of speech, communication, and expression of thought,” going on to add the words “in accordance to the Federal Constitution.” Because the Brazilian Constitution does not permit anonymous speech, this statement in the Marco Civil has been successfully invoked by prosecutors and law enforcement officials to prevent the use of Internet applications that allow anonymous expression, such as the popular Internet application Secret.
The Draft Bill
The Draft Bill builds on and codifies certain concepts relating to the treatment of personal data already present in Brazilian constitutional, statutory, and case law and is structured in a manner that mirrors the Directive and several of the existing data protection laws in Latin America that took guidance from the European example. The Draft Bill also fills gaps in the Marco Civil and other laws by proposing much-needed definitions for key terms such as “consent,” “personal data,” and “sensitive personal data.”
Interestingly, the Draft Bill does not explicitly call for the creation of a specialized data protection authority or for the registration of databases holding personal data, both common elements of other regional data protection laws. That being said, the law makes various references to an “órgão competente,” or “competent body,” and its authority to further regulate various concepts set out in the Draft Bill, prompting comments asking whether it will be a newly established agency or an existing body given new authority.
The powers granted to data protection authorities vary from the ability to track databases through registration requirements to, in some instances, the right to access and search databases. A full understanding of how Brazil will regulate data processing will depend on the role and makeup of this entity.
Key Aspects of the Draft Bill and Questions Raised
Notice and Consent Requirements: Under the Draft Bill, processing of personal data is permitted only with the express consent of the holder of that data, subject to limited exceptions. “Processing” is a broad term that refers to the various actions that can be done with or to the data, including collection, classification, reproduction, distribution, modification, etc., by various means including transfer, disclosure or general communication. Consent must be a free, express, specific, and informed statement by which the data subject agrees to the treatment of his or her personal data for a specific purpose and must be in writing or given by other certified means, and can be revoked at any time, free of cost. The processing of sensitive personal data (defined as personal data that discloses sensitive information such as a person’s racial or ethnic origin, religious beliefs or sexual orientation) is subject to heightened consent requirements.
While the impetus for the strong consent requirements appears to be the protection of the individuals whose data will be processed, these consent requirements, in whichever form they are ultimately adopted, will have a tremendous effect on the operations of public and private entities that gather personal data. Comments on the Draft Bill from the American Bar Association’s Sections of Antitrust Law and International Law suggest that in some contexts, the legitimate use of the data by a data processor or controller could be sufficient grounds for allowing processing, without requiring consent. Even in situations where consent is required, they suggest that implicit or continuing consent may be preferable.
By requiring consent to be express in all circumstances, the Draft Bill may result in creating constraints and inefficiencies for both businesses and consumers. Furthermore, a substantial increase in new consent requirements for data subjects, particularly in the context of online applications and transactions, may lead data subjects to grow accustomed to giving their consents as a matter of course and without review or careful consideration, leading to the exact opposite of the consent requirement’s intended effect.
Access, Correction, Cancellation, and Objection Rights: Rights to access and correct personal data are common features of data protection laws in many Latin American jurisdictions, further codifying the habeas data rights found in their legal system. Chapter III of the Draft Bill establishes the data holders’ ownership of their data and their rights vis-à-vis the data processors or controllers: data holders are entitled to: (a) confirm the existence of data processing; (b) access their data; (c) obtain the correction of incomplete, inaccurate, or outdated data; and (d) obtain the disassociation, blocking or cancellation of data that is excessive or that has been processed in non-compliance with the law.
Processing agents are required to immediately comply with these requests or, if compliance is impossible, respond to the petitioner with an explanation within seven days of receiving the notification. The data controller must comply with the request at its own cost and must notify third parties to whom it has disclosed the information so that they may repeat the same procedure.
Here, too, the Draft Bill appears to focus on the protection of individual rights vis-à-vis the operational costs to data processors or controllers. It remains to be seen whether the final version of the law or its regulations will establish review or appeal mechanisms for data controllers, or whether the timing requirements will be loosened from “immediate” compliance to a more flexible standard. As noted in comments on the Draft Bill, in some situations, a data controller or processor may have legal obligations that require it to hold data, in contravention to the data subject’s demands. The Draft Bill does not currently offer guidance on how such conflicts should be resolved.
Security, Integrity and Retention Requirements: Many Latin American data protection laws require data controllers to take appropriate technical and administrative security measures to protect personal data and prevent its unauthorized access, use, alteration or disclosure, with various degrees of specificity regarding the security standards to be used. Often, the laws require disclosure to the affected individuals and/or the data protection authorities in the case of data security incidents. The laws also generally require that the data be retained only for the period of time necessary to fulfill the purpose for which it was gathered.
The Draft Bill incorporates these concepts. Under Article 14, the processing of personal data is required to end as soon as the purpose of the processing is achieved or the data ceases to be relevant, and the data is to be cancelled once the processing has finished, barring legal obligations of the controller to retain copies or specific exemptions created by the competent body. The data security requirements of the Draft Bill, set forth in Articles 42 through 49, require the processor to maintain “constantly updated” technical and administrative measures for the protection of the data, which must be appropriate and proportionate to the data being processed and compatible with current technology. Furthermore, the controller must immediately provide a detailed notification to the competent body regarding any security incident that might damage the data subjects, and the competent body may, in its discretion, adopt measures to address the incident. The competent body may require disclosure of the incident to the data subjects, or if the data subjects may be damaged or their personal safety endangered by the breach, the processor must promptly notify them.
Nuances in the drafting of these sections of the Draft Bill have prompted warnings that the current wording could be unexpectedly burdensome in practice. The American Bar Association’s Sections of Antitrust Law and International Law point out that the requirement that a processor “constantly” update its security measures would, if taken literally, require processors to adopt each new iteration of their security systems regardless of whether it represents a significant improvement in security, most likely involving a significant expenditure of time and financial resources.
Similarly, the requirement that processors “immediately” report security incidents to the relevant competent body if they “might” damage the data subjects could easily invite over-reporting by processors concerned about compliance, distracting them from addressing the incidents and creating unnecessary work for the authorities. In order to comply with the literal meaning of the law, processors would have to make notifying the authorities their first priority in the case of a security incident that had any chance of damaging data subjects, rather than turning all of their efforts to addressing the incident itself and assessing its potential harm.
Cross-Border Transfer Restrictions: The Draft Bill prohibits the export of personal data to jurisdictions that do not provide privacy protections that are equivalent to those it provides, as determined by the competent body, except in certain circumstances, such as cooperating with international law enforcement. Data can be transferred out of Brazil to a jurisdiction whose data protection is at a lower level if a special consent is obtained from the data subject, or if certain other guidelines in the law are met.
Entities trying to comply with these transfer restrictions may find it logistically very challenging to obtain individualized consent on a recurring basis. It will be helpful to see what further clarifications and rules the competent body puts in place to ensure that these restrictions do not become obstacles to international business.
The Marco Civil and its related legislative projects are a valuable contribution to global efforts to find fair and balanced ways to govern the rapidly evolving space of Internet usage and use of data, and Brazil’s commitment to producing these laws is impressive. As it finalizes the laws and strikes its balance between individual rights and other interests, the world will surely continue to watch with great interest and take lessons from Brazil’s example.
Cecile Zwiebach is a member of the Corporate group at Covington & Burling LLP in New York. Her practice focuses on Latin American cross-border transactions and technology transactions. She advises financial institutions, private equity firms, and companies in strategic mergers and acquisitions. She also advises a wide range of clients in connection with IT infrastructure matters, including the negotiation of information technology services agreements and global ticket inventory distribution arrangements as well as data collaborations and various projects relating to proprietary rights to data, data privacy, and data security.