Data Protection & Cybersecurity

Last verified on Wednesday 20th December 2017

Brazil

Fabio Ferreira Kujawski, Thiago Sombra and Alan Campos Elias Thomaz
Mattos Filho Veiga Filho Marrey Jr e Quiroga Advogados (São Paulo)
  1. Is there any provision in your country’s law for privacy and data protection?

    Yes. In Brazil, privacy and data protection are treated as fundamental rights of individuals under the Federal Constitution. The Brazilian Civil Code (Law No. 10,406/02), the Consumer Protection Code (Law No. 8,078/9, the Consumer Code) and the Internet Act (Law No. 12,965/14) are the most prominent statutes governing the use, collection and processing of personal data in specific cases by private enterprise.

    The Federal Constitution, generally speaking, enshrines that intimacy, private life, honour and image are inviolable fundamental rights of all individuals. Individuals who suffer material or moral damages due to violation of such rights have the right to indemnification. In addition, the Constitution establishes that one’s mail, data and telephone communications are inviolable, except by a court order and within the context of criminal investigations. The Federal Constitution provides a remedy named habeas data, which can be used to rectify and to give access to information included in public records or databases.    

    The Brazilian Civil Code acknowledges and reinforces the principle that privacy is inherent to an individual’s personality and dignity. Nonetheless, the Civil Code allows individuals to self-restrict their privacy by giving consent to a specific and temporary negotiation regarding their rights.

    The Consumer Code is applicable whenever a consumer relationship is established between an individual (or corporate entity, in certain circumstances) and a service provider or a product manufacturer. The privacy of consumer relations and handling of databases are regulated by this statute.

    The Internet Act applies only to personal data collected through the internet, establishing other principles and rules with respect to the privacy and protection of internet users’ personal and behavioural data. It contemplates specific rules on the collection, storage and processing of personal information through internet services and applications. Some of the user rights and guarantees assured by the Internet Act are the inviolability of privacy and intimacy in connection with communications over the internet or those stored privately.    

    Other privacy regulations apply to specific sectors of the economy, such as financial institutions and health care services. In addition, some privacy regulations must be considered within the scope of a labour relationship. The federal government has to follow another specific set of rules, including the Information Access Act (Law No. 12,527/11), which governs information used by federal authorities.

  2. Has your country adopted a general legal framework for the protection of personal data?

    The legislative branch has not yet approved a more comprehensive data protection law that could establish the general principles and obligations across all economic sectors. Several bills are under discussion in both houses (the Senate and House of Representatives) seeking to regulate privacy and data protection more broadly. A federal law on the matter may be approved in 2018. If approved, the new law will significantly affect the way companies and individuals behave with respect to privacy and data protection in Brazil. International data transfer, coverage and enforceability of the law and the requirement of express consent by the data subject are the main aspects covered by this new law.

  3. Has your country adopted a general legal framework on cybersecurity matters?

    Not yet. In consumer relationships, for example, companies must take all reasonable measures to offer safe and free-of-defect products and services. Therefore, vulnerable online services and platforms may be considered defective and thereby trigger liabilities. The Internet Act (by means of Decree 8,771/2016) also provides guidelines on data security to be observed by entities that perform data treatment activities on the internet, as further detailed in question 17. The Brazilian Internet Steering Committee might establish safety rules to be adopted by internet application providers in the near future. Specific regulations apply to the financial and health care sectors, as detailed below (see question 7).

  4. How does the law of your jurisdiction define personal data? Can the definition extend to data relating to businesses?

    The decree that regulates the Internet Act provides that personal data is the “data related to an identified or identifiable individual, including identification numbers, locational data or electronic identifiers, when related to an individual”, but this definition only applies to data collected or treated online. Brazilian laws do not provide a single unified statutory definition of personal data, given the lack of a general data privacy law. The bills under analysis in Congress also contain a definition of personal data that is somewhat similar to the definition stated above. All existing data privacy laws apply to data belonging to individuals, and not to legal entities.

  5. Does your country’s data protection legal framework distinguish between sensitive and non-sensitive data?

    The current Brazilian laws do not distinguish the treatment of sensitive and non-sensitive data. The Good Payers Database Law (Law No. 12,414/11) provides for the definition of sensitive data, but its applicability is very limited.

    The bills under analysis in Congress define sensitive data as “racial or ethnic origins, political opinions, ideological, philosophical or religious convictions, work union filiation, health status or sexual orientation, and genetic/biometric data” and, if approved, free, certain, informed, express and specific consent would be required for the treatment of sensitive data in Brazil. This consent would have to be provided separately from the consent for treatment of other personal data. In addition, specific information about the risks associated with the treatment of sensitive data would have to be provided to the data subject.

  6. Identify the basic principles in force in your country for the processing of personal data. Is there a general limitation for the processing of personal data?

    Despite the lack of unified and clear principles, the Consumer Code, for example, provides for the principles of information and transparency. Pursuant to these principles, the consumer (ie, the data subject) has to receive sufficient information about all aspects of the service provided (and consequently the data treatment activity performed). Similar to the data minimisation principle, the Internet Act provides that internet service providers may only collect information for justified reasons and that they shall retain the least possible amount of personal data, which shall be deleted (i) as soon as the purpose of its use has been achieved; or (ii) at the end of the period determined by legal obligation.

  7. Do special data protection rules apply to certain industries, such as financial services, healthcare and telecommunications? Is the processing of personal data on the internet specifically provided for?

    Yes.

    Information handled by the federal government: The Information Access Act (Law No. 12,527/11) governs the collection, use and processing of data by federal authorities. It also establishes rules and procedures by which citizens can request details of the information collected by those authorities.

    Banking secrecy: Pursuant to the Banking Secrecy Act (Complementary Law No. 105/01), financial institutions, such as banks, credit card administrators and the stock exchange, must maintain strict confidentiality of the financial transactions and financial information of their clients. The exchange of data between financial institutions for credit profiling and risk management may be allowed in specific circumstances. Financial institutions shall report to the relevant authorities any transaction they deem suspicious (under anti-money-laundering regulations), and such reporting shall not be considered a breach of confidentiality duties. In addition, the Brazilian Supreme Court of Justice has recently ruled that the Internal Revenue Service (IRS) may have access to an individual’s banking information without a court order.

    Resolutions 4,480 and 4,474, of 2016, issued by the National Monetary Council have regulated, respectively, the opening and closing of bank accounts by electronic means and the digitalisation of documents, providing for specific cybersecurity rules to ensure privacy in those situations. Finally, it should be noted that the Central Bank launched a public consultation in 2017 to define cybersecurity rules applicable to financial institutions and their IT service providers (notably, cloud service providers). The draft regulation subject to consultation imposes the obligation to have a cybersecurity policy, an annual incident report, data breach reporting obligations to the Central Bank and a data incident recovery plan. In addition, it imposes certain conditions for financial institutions to hire third-party IT providers.

    Health: The Medical Ethical Conduct Code (Federal Council of Medicine, Resolution No. 1,931/09) provides for certain rules on the protection of patients’ information and medical records. Subject to limited exceptions, the patient’s data may only be disclosed by the physician to third parties with his/her written consent. A specific resolution issued by the Federal Council of Medicine governs the use of computer systems for storage, handling and retention of such data, authorising the replacement of paper with electronically stored information. Also, the Federal Council of Medicine regulates the practice of medicine through the use of the internet and other technological means (telemedicine). The National Health Surveillance Agency (ANVISA) provides for specific rules applicable to data treatment activities in clinical trials.

    Telephone or radio communications: The confidentiality of telephone and computer communications is protected under the Wiretap Act (Law No. 9,296/96) and the Telecommunications Act (Law No. 9,472/97). The Wiretap Act provides that the access to and interception of telephone and telematics communications may only occur under the authority of a valid court order in criminal investigation proceedings. The Telecommunications Act provides that clients’ information can only be used for the purpose of delivering services, and that telecom bills can only be revealed upon the express consent of the user or by a valid court order.

    Exercise of profession: There are many federal and state statutes in Brazil that cover legal professional privilege, such as attorney–client privilege.

    Employees: In Brazil, there is no statutory provision regulating the use of employees’ data. As a rule, employees’ data may be treated by the employer (and sometimes transferred to other affiliated entities) for the purpose of managing the employment relationship (eg, for HR-related activities or centralising back-office activities). In addition, the majority of legal scholars and higher court decisions hold that the monitoring of computer systems made available to employees is allowed. Therefore, IT resources made available for the exercise of the employees’ functions may be subject to surveillance. The surveillance of employees’ personal devices may be possible (for example, where a professional email account is installed on the employee’s cellphone or computer) to the extent that it focuses only on the company’s information. Employees shall be informed in advance by their employer about all monitoring activities performed. Employee medical records are deemed to be highly confidential and may be accessed only by the employer’s occupational physician.

  8. Are there specific rules for the processing of personal data of minors?

    As detailed above, the collection and treatment of minors’ data shall be made upon the provision of a notice (if collected offline) or upon express consent (if collected online). In any case, the minor shall be duly represented to validate the notice/consent.

    In addition, the Child and Adolescent Act (Law No. 8,069/1990) provides that the offer, exchange, delivery, transmission, distribution, publication or disclosure of photographs, videos or other materials containing explicit sex scenes or child pornography is a criminal activity, which will be subject to a penalty of up to eight years of imprisonment. 

  9. What are the sanctions and remedies for non-compliance with data protection and cybersecurity laws? Is there criminal liability for non-compliance with the data protection and cybersecurity laws?

    Generally, non-compliance with privacy rights triggers strict and joint liability and gives rise to compensation for moral and direct damage.

    The Consumer Code imposes criminal liability (imprisonment from six months to one year) for certain conduct that may qualify as a crime against consumers, although the imposition of criminal liability for violation of cybersecurity and data protection laws is very rare.

    The Internet Act establishes a fine of up to 10 per cent of the breaching entity’s economic turnover in Brazil in the previous fiscal year, or the suspension or prohibition of doing business in the country. Finally, if the non-compliance constitutes a crime of unfair competition, penalties of imprisonment (from six months to one year) and a fine can be imposed.

  10. Does your jurisdiction have an independent authority (or authorities) with responsibility for regulating data protection and cybersecurity? What are the enforcement powers of the authorities?

    There is no regulatory agency or specific public administrative body created to regulate and inspect compliance with data privacy laws, nor to prosecute individuals or corporate entities for violations thereof. The Public Prosecutor’s Office, the Ministry of Justice and consumer protection authorities (such as the Consumer Protection and Defence Authority (PROCON)) are the entities entitled to initiate administrative or judicial proceedings against companies or individuals that violate existing privacy laws. Administrative proceedings may be either civil or criminal, and may lead to the filing of civil or criminal public lawsuits, as the case may be.

  11. Is notification or registration required before collecting, processing and transferring personal data?

    No.

  12. What are the main obligations applicable to data controllers to process personal data?

    Notice or consent: As mentioned above, the Internet Act requires express consent for the processing of data and a detailed privacy policy with respect to data processing. When data is not collected online and a consumer relationship is established, the Consumer Code requires that notification be given, as opposed to obtaining consent.

    Information collected online: Under the Internet Act, consent to the data processing or data transfer activities shall be given separately from consent required for other terms of the service. Therefore, a stand-alone Privacy Policy is required under that statute. Before collecting the users’ data, they shall be fully informed, in a clear and direct manner, of the collection, use, storage and processing of personal data, which can only be made for justifiable reasons, if not otherwise prohibited by law and if allowed by enforceable service agreements or terms of use.

    Therefore, internet application providers have to expressly detail what type of information is collected and how they intend to use, treat and transfer it. Normally the following shall be set out in the privacy policy: (i) the type of information collected; (ii) how and for what purpose the information is collected; (iii) the purpose for which, and how, the company will use, treat, process and transfer the information; (iv) what the company can do with the information; (v) for how long the information will be treated/stored; (vi) the data controller’s contact information; (vii) the level of protection afforded to the collected information (such as the safety standards adopted by the company); (viii) how the individual can reach the company in order to revoke consent. If the terms of service or the privacy policy are drafted in such a way as to significantly reduce the privacy rights stipulated by law, courts may deem such provisions invalid. In a nutshell, there has to be a reasonable correlation between the information collected and the purpose for which the consent to collect data has been provided.

    Mandatory log keeping: Internet connection providers (ie, those that offer telecommunications connectivity for internet access) cannot monitor or store any information concerning the behaviour of the user, but are required to retain connection logs for a minimum period of 12 months. Connection logs include the date, time and duration of an internet connection made by a certain IP address allocated by the connection provider to the user. Internet application providers (ie, those that offer any kind of functionality to their users through the internet, such as social networks, e-commerce websites, etc) shall store access logs for at least six months. In such cases, access logs must include the date, time and duration of connections to the internet application. The minimum retention periods mentioned above may be extended upon the determination of relevant authorities.

    Data retention and disclosure of information: Apart from the connection logs and the access logs, the Internet Act does not require data controllers to retain other personal data, including the content of communications. The Internet Act determines that only through a valid court order may the following be disclosed by internet application providers or internet connection providers: (i) interception of communications; (ii) disclosure of privately stored communications; and (iii) connection and access logs. There are only two exceptions to this rule. Certain government and administrative authorities can request limited information (such as the name, ID number, address and parents’ names of a user) without a court order, and an internet user may, by express consent, allow the disclosure of his or her personal data, connection and access logs. Finally, personal data must be kept in an interoperable and structured format, for easy access in the event of a court order request.

    Data controllers must also observe the right of information, access, rectification and deletion of data, as detailed in question 15.

  13. Is there a specific regime applicable to the processing of personal data on behalf of third parties?

    Yes. The Consumer Code establishes that consumers should be notified about the creation of a database, but does not address whether the supplier may transfer consumer information to third parties. We believe that if the processing is being made on behalf of the data controller (either by another affiliated entity or even by a third-party service provider), the prior notification required by the Consumer Code should suffice. The transfer of consumer information to unrelated third parties and for unrelated business purposes is not permitted.

    If the information is collected through the internet, the terms of use and privacy policy should comprehensively detail everything that the company may do with the collected information. Note that, as adhesion agreements, in the event that such documents contain provisions whereby the users would be materially waiving their privacy rights, we cannot rule out the possibility that such provisions be challenged in Brazilian courts and deemed abusive. Therefore, the better the company can justify why the transfer of information is necessary, the greater the chances that the provision may be considered enforceable under Brazilian law. As previously mentioned, the user shall provide his or her affirmative consent for any collection, use, transfer and treatment of his or her data.

    Furthermore, employee information should not be transferred to unrelated third parties. We believe that employee information may be transferred to related parties, even if located abroad, for managing the employee’s relationship, integrating the company’s systems and files, among other justifiable causes. Please note that additional restrictions apply to employee medical record data. Misuse of this information on the part of the employer or any related party receiving this information through the employer may trigger liability.

  14. Is the informed consent of the data subjects required before processing personal data? Are there lawful ways to process personal data without consent?

    Yes. As previously mentioned, the Internet Act relies on express consent for the processing of data and requires the implementation of a detailed privacy policy with respect to data processing. The Internet Act does not recognise implied consent. When data is not collected online and a consumer relationship is established, the Consumer Code requires that notification be given, as opposed to obtaining consent. Neither the Internet Act nor the Consumer Code provides for express derogations from the notice or consent rule.

    Considering that the Internet Act is a new law, there are no legal precedents for necessary standards to be imposed by the courts to determine whether consent has been properly given. Nevertheless, companies should be able to demonstrate how and when consent has been given by any individual who disputes whether or not a consent was given.

  15. What types of rights are granted in the law to data subjects over their information?

    Access and rectification: Data subjects have the right to request information stored in public interest databases or databases controlled by public administrative authorities through the constitutional remedy of habeas data. The Consumer Code and the Internet Act also provide for the right to access and rectify data.

    Right of information: The Consumer Code and the Internet Act provide that data subjects shall be appropriately informed about all characteristics of the data treatment.

    Negative credit profiles: The Consumer Code provides that negative credit information may not be stored for a period longer than five years.

    Deletion: The Internet Act guarantees the data subject’s right to request the deletion of his or her personal data after the termination of an agreement with the internet service provider.

    Secrecy of communication: The Internet Act and the Wiretap Act provide that internet communication is inviolable.

  16. What is the general regime for the transfer of personal data abroad? Is there a general restriction on the transfer of personal data out of your country? Is the notification of, and approval of the transfer by, the competent authority necessary?

    There is no specific regime or regulation regarding the transfer of data abroad. To the extent that there is consent and the privacy policy expressly allows for international data transfers, Brazilian law does not impose a restriction nor require notification or approval by any Brazilian authority. There are some provisions related to international data transfers in the bills, which would impose additional requirements for transferring data to countries considered to have less protection than Brazil. The data privacy authority would also determine which countries fall into the category of less safe for such purposes.

  17. What data security requirements are imposed in relation to the processing of personal data?

    As previously mentioned, companies shall take all reasonable measures to offer safe and free-of-defect products and services. Therefore, if a company does not implement appropriate security measures (normally based on industry standards), its product or service may be deemed defective and trigger liabilities.

    The Internet Act establishes the following security measures to be implemented by internet service providers:

    1. strict control over the access to personal data upon the definition of responsibilities for the personnel who will have access to the data stored;
    2. authentication mechanisms must be used to allow access to the personal data stored (eg, two-step verification should be used to ensure the identification of the individual who had access to the personal data stored);
    3. detailed data inventories must be created containing the access to personal data (date, time and duration of the access, the identity of the employee responsible for the access, as well as the files that were accessed must be kept); and
    4. use of IT solutions that ensure the inviolability of data, such as encryption or equivalent protective measures.

    In addition to the foregoing, the Brazilian Internet Steering Committee (CGI) may recommend additional security measures and standards to be adopted.  
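    The log-retention minimums in question 12 (12 months for connection logs, six months for application access logs, extensible by the authorities) and the data-inventory fields in item 3 above can be checked mechanically. The Python below is an added example and is not code from this chapter or from the authors' firm: the field names, the sample log entries and the "as of" date are constructed for illustration, and the retention months are parameters rather than constants because the text says the minimum periods may be extended. No retention period is stated for the data inventory, so the purge logic never deletes those entries.

```python
import calendar
from datetime import datetime, timedelta, timezone

# Fields each record kind must carry, following the text: connection and
# access logs carry date, time and duration; the item-3 data inventory also
# records the responsible employee and the files that were accessed.
# (Field names are constructed for this example.)
REQUIRED_FIELDS = {
    "connection": ("started", "duration", "ip"),
    "access": ("started", "duration", "application"),
    "inventory": ("started", "duration", "employee", "files"),
}

# Minimum retention stated in question 12. The inventory has no stated
# minimum, so it has no entry here and is never purged below.
MIN_RETENTION_MONTHS = {"connection": 12, "access": 6}

UTC = timezone.utc
AS_OF = datetime(2018, 1, 15, tzinfo=UTC)  # constructed "today" for the demo


def add_months(dt, n):
    """Calendar-month arithmetic with the standard library only; the day is
    clamped so 31 Aug + 6 months gives 28 Feb instead of raising."""
    m = dt.month - 1 + n
    year, month = dt.year + m // 12, m % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def _present(entry, name):
    value = entry.get(name)
    return value is not None and value != "" and value != ()


def validate(entry):
    """Return the problems found in one record; an empty list means the
    record carries every field the text requires for its kind."""
    kind = entry.get("kind")
    if kind not in REQUIRED_FIELDS:
        return [f"unknown kind: {kind!r}"]
    problems = [f"missing field: {n}" for n in REQUIRED_FIELDS[kind]
                if not _present(entry, n)]
    started = entry.get("started")
    if isinstance(started, datetime) and started.tzinfo is None:
        problems.append("started must be timezone-aware")
    duration = entry.get("duration")
    if isinstance(duration, timedelta) and duration < timedelta(0):
        problems.append("negative duration")
    return problems


def deletable_after(entry, extension_months=0):
    """Earliest instant at which the record may be deleted, or None when the
    text states no minimum for its kind. extension_months models a retention
    extension ordered by an authority, which the text allows."""
    months = MIN_RETENTION_MONTHS.get(entry["kind"])
    if months is None:
        return None
    return add_months(entry["started"], months + extension_months)


def purge(entries, now, extension_months=0):
    """Split records into (keep, deletable). Records inside their minimum
    window, of a kind with no stated minimum, or failing validation are kept:
    the conservative choice when a court order may still request them."""
    keep, deletable = [], []
    for e in entries:
        limit = None if validate(e) else deletable_after(e, extension_months)
        (deletable if limit is not None and now >= limit else keep).append(e)
    return keep, deletable


# Constructed sample records (TEST-NET addresses, fictitious employee ids).
SAMPLE_LOG = [
    {"kind": "connection", "started": datetime(2016, 12, 1, 8, 0, tzinfo=UTC),
     "duration": timedelta(hours=2), "ip": "203.0.113.7"},
    {"kind": "connection", "started": datetime(2017, 3, 1, 9, 30, tzinfo=UTC),
     "duration": timedelta(minutes=45), "ip": "203.0.113.9"},
    {"kind": "access", "started": datetime(2017, 6, 30, 23, 0, tzinfo=UTC),
     "duration": timedelta(minutes=5), "application": "shop"},
    {"kind": "access", "started": datetime(2017, 8, 31, 12, 0, tzinfo=UTC),
     "duration": timedelta(minutes=1), "application": "shop"},
    {"kind": "inventory", "started": datetime(2016, 1, 10, 10, 0, tzinfo=UTC),
     "duration": timedelta(minutes=3), "employee": "emp-0042",
     "files": ("customers/2015.csv",)},
    {"kind": "inventory", "started": datetime(2017, 11, 2, 14, 0, tzinfo=UTC),
     "duration": timedelta(minutes=3), "employee": "",  # incomplete: no identity
     "files": ("customers/2017.csv",)},
]


def main():
    keep, deletable = purge(SAMPLE_LOG, AS_OF)
    print(f"as of {AS_OF:%Y-%m-%d}: keep {len(keep)}, deletable {len(deletable)}")
    for e in SAMPLE_LOG:
        print(e["kind"], e["started"].date(), validate(e) or "ok",
              deletable_after(e))


if __name__ == "__main__":
    main()
```

    Running the module prints, for each sample record, whether it is complete and when its minimum window ends; the incomplete inventory entry is reported as missing the employee identity and is kept rather than purged, and passing `extension_months=2` to `purge` shows that an authority-ordered extension pushes every sample record back inside its window.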

  18. Is there any legal requirement in your jurisdiction for a data processor to have a data protection officer (DPO)? What are the main roles or responsibilities of the DPO? Can the DPO incur criminal liability for acts and omissions?

    No. There is no provision in Brazilian law requiring entities to nominate a DPO or defining the roles and responsibilities of DPOs.

  19. Does your jurisdiction require notification to affected individuals or the authority in the event of data security breach?

    No, there are no specific reporting obligations in the event of cyberattacks. However, in some specific cases, due to the general reporting obligation stipulated in the Consumer Code, reporting obligations may apply and data protection authorities or data subjects may have to be informed about data incidents.

  20. Is there any national law, regulation or guidance on the use of cookies in general or the use of tracking technologies?

    As previously mentioned, the Internet Act provides that the individual whose data is being collected shall have clear and comprehensive information about the collection, use, storage, treatment and protection of his or her personal data, which would include information collected through cookies, beacons and other tracking technologies.

  21. Is there any national law, regulation or guidance regarding fintech and data protection and cybersecurity?

    No. Brazil does not have any national law, regulation or guidance applicable specifically to fintechs on data protection and cybersecurity matters. However, in connection with the multiple activities developed by fintechs in Brazil, they might be subject to certain rules applicable to financial and payment services providers. For instance, fintechs that provide payment services regulated by the Brazilian Central Bank are required to comply with banking secrecy laws and the rules imposed by the Central Bank on data protection and cybersecurity, as mentioned in the previous questions (see question 7). In addition, the Brazilian Central Bank has issued a public consultation on imposing several cybersecurity obligations on financial service providers. Please refer to question 7 for more comments on this regulatory initiative.

  22. What requirements are imposed in your jurisdiction regarding "privacy by design", "privacy by default" and privacy impact assessment?

    There is no legal requirement for privacy by design or privacy by default under current legislation.

  23. What requirements are imposed in your jurisdiction on the sending of unsolicited electronic commercial communications?

    With respect to email marketing, the Secretariat of Economic Law issued Ordinance No. 5/2002, deeming opt-out provisions in adhesion agreements to be abusive. A "soft law" on unsolicited messages issued by the Brazilian Internet Steering Committee (CGI.br) establishes that opt-in or "soft opt-in" email marketing campaigns are legitimate, but the CGI.br requires companies to adopt opt-out mechanisms in all circumstances.
