Brazil: Data Protection Laws of the World Handbook: Second Edition - Brazil
E-Commerce and Privacy Alert

LAW

Brazil does not have a law that is specifically devoted to data protection. However, there are general principles and provisions on data protection and privacy in the Federal Constitution, in the Brazilian Civil Code and in laws and regulations that address particular types of relationships (eg the Consumer Protection Code1 and labor laws), particular sectors (eg financial institutions, health industry, telecommunications etc.), and particular professional activities (eg medicine and law). Additionally, there are laws on the treatment and safeguarding of documents and information handled by governmental entities and bodies that have privacy implications.

The Federal Constitution provides that (i) the intimacy, private life, honour and image of persons are inviolable; (ii) the confidentiality of correspondence and electronic communication is protected; and (iii) everyone is ensured access to information, although the confidentiality of the source shall be safeguarded whenever necessary for the exercise of a professional activity.

Discussion of privacy legislation has increased recently. The National Congress is reviewing several bills that address data protection, and the Executive Branch presented a new proposal for a specific data protection and other internet related issues law on August 24, 2011, which has been presented to Congress for consideration.

On November 30, 2012, the National Congress enacted computer crime Law 12,737/2012, which criminalizes the acts of hacking or invading electronic devices with intent to obtain, adulterate or destroy data and/or information without the consent of the owner of the device.

DEFINITION OF PERSONAL DATA

There is no legal definition of "personal data" established in a particular statute. In general, it should be considered to include any particular information related to an individual, including name, age, sex, profession, address, religion, sexual orientation, criminal background, as well as any personal communication exchanged without any intent to go public, such as personal emails and messaging.

DEFINITION OF SENSITIVE PERSONAL DATA

There is no legal definition of "sensitive data" or the equivalent.

NATIONAL DATA PROTECTION AUTHORITY

Brazil does not have a national data protection authority.

REGISTRATION

There is no requirement to register databases.

DATA PROTECTION OFFICERS

There is no requirement to appoint a data protection officer.

COLLECTION AND PROCESSING

In general, there is no requirement to obtain prior consent to collect personal data submitted by the subject. However, the use, treatment and protection of such data are subject to some restrictions. Some specific statutes and case law establish that the scope of collection, treatment and use of personal data must be restricted to the purpose for which the data was originally collected. There is also a common understanding that certain sensitive data (eg religion, sexual orientation, criminal background etc.) should not be collected and used for any discriminatory purpose; if a company collects and uses such sensitive data it should obtain the person's consent.

In particular, the Brazilian Consumer Protection Code establishes that a consumer should be notified in writing of the opening of a consumer file, form, registry or database containing personal data regarding a consumer if the consumer did not request that it be opened. Consumers are entitled to have access to personal data and databases about themselves and to demand immediate correction whenever they find that the data or files are incorrect. Other limitations apply. For example, negative information (such as relating to debts, breach of agreements etc.) may not be retained for more than five years.

TRANSFER

Brazilian law does not expressly restrict cross border data transfer. However, some general principles may imply restrictions on the cross border transfer of personal data in certain cases (eg clinical trial data and medical records). In the absence of specific legislation, geographic transfer should be permitted upon consent from the parties involved.

SECURITY

In view of applicable general principles, data processors in Brazil are required to take reasonable technical, physical and organizational measures to protect the security of personal data, but, generally, there are no specific requirements, restrictions or details on how security should be implemented. Case law establishes that service providers and networks should keep access records (such as IP addresses, logins etc) so as to identify users who may have committed crimes, defamation or acts of infringement. If such records are not kept for a reasonable period of time, the service provider or network may be held jointly liable for an act of infringement.

BREACH NOTIFICATION

Security breach notification is not required.

Nevertheless, in view of the recently enacted hacking Law 12,737/2012, the owner of the personal data or the breached device may – although not obligated to do so – notify public authorities in order to conduct enquiries, so as to identify and prosecute the individual responsible for the crime of hacking and/or invasion of protected device established therein.

ENFORCEMENT

Currently, there is no data protection authority. Enforcement can occur through administrative procedures, individual civil suits or class actions, which can be initiated by the data subject, by public authorities (eg State Attorney's Office, Consumer Protection Office and the regulator for the relevant industry) or by associations that defend collective interests.

Public authorities may impose fines and, where relevant, revoke licenses or permits. Civil damages can be significant, because infringements of privacy rights may entitle the defendant to moral damages. Most case law on privacy and data protection involves violations of consumer rights.

Administrative fines related to consumer issues can be established in amounts up to R$3 million (approx. US$1.5 million). Damage awards may vary but in actions brought by a single consumer should not surpass R$15,000 (approx. US$7,500), while class actions may reach values far above US$1 million.

It is worth mentioning the existence of habeas data, a remedy provided for in the Federal Constitution, which can be used to gain access to personal data contained in records or databases of governmental bodies or entities having a public character, and for the correction of the applicant's data contained in such records and databases.

ELECTRONIC MARKETING

There is no federal law specifically addressing electronic marketing.

On January 9, 2012, the State of Rio de Janeiro enacted State Law 6,161/2012, which provides penalties for the offering of products and services by so-called collective buying websites within territorial limits of the same State. Under this law, information on offers and promotions may be sent only to clients previously registered through the website who have expressly consented to receive such information via email.

There is also a bill currently under discussion in the Senate which intends to amend the Brazilian Consumer Protection Code to establish as an abusive practice the unsolicited offer of products and/or services through electronic means or telephone.

In spite of the lack of a specific statute, the general provisions on privacy and intimacy rights, as well as consumer protection rights still apply; thus, a sender should immediately cease sending any sort of electronic marketing if so requested by the consumer.

ONLINE PRIVACY (INCLUDING COOKIES AND LOCATION DATA)

There is no law specifically addressing online privacy.

Nevertheless, the established rights of privacy, intimacy and consumer rights apply equally to electronic media, such as mobile devices and the Internet.

So, violations of these rights may be subject to civil enforcement. It is generally understood that the gathering and exploitation of personal data from a user through cookies without consent may be contrary to privacy and intimacy rights, if the data subject is identifiable (i.e. the information is directly linked to a particular user, IP address, device or other particular identifier etc.). The same rationale applies to location data, which is considered to be a more sensitive type of personal data.

Therefore, cookies, location data and equivalent online data collection methods are permitted if either:

• the data subject's consent is obtained;
• it is not possible to recognize or identify the data subject (if data cannot be linked to a given subject it does not affect privacy and intimacy rights).

Finally, it is also worth mentioning that Law 12,737/2012 criminalises the installation or exploiting of software, devices and/or vulnerabilities within an electronic device in order to obtain illicit advantage. So data collectors should be cautious as to the nature and extent of the cookies and other applications operating in the data subject's system.

Footnotes

¹ Due to a broad interpretation established in case law, practically every internet user is considered a "consumer" for the purposes of the consumer protection.

© DLA Piper

This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.

DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to www.dlapiper.com