There has been an increasing interest about the Brazilian laws providing for data protection in the insurance market.
Although there is no specific rule on the protection of databases currently in force, the Brazilian legislation contemplates certain provisions regarding data protection, which also include electronic data in general.
Regarding the operations in the insurance market, the Brazilian Private Insurance Supervisory Agency (Superintendência de Seguros Privados - SUSEP) has recently issued the CNSP Resolution No. 297/13, which introduces in the insurance regulation a specific provision about data protection of insureds, applicants and beneficiaries of insurance policies.
There are specific legal provisions that govern data protection both in the Federal Constitution, as well as in the common legislation (Laws 8.078/90 and 9.296/96), in light of the need to protect one's right to intimacy and privacy.
Data confidentiality is constitutionally guaranteed, pursuant to article 5, item XII of the Federal Constitution, which sets forth:
"Art. 5. Everyone is equal under the provisions of the law, without distinction of any kind, guaranteeing Brazilians and foreign residents in the country the inviolability to their right to life, liberty, equality, security and property, under the following terms:
XII – the secrecy of correspondence and telegraphic, data 1and telephone communications is inviolable, except, in the last case, when a judicial order is granted, under the circumstances and in the manner that the law establishes for the purposes of a criminal investigation or criminal procedural instruction".
Concerning the constitutional protection mentioned above, data of any kind is subject to a special guarantee against improper violation, specifically to preserve the right to intimacy, privacy and honor of citizens, equally established in the Brazilian Federal Constitution (article 5, item X).
When combining these two pieces of the Federal Constitution together, one can see that data is protected for the preservation and security of those involved, both at the civil and criminal levels.
Seeking to regulate the circumstances under which an intercept of communications exchange in electronic systems is possible, the legislator established the rules on the subject in Law No. 9.296/96.
Through a court authorization granted for legal purposes, it is legal to make a data communication interception. The intercept performed in any other manner constitutes a crime, as established in article 10 of Law No. 9.296/96.
In addition, the Law No. 8.078/90 (Consumer Protection Code), in its article 43, specifically regulates the data and consumers registration and provides, among others that:
(i) everyone who has its data registered in some data registration may access them, as well as its sources;
(ii) the consumer must be informed in writing about the registration of his or her personal data, if such registration has not been requested by the consumer.
In any event, the content of someone's data obtained legally may not be improperly disclosed, otherwise the party responsible for the illegal disclosure or use of the information will be held liable in the civil and criminal spheres for his/her acts. Let us review below the provision in article 153, §1-A, of the Brazilian Criminal Code:
"§1-A – anyone who improperly discloses, reserved or confidential information, as per definition provided for in law, whether or not stored in the information system or database of Public Agencies.
Penalty – imprisonment from one (1) to four (4) years and a fine."
As mentioned above, the issue of data protection in the insurance market was expressly addressed in October 2013 with the publication of the CNSP Resolution No. 297/13, which regulates the transactions of insurance companies through insurance agents. This new rule expressly provides that personal data of insureds, applicants and beneficiaries of insurance policies shall not be assigned or transferred to third parties and must be used exclusively for purposes of the contractual relationship, except for purposes of forming the individuals' credit history under the terms of Law No. 12.414/11.
There is currently a bill (No. 3494/2000), which is being discussed at the House of Federal Representatives, that brings certain important definitions such as personal data, databases, data processing, ownership and use of databases, among others. It has the purpose of regulating the formation and use of personal databases, also establishing the procedural form for habeas data (a constitutional right to access public information). This bill is halted since March 2011 and there is no estimate of the time this bill will be converted into law.
1. Note that the meaning of "data" is not defined, which means that any type of data would be protected, electronic or not.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.