The Universal Declaration of Human Rights 

1948

After WW2, the Universal Declaration of Human Rights of 1948 also included protection for data, in connection with the private life of the individual. International law has been a foundation for enforcing data protection: in 1966, the International Covenant on Civil and Political Rights emphasized the right to privacy in its Article 17.

American Convention on Human Rights “Pact of San Jose, Costa Rica”

1969


Article 11. Right to Privacy
1. Everyone has the right to have his honor respected and his dignity recognized. 

​

2. No one may be the object of arbitrary or abusive interference with his private life, his family, his home, or his correspondence, or of unlawful attacks on his honor or reputation. 

​

3. Everyone has the right to the protection of the law against such interference or attacks. 


1976

Constitution of the Portuguese Republic 

Article 35: Use of computers 

  1. Every citizen shall possess the right to access to all computerised data that concern him, to require that they be corrected and updated, and to be informed of the purpose for which they are intended, all as laid down by law. 

  2. The law shall define the concept of personal data, together with the terms and conditions applicable to its automatised treatment and its linkage, transmission and use, and shall guarantee its protection, particularly by means of an independent administrative body. 

  3. Computers shall not be used to treat data concerning philosophical or political convictions, party or trade union affiliations, religious beliefs, private life or ethnic origins, save with the express consent of the data subject, with authorisation provided for by law and with guarantees of non-discrimination, or for the purpose of processing statistical data that cannot be individually identified. 

  4. Third-party access to personal data shall be prohibited, save in exceptional cases provided for by law. 

  5. The allocation of a single national number to any citizen shall be prohibited. 

  6. Everyone shall be guaranteed free access to public-use computer networks, and the law shall define both the rules that shall apply to cross-border data flows and the appropriate means for protecting personal data and such other data as may justifiably be safeguarded in the national interest. 

  7. Personal data contained in manual files shall enjoy the same protection as that provided for in the previous paragraphs, as laid down by law. 

Brazilian laws have commonly been influenced by other countries' laws and policies, especially those of European countries with civil law systems, like Portugal, France, Spain and Germany.

Even though Brazil has been independent from Portugal since the beginning of the 19th century, the two countries maintain a close relationship because of common economic, social and political interests, to the point that under the Brazilian Federal Constitution the Portuguese have privileges, and the same applies to Brazilians under Portuguese law. That largely explains why Portuguese law can be an inspiration to Brazil.

The Constitution of the Portuguese Republic was the first EEUU constitution to address data protection, and it was innovative because it laid out general rules for data protection in a computerized reality.

​

Constitution of the Federative Republic of Brazil 

1988

Influenced by Europe, the Constitution of the Federative Republic of Brazil was promulgated in 1988 and declared as fundamental rights of the individual the inviolability of his privacy and his data under the main article of the Constitution, article 5. 

​

  • It is important to note that the Brazilian Constitution adopted a constitutional judicial remedy called habeas data, which can be claimed by any person who wants to be informed of, to add to, to remove or to rectify any information about themselves that is processed by governmental entities or public institutions, so that citizens can have more control over their data.

  • Besides the right of privacy and intimacy at home, the secrecy of communications is a powerful tool to guarantee confidentiality of personal data. 

 


Article 5. All persons are equal before the law, without any distinction whatsoever, Brazilians and foreigners residing in the country being ensured of inviolability of the right to life, to liberty, to equality, to security and to property, on the following terms: 

X – the privacy, private life, honor and image of persons are inviolable, and the right to compensation for property or moral damages resulting from their violation is ensured; 

XI – the home is the inviolable refuge of the individual, and no one may enter therein without the consent of the dweller, except in the event of flagrante delicto or disaster, or to give help, or, during the day, by court order; 

XII – the secrecy of correspondence and of telegraphic, data and telephone communications is inviolable, except, in the latter case, by court order, in the cases and in the manner prescribed by law for the purposes of criminal investigation or criminal procedural finding of facts; 

LXXII – habeas data shall be granted:

a) to ensure the knowledge of information related to the person of the petitioner, contained in records or data banks of government agencies or of agencies of a public character; 

b) for the correction of data, when the petitioner does not prefer to do so through a confidential process, either judicial or administrative.

1997

National Telecommunications Agency (Agência Nacional de Telecomunicações - ANATEL)

The General Telecommunications Law (Law 9472/97) created the National Telecommunications Agency (ANATEL). Although its main activity is to control the quality of telecommunications services, which include the internet, the Agency also has the prerogative to act in the protection of consumers' rights.

Criminal Code 

2000

In 2000, Law 9983/00 added to the Criminal Code crimes regarding:

  • modifying or altering information present in computer systems and databases belonging to the Public Administration without authorization from the competent authority; 

    • Penalty: imprisonment from 3 months to 2 years and fine

  • inserting or facilitating the insertion of false data in computer systems and databases belonging to the Public Administration; altering or excluding true data of the computer systems and databases belonging to the Public Administration, aiming to obtain improper advantage;

    • Penalty: imprisonment from 2 to 12 years and fine

  • releasing confidential and private data belonging to the Public Administration, even if not present in computer systems and databases. 

    • Penalty: imprisonment from 1 to 4 years and fine

(free translation)

Law 12.735/12 and Law 12.737/12

2012

In 2012, two other laws were enacted on the same day (November 30): Law 12.735/12 and Law 12.737/12.

  • The first is commonly known as the Azeredo Law, because it was proposed by Senator Eduardo Azeredo, and it establishes that police departments need to structure their units, sectors and teams to become specialized in dealing with digital or electronic crimes.

  • The other law, known as the “Carolina Dieckmann Law”, was named after a famous Brazilian actress who suffered a leak of 36 explicit photos after her email was invaded. The hacker blackmailed the actress, trying to gain monetary advantage. After the incident was reported, there was strong pressure from the media and the law was promulgated, adding a new article to the Brazilian Criminal Code: 

    • Art. 154-A: Invading an IT device owned by another person, connected or not to the internet, through wrongful violation of security mechanisms, in order to obtain, alter or destroy data or information without express or tacit authorization from the device’s owner, or to install vulnerabilities to obtain any kind of illicit benefit, can be sentenced to imprisonment from 3 months to 1 year and a fine. 

    • The penalty is increased if the crime is committed against government representatives:

      • President, governors and mayors

      • President of the Federal Supreme Court

      • President of the Chamber of Representatives; Senate; Legislative Assembly of the State; Legislative Assembly of the Federal District or Municipal Chamber; or

      • The highest-ranking manager of the Federal, State, Municipal or Federal District direct or indirect administration.

(free translation)


2014

​​Law 12.965/14 - Civil Rights Based Framework for the Internet (Marco Civil da Internet)

This law was enacted to establish principles, guarantees, rights and duties related to Internet use.

Among the eight principles defined in this law, privacy protection and personal data protection are expressly cited. This law was important in several respects, because it ranges from conceptualizing IT terms to defining rights and responsibilities. The law was also relevant in outlining mechanisms of data protection.

Article 7 sets out user rights, and some of these rights focus on data protection.

​

Art. 7: Internet access is essential for exercising citizenship, and the following rights are secured for the user:

  • Inviolability of intimacy and private life, their protection and the right to indemnity for material and moral damages due to their violation;

  • Inviolability and secrecy of communications through internet, except in case of judicial order, according to the law;

  • Inviolability and secrecy of private stored communications, except in case of judicial order; 

  • Service contracts shall have clear and complete information, detailing the connection record process and the process of access to internet applications, as well as web management practices that may affect its quality

  • Personal data shall not be available to third parties, including connection, internet application access records, except in case of expressed, free and informed consent or hypothesis defined in the law

  • Clear and complete information about collection, storage, treatment and protection of personal data, which may only be used for purposes that:

    • Justify its collection

    • Are not prohibited by the law and

    • Are specified in service contracts or in terms of use of internet applications

  • Express consent about collection, use, storage and treatment of personal data shall be placed prominently in the contract

  • Permanent exclusion of personal data that was provided to internet applications, if required by the user, when the relationship between the parties is terminated, except in the mandatory storage hypotheses expressed in this law (…)

Art. 10: Storage and release of the connection records and records of access to internet applications addressed in this law, as well as personal data from private communications, shall preserve the intimacy, privacy, honor and image of the parties directly and indirectly involved.

Art. 11: In any collection, storage, treatment of records, personal data or communication by internet service provider and application, where at least one of these acts happen in national territory, it is mandatory to observe Brazilian legislation requirements and privacy, personal data protection, communication and records secrecy rights.

Art. 12: Without prejudice to other civil, criminal and administrative sanctions, violations of the rules set in articles 10 and 11 shall be subject to the following sanctions, applied in an isolated or cumulative form: 

  • Warning, indicating the deadline to adopt corrective measures;

  • Fine up to 10% of the economic group’s income in Brazil during its last professional period, excluding taxes, considering the economic condition of the violator and the proportionality principle between the seriousness of the misconduct and the intensity of the sanction;

  • Temporary suspension of the activities that involve acts contemplated in art. 11; or

  • Prohibition of exercising activities that involve acts contemplated in art. 11.

(free translation)

Law 13709/18 - General Data Protection Law (Lei Geral de Proteção de Dados - LGPD, in Portuguese)

2018

Most important aspects of the General Data Protection Law 

In 2018, the General Data Protection Law (Law 13.709/18, Lei Geral de Proteção de Dados – LGPD, in Portuguese) was approved. This law was heavily influenced by the European GDPR; the bill was presented by the House of Representatives in 2016 and, after the legislative process, ended up being approved only in 2018.

After it was approved, the law entered vacatio legis, the period of time between the approval of a law and the date it becomes effective. This period serves to assimilate the new law and start adapting to it. 

The initial vacatio legis period of 18 months was extended to 24 months, on the grounds that Brazilian companies did not have enough time to adapt and that it would not be reasonable to overburden them with sanctions in the delicate period of recession and crisis the country has been facing. A provisional measure was therefore enacted to delay the period even further, and the LGPD ended up becoming effective only in September 2020, although the sanctions defined in the law will become valid in May 2021. 

​

The LGPD addresses rights and it can be applied to protect natural and juridical persons. The law defines what is considered personal data, sensitive personal data, anonymized data, database and other terms, but it calls attention to different subjects: the owner (the person that the personal data is related to); the controller (the natural or juridical person that makes the decisions related to the treatment of the personal data); and the operator (the natural or juridical person that performs the treatment of personal data at the request of the controller).

The LGPD (GDPL) defines principles that shall be observed in personal data treatment:

  1. Purpose

  2. Necessity

  3. Free access (to the owner)

  4. Quality of data

  5. Transparency

  6. Security

  7. Prevention of harms

  8. Non-discrimination

  9. Liability and Reporting 
     

What are the rights of the data owner?

  • Access his personal data;

  • Correct incomplete, inaccurate or outdated personal data;

  • Anonymization, blockage or elimination of unnecessary, excessive data or data that has not met the law requirement in its treatment process;

  • Portability of personal data to another product or service provider;

  • Elimination of consented treated data

  • Obtain information about public and private entities with whom the controller shared personal data

  • Revocation of consent for personal data treatment 

 

Cases in which data treatment is performed to serve a legal or regulatory obligation:

  • By the controller;

  • By the Public Administration for the treatment and shared use of data necessary to the execution of public policies defined in laws and regulations or underpinned by contracts, agreements or other similar instruments;

  • To serve studies for a research group, guaranteed, when possible, data anonymization;

  • When necessary to the execution of, or preliminary procedures related to, a contract to which the owner of the data is a party, when the owner requests it;

  • For regular rights exercise in judicial, administrative or arbitration process;

  • For protection of life or physical integrity of the owner or of a third party;

  • For the healthcare protection, in procedures performed by health professionals and sanitary entities.

 

Legitimate interest

 

The law introduced “legitimate interest” as a tool to authorize certain cases where consent would not be necessary. It can occur when it is not possible to ask the owner of the data for his consent.

  • Prevent fraud

  • Credit protection

 

Who supervises the enforcement of the law?

​

The LGPD (GDPL) establishes the creation of a national agency responsible to enforce data protection according to the law.

 

Treatment agents (controller and operator) shall adopt adequate security measures to protect personal data and prevent unauthorized access that may harm the data. These treatment agents may be held liable for any type of harm caused by lack of security or unauthorized access that breach LGPD imposed duties. 

 

It is also important to highlight that any information breach incidents need to be reported to the national agency (yet to be created) and to the data owner in a reasonable timeframe, describing which data was affected, the risks of the breach, what security measures were taken to protect the data before the incident and what has been done to revert or relieve the damages. 

 

International Transference of data

​

LGPD (GDPL) allows international transference of data when the owner specifically consented to it. 

This type of transference is also allowed when made by certificates, seals and conduct codes issued by the National Agency. 

 

Sanctions

​

The sanctions are administrative, are enforced by the National Agency of Data Protection, and include: 

  • Warnings, with due dates to adopt corrective measures

  • Fines up to 2% of the revenues in Brazil of the private juridical person or group in their last financial year, excluding taxes and limited to R$ 50,000,000 (fifty million Brazilian reais) per infraction

  • Daily fines, observing the total limit of R$ 50,000,000 (fifty million Brazilian reais) per infraction

  • Publicizing the infraction after it has been investigated and confirmed

  • Blocking the personal data harmed until regularization according to the law

  • Removing the personal data harmed
