
By Andriei Gutierrez, coordinator of the ABES Regulatory Committee and co-founder and coordinator of the Movimento Brasil, País Digital

 

After eight years of debate, on July 10, the Personal Data Protection Bill was approved in the Federal Senate. As a next step, the text still needs to receive presidential sanction, but, without a doubt, Brazilian society can already celebrate a great victory, which makes it possible to design a digital nation project.
 
In the lines below, I point out the main topics of the project, as well as their similarities and differences in relation to the Data Protection models applied in other countries. 
 
Protection of fundamental rights and legal certainty
It was time to join the club of more than 130 countries that have legal frameworks for the protection of personal data. Our framework is important for the protection of fundamental rights, such as privacy, freedom of expression and the dignity of the human person against any form of discrimination. In addition, it is a relevant instrument for the private and public sectors to have legal certainty to legitimize innovations and services based on personal data.
 
Democratic process
We have to be very proud, both of the final text approved by Congress and of the democratic debate that culminated in its last version. There were two public consultations carried out by the Ministry of Justice (in 2010 and 2015), which resulted in a bill initiated by the executive branch in 2016. Another five bills on the subject had also been before the National Congress since 2012. In the last two years the debate was heated, amid 13 public hearings in the Chamber of Deputies, two in the Federal Senate and numerous meetings with parliamentarians, in addition to segments of the private sector, civil society and government engaged in the topic.
 
GDPR inspiration with significant developments
Today, we have mature and balanced legislation. The basic text and the entire debate were inspired by the European Union's General Personal Data Protection Act, the GDPR. However, we understand that our text goes further, as it introduces significant developments that provide greater legal support both for data-based innovations and for the international flow of that data, an indispensable condition for innovation.
 
Comprehensiveness and territoriality
The bill covers any personal data, such as name, address, e-mail, age, marital status and wealth status, obtained in any type of medium (paper, electronic, computer, sound and image, etc.). It applies to any processing operation carried out by a natural person or by a legal person under public or private law, regardless of the medium, the country of its headquarters or the country where the data is located, provided that 1) the processing operation is carried out in national territory; 2) the processing activity is aimed at offering or providing goods or services; or 3) the processing concerns data from individuals located in the national territory; or 4) the personal data subject to the processing has been collected in the national territory.
 
Legal bases for processing personal data
The project approved by Congress allows 10 legal possibilities for data processing, while the GDPR allows only six legal bases. This is very relevant, as it protects fundamental rights in order to allow data-driven innovations to flourish legitimately.
 
The legal bases mentioned in the text are:
 
(1) informed consent (expressed for sensitive personal data),
(2) for the implementation of public policies,
(3) for the fulfillment of a legal or regulatory obligation by the controller,
(4) to carry out studies by a research body, guaranteeing, whenever possible, the anonymization of personal data;
(5) when necessary for the execution of a contract or preliminary procedures related to a contract to which the data subject is a party, at the request of the data subject;
(6) for the regular exercise of rights in judicial, administrative or arbitration proceedings;
(7) for the protection of the life or physical safety of the holder or third party;
(8) for the protection of health, with a procedure carried out by health professionals or by health entities;
(9) when necessary to serve the legitimate interests of the controller or of a third party, except in the event that the fundamental rights and freedoms of the holder prevail that require the protection of personal data;
(10) for credit protection.
 
Anonymous Data
Anonymous data is one of the fundamental pillars of data-driven innovation, for example, for carrying out research to improve a product, service or even a recommendation or treatment in the health field. Throughout the discussion process, those involved sought to ensure with the entities that the Bill did not create legal impediments that would render the treatment of anonymous data unfeasible.
 
Article 12 establishes that “anonymized data will not be considered personal data, for the purposes of this Law, except when the anonymization process to which they were submitted is reversed, using only their own means, or when, with reasonable efforts, it can be reversed”.
 
Vacatio Legis
The new rules will only come into force a year and a half after the publication of the law, so that bodies, companies and entities can adapt to them.
 
National Personal Data Protection Authority
The project foresees the creation of a special autarchy linked to the Ministry of Justice with the mission of ensuring data protection, inspecting and applying sanctions, among other duties. This is still a sensitive point that needs to be sanctioned and delimited by the Executive Branch. This entity will have a fundamental role during the 18 months of adaptation until the law comes into force, either in the regulation or in the promotion of educational campaigns for organizations and society.
 
International Data Transfer
Despite the inspiration in European legislation, the project brings important advances with regard to the legal bases for the international transfer of data, such as, for example, the acceptance of stamps, certificates and codes of conduct that prove compliance with the law. Thus, the text includes the following legal possibilities:
 
  1. for countries or international organizations that provide an adequate degree of protection of personal data as provided for in Brazilian law;
  2. when the controller offers and proves guarantees of compliance with the principles, the rights of the holder and the data protection regime provided for in this law, in the form of:

    1. specific contractual clauses for a given transfer;
    2. standard contractual clauses;
    3. global corporate standards;
    4. stamps, certificates and codes of conduct regularly issued.
  3. when the transfer is necessary to protect the life or physical safety of the holder or third party;
  4. when the national authority authorizes the transfer;
  5. when the transfer results in a commitment made in an international cooperation agreement;
  6. when the transfer is necessary for the execution of public policy or legal attribution of the public service;
  7. when the holder has provided his specific and highlighted consent for the transfer, with prior information on the international character of the transaction, clearly distinguishing it from other purposes;
  8. among others.
These are just some of the advances made by this bill and, of course, the reader can highlight other aspects of this legislation. Check the full text here.
 

 
 
 
 
 
