The leaking of alleged messages exchanged between Sergio Moro, Brazil’s current justice minister, and prosecutors has brought to light an important issue that had not received proper attention from lawmakers until recently. However, on July 2 this year, an amendment was approved that includes data protection as one of the individual guarantees of the Federal Constitution.

The Proposed Constitutional Amendment (PEC) 17/2019, proposed by Senator Eduardo Gomes (MDB-TO), was approved with 65 votes in the first-round vote and 62 in the second, and the text will now go through the House of Representatives.

This amendment comes at an important time, in which the market, especially in the technology field, is increasingly competitive, which leads many companies to collect as much data as possible from their customers to create a knowledge base that will enable them to win the recurrent races on the market. Without laws and controls to ensure that such data collection respects customer privacy, many cases of abuse may arise.

Senator Simone Tebet (MDB-MS), rapporteur of bill No. 17/2019.

For Senator Simone Tebet (MDB-MS), who was the reporting member of the PEC, it is the state’s role to legislate on the protection of personal data. In her statement, the senator explained:

“Constitutionalizing the issue means the State is saying it recognizes the importance of the issue, classifying this right to data protection as fundamental. That is, the State, society, the citizen may have the right, as a general rule, to the knowledge of the other, provided it is required. Otherwise, data privacy must be preserved to the maximum extent.”

The amendment text raises concerns about privacy and the plurality that the “personal data” concept may suffer if the State does not constitutionalize it, according to the following paragraphs: 

“In fact, privacy has been the starting point for discussions and regulations of this nature, but given its peculiarities, a valuable autonomy around the protection of personal data is already perceived, even deserving to become a constitutionally guaranteed right.

There is no rationalization on this: the fragmentation and destruction of a subject so important to society must be avoided. Ideally, as with other fundamental rights and relevant general issues, the Union should have central legislative competence. Otherwise, there is a risk that, even unconstitutionally, there may be dozens – perhaps thousands – of legal concepts about what is ‘personal data’ or who are the ‘processing individuals’ subject to the law regulation.

It is, therefore, necessary for the country to come up with uniform data protection and processing, as it is virtually impossible for governments and businesses around the world to adapt to specific local rules. In addition, normative plurality can pose data compatibility and suitability problems, especially in services provided by the world wide web, which use personal data in increasingly more comprehensive and innovative ways.”

Simone Tebet also mentioned that, by approving the amendment, Brazil will get closer to the best international legislation on the subject.

In countries such as the United States and members of the European Union, concerns about the protection of citizens’ personal data have been addressed for some time in their constitutions. In 2018, Brazil approved the General Data Protection Law, which adapts Brazil to the best global data management practices and which encouraged the maturation of the matter in the national territory.

In some ways, although the laws of Brazil and these countries are intended to control and protect the personal information of citizens, they are different. 

LGPD – General Data Protection Law (Brazil)

On August 14, 2018, Law No. 13,709 was approved, inspired by the European General Data Protection Regulation (GDPR). This law, sanctioned by former President Michel Temer, aims to increase the privacy of personal data and the power of regulators to monitor organizations in this area. 

The legislation adapts Brazil to the best global data management practices and covers all companies established in Brazil, as well as organizations based abroad that offer services or have operations in the country that involve data processing.

By nature, the law protects individuals and companies, Brazilian or otherwise, present in the national territory during the collection and/or processing of their data. Personal data of children and teenagers must have the consent of a parent or guardian prior to collection. 

Along with the law, the National Data Protection Authority (ANPD) was created, whose goals are to:

  • Monitor and enforce sanctions. 
  • Promote knowledge of data protection policies and standards to the population.
  • Promote cooperative actions between data protection authorities from other countries.

With the creation of the agency, the deadline for compliance, previously set for February 2020, was changed to August of the same year. The creation of the agency also brought some changes, such as: health data sharing; people in charge of communication between organizations; and holders not necessarily being legal entities.

Fines for non-compliance vary from 2% of gross revenues to 50 million reais per violation. 

General Data Protection Regulation (GDPR) – Europe

GDPR went into effect in 2018 in EU countries, driven by data leaks from millions of Facebook users through an application that allowed Cambridge Analytica to work with the data to influence President Donald Trump’s and Brexit’s campaigns. 

The European regulation states that individuals are the owners of their data; therefore, consent to its use must be given by them.

It applies to companies, regardless of location, that intend to offer goods or services to Europeans, even if their databases are not in Europe. 

The GDPR is the updated version of another European Union privacy law, called the “Data Protection Directive”, which has been in force since 1995. The GDPR has legal protection and the Data Protection Directive is just a guide for good practices.

Obligations include: means for the user to request the deletion of their personal data or to stop their collection; the right to know what data is being collected; leak notification within 72 hours; and many others. 

Fines in the event of a data leak can reach up to 20 million euros, or 4% of the organization’s revenues.

The Italian data protection agency recently fined Facebook €1 million for violations perpetrated by Cambridge Analytica. According to the agency, around 214,000 Italian users were affected.

California Consumer Privacy Act (CCPA) – United States

In January 2020, the Californian law that was also inspired by the GDPR will come into force. The two are very similar and state similar obligations. The law applies to companies that do business in the state of California, whether or not established in the state, but which meet the following requirements:

  • Annual revenues over $ 25 million.
  • Buying, receiving, or selling the personal information of 50,000 or more consumers for commercial purposes.
  • 50% or more of revenues derive from the sale of personal information.  

As under the European law, Californian citizens have the right to request a copy of their data, free of charge for a specific period, in addition to the deletion of the data.

Fines range from $ 100 to $ 750 per resident and incident. 

Violation of data protection is a growing concern, but States are working to mitigate it by using laws and regulations to protect the privacy of their citizens.

The bond between the amendment and national and international data protection laws is important for the establishment of privacy and security, items that should be a constant concern for both the State and the population.