Brazil Bill Implements New Provisions for International Data Transfers

by Morgan Lewis
Contact

The Bill’s provisions on international data transfers are most relevant to foreign companies that do business in Brazil.

The Brazilian government has issued a Bill for the Protection of Personal Data (Bill) for public consultation.[1] The Bill follows the European Union (EU) concept of “adequate data protection” in the receiving country and the provisions of the Brazilian Civil Rights Framework for the Internet (in Portuguese, Marco Civil da Internet, officially Law No 12.965), the law that governs Internet use in Brazil.[2] Compared to the Marco Civil, the Bill is more specific and covers all forms of the processing of personal data—not only via the Internet. According to Article 28 of the Bill, a data transfer from Brazil to countries without adequate data protection (which likely includes the United States) is legal only if one of the following five exceptions applies:

I - when the transfer is necessary for international judicial cooperation between public intelligence and investigation agencies, according to the instruments of international law;

II - when the transfer is necessary for the protection of life or physical safety of the owner or a third party;

III - when the competent body authorizes the transfer pursuant to a regulation;

IV - when the transfer results from a compromise assumed under an international cooperation agreement;

V - when the transfer is necessary for the enforcement of public policy or legal authority of the public service, made public pursuant to paragraph 1 of article 6.

Compared to the EU Data Protection Directive 95/46/EC (EU Directive)[3] that is the likely role model for this part of the Bill, the above exemptions are more narrowly designed. For instance, they would not cover data transfer for “the establishment, exercise or defense of legal claims,” e.g., for e-discovery purposes in the United States as Article 26 (1)(c) of the EU Directive allows under certain conditions. Article 26 (1)(b) of the EU Directive also authorizes a data transfer if it “is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject's request.” The Bill doesn’t mention this possibility. Instead, it relies heavily on prior authorizations of the international data transfers by the applicable data protection agency[4] and alternatively on individual consents:

  • Article 30 of the Bill states that an authorization of the applicable data protection agency shall be provided if the controller “offers sufficient guarantees that the general principles of protection and the holder's rights will be observed by means of contractual clauses approved for a specific transfer, contractual standard clauses or global corporate standards, in accordance with the regulation.” For this purpose, the data exporter and importer may
    • use approved Brazilian Model Clauses (not yet released), or
    • submit its internal privacy policies for approval (which are similar to the Binding Corporate Rules concept in Europe).
  • Individual consent is also possible as a legal basis, but each consent must be obtained separately and be based on “prior and specific information on the international character of the operation, warning about the risks involved, according to specific circumstances of [vulnerability] in the receiving country.”
  • It is unclear whether countries such as the EU/European Economic Area (EEA) Member States provide adequate protection. One motive for this reluctance could be that Brazil wants to keep this determination as a bargaining chip with the Europeans because Brazil is not yet recognized by the European Commission as a “country of adequate data protection for personal data” from the EU/EEA, in contrast to Argentina and Uruguay, which have already gained this status. Presumably, this is a longer process that could take many months. A country's data protection level will be assessed by the competent government agency and take into account the following:

I - general and specific rules of the legislation in force in the country of destination;

II - nature of the data;

III - compliance with the general principles of protection of personal data provided in the Brazilian Data Protection Law;

IV - adoption of security measures provided for in Regulation; and

V - other specific circumstances related to the transfer.

We also observe a provision on joint and several liability of the data exporter and the data importer under the law (Article 31 of the Bill)—“regardless of faultthat facilitates the law’s enforcement in Brazil and results in additional liability risks for data exporters and data importers.

At this stage, there are many variables and uncertainties with the Bill. For instance, we don’t yet know if the Brazilian Model Clauses will be issued at all, and if so, what they will look like and whether they will go beyond the already existing EU Standard Clauses for data controllers and data processers. The safest approach currently available to international companies that do business in Brazil is to disclose any international data transfers in the Brazilian Privacy Policy (especially if personal data is stored in the United States), the reasons why they are necessary, the transfer’s purposes, and a description of the risks in the receiving country. These companies should then ask the individual user or customer for specific consent on that basis. In any event, the Bill presents the Brazilian government’s initial views on the text of the law. Corporations and their data controllers should closely follow the next steps, which will include a revised Bill by the government (following public consultation), additional discussions, a vote in the Brazilian Congress, and potential implementation deadlines.


[1]. View the Bill here (text is in Portuguese). 

[2]. For more on this topic, see “Insight on Legal Developments in Latin America” (August 2014), available   here.

[3]. View the EU Directive here

[4]. The Bill mentions órgão competente, which can be translated (literally) as “competent agency.” No data protection agency has been created yet, and it is unclear if there will be a specific data protection agency or if existing government agencies will actually be granted such competence. This will likely be addressed in any regulations following the promulgation of the law.

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morgan Lewis | Attorney Advertising

Written by:

Morgan Lewis
Contact
more
less

Morgan Lewis on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Privacy Policy (Updated: October 8, 2015):
hide

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.