28 Jan THE EVOLUTION OF DATA PROTECTION IN BRAZIL
Today, Data Privacy Day is celebrated around the world. To celebrate this day, we have prepared a timeline with the main projects and landmarks regarding privacy and data protection in Brazilian law.
(i) 1st Public Consultation.
On November 30, 2010, the Ministry of Justice declared opened the Public Consultation to offer proposals and criticisms to the Draft Bill of Law for a Personal Data Protection Act until the end of April 2011.
(ii) North American espionage case (“Edward Snowden Case”).
In 2013, details of the United States National Security Agency’s (“NSA”) global spy programs were made public, by Edward Snowden, a systems analyst, former CIA systems administrator and former NSA contractor.
Consequently, on September 3, 2013, the Parliamentary Inquiry Commission (“CPI”) of Espionage was created in the Federal Senate to discuss the protection of personal data in Brazil and how Brazilian citizens could be affected by the revealed international espionage programs.
(iii) Approval of the Brazilian Civil Rights Framework for the Internet.
Due to Edward Snowden Case, the Brazilian Civil Rights Framework for the Internet, Law No. 12,965, enacted on April 23, 2014, which established basic rights to protect the privacy from users of systems and applications on the internet and took the first step towards creating a personal data protection system in Brazil, was approved.
(iv) 2nd Public Consultation.
In 2015, the 2nd Public Consultation on the Brazilian General Data Protection Law (“LGPD”) draft was held, having received more than eighteen hundred (1,800) contributions from national and international agents.
The process resulted on a matured text for Draft Bill of Law for the LGPD, concerning to that of 2010, which was to be transformed into Bill No. 5,276/2016. The initiative was widely supported by entities in Brazil and abroad and was said to have reached: “a balanced wording to safeguard innovation and protect citizens’ privacy”.
(v) Creation of Special Commission in the House of Representatives to analyze Bill of Laws on the protection of personal data.
Between October 2016 and July 2017, the Special Committee held a total of eleven (11) public hearings and an international seminar. We highlight the Bills No. 4,060/2012 and 5,276/2016, which were, after that, then processed jointly.
(vi) PLS 330/2016 of the Federal Senate.
In the Federal Senate, Senator Ricardo Ferraço presented an opinion approving the Senate Bill No. 330/2013 (“PLS 330/2016”), in October 2017. The project was based on the text of the LGPD Draft from the Bill of Law No. 5,276/2016 of the House of Representatives.
(vii) International scenario after a new data protection scandal.
In 2018, the scandal led by the British consulting firm “Cambridge Analytica” broke out. The company fraudulently obtained personal data from thousands of Facebook users to market intelligence reports in political actions to influence election results around the world.
On May 24, 2018 and May 28, 2018, the Brazilian Senate and House of Representatives approved urgent requests for the consideration of the bills regarding the protection of personal data that were being processed in the respective houses. On May 29, 2018, the House of Representatives unanimously approved the substitute draft presented by Rep. Orlando Silva, which, when sent to the Senate. This draft became Bill of Law No. 53/2018, which would become the LGPD, as we know it today.
(viii) General Data Protection Regulation.
On May 25, 2018, European General Data Protection Regulation (“GDPR”) entered into force. The LGPD is very similar to the GDPR.
(ix) Promulgação da LGPD.
On August 14, 2018, Law No. 13,709/2018, the LGPD, was enacted. The wording, follows the European trend, establishes guidelines for the processing of personal data, as well as the application of penalties for offenders.
(x) MP No. 869/2018.
When approved, the LGPD had its provisions regarding the creation of a national authority vetoed, which raised concerns about the legislative vacuum. Provisional Measure No. 869 (“MP 869/2018”), of December 28, 2018, quickly resolved the problem by establishing the National Authority on Data Protection (“ANPD”). In addition, MP 869/2018 detailed the composition and powers of the ANPD. However, the text subordinated ANPD to the authority of the Presidency of the Republic, which resulted in several criticisms, despite the organ’s technical autonomy having been preserved.
(xi) PEC No. 17/2019.
Constitutional Amendment Proposal No. 17 (“PEC No. 17/2019”), of March 12, 2019, has been approved by the Federal Senate, being submitted for approval by the House of Representatives, still pending processing. PEC No. 17/2020 aims to include personal data protection as one of the fundamental rights of the citizen, to be inserted in the list of protections of article 5th of the Federal Constitution.
(xii) Law No. 13,853/2019.
MP No. 869/2018, when approved, was converted into Law No. 13,853, of July 8, 2019.
(xiii) Anatel’s Public Consultation on Internet of Things.
On August 5, 2019, Anatel proposed a public consultation on the policies and regulatory measures for the topic known as the Internet of Things. The term identifies an ecosystem in which technological devices are interconnected.
(xiv) Citizen’s Basic Registry.
On October 9, 2019, Decree No. 10,046 (“Decree 10,046/2019”), was enacted. The Decree regulates data sharing between municipal, independent, and direct federal public administration bodies and entities, as well as other Union Powers. Decree 10,046/2019 revoked June 29, 2016, Decree No. 8,789 which regulated data sharing of databases within the federal public administration.
The new legislative text aims to simplify the provision of public services; guide and optimize the procedures for implementation of public policies; improve the quality and accuracy of data stored by the federal public administration; improve quality and efficiency of internal public administration service.
It was widely criticized by civil society entities and data protection experts who claim that the “Citizen´s Basic Registry” allows the Federal Government to collect and store personal data for unclear prerogatives and under a procedure that does not necessarily follow the provisions of LGPD for the lawful processing of personal data.
(xv) President Act of November 26, 2019.
On November 26, 2019, the Deputy Chamber created the Commission of Jurists to draft the project for specific laws regarding personal data processing on public safety, criminal investigations, and criminal offenses repression.
(xvi) Federal Government approval of national strategy on cybersecurity.
On February 6, 2020, Decree No. 10,222/2020 was published, enacting the National Strategy on Cybernetic Security (“E-Cyber”), as a general guideline from the Federal Government over the main measures and actions it must undertake, both nationally and abroad, regarding cybernetic defense, infrastructure security, classified information security and protection against data leaks from 2020 to 2023.
E-Cyber was enacted as one of the steps to be implemented from the National Policy on the Security of Information, established by Decree No. 9,637/2018, that provides principles, goals, tools, responsibilities, and powers over the information security to authorities and entities from the Federal Public Administration.
E-Cyber norm does not clarify specific aspects of general legislation on cybersecurity, it is possible that data protection aspects may be taken into appreciation.
As ANPD, the Institutional Security Office – the body that coordinated E-Cyber – is an entity connected to the Presidency of the Republic.
(xvii) Best Practices Guide for LGPD Enforcement over Federal Public Administration.
At the beginning of April, the Best Practices Guide for LGPD Enforcement over Federal Public Administration (“Guide”), which was drafted by the Data Governance Central Committee, was published.
This Guide aims to provide orientation and guidelines regarding best practices for the direct, indirect federal public administration and its agencies, per article 50 of the LGPD, to guarantee full compliance to the guidelines outlined in the LGPD in data processing procedures carried out by Public Administration bodies.
(xviii) Personal data sharing with Brazilian Institute of Geography and Statistics (“IBGE”).
On April 17, 2020, the President of Republic issued Provisional Measure No. 954 (“MP 954/2020”), under which telecommunication companies which provided landline and personal mobile phone services were demanded to share personal data from its customers with IBGE, to produce official statistics during the pandemic caused by coronavirus.
Despite being issued before LGPD entered into force, MP 954/2020 was largely criticized as it imposed a personal data violation for citizens without the appropriate safety measures and specific clarifications regarding the purposes of this personal data processing.
The result was the filling of five (5) direct unconstitutionality actions before Brazilian Supreme Court (“STF”), identified by the numbers, 6387, 6388, 6389, 6390 e 6393. During a joint trial, with Minister Rosa Weber reporting, STF decided to grant an injunctive relief to suspend efficacy of MP 954/2020.
(xix) Provisional Measure 959/2020 postponed the LGPD’s entry into force.
On April 29, 2020, the President, Jair Bolsonaro, postponed through Provisional Measure No. 959/2020 (“MP 959/2020”), published in an extra edition of the Official Gazette (“DOU”), the entry into force of the LGPD to May 3, 2021.
(xx) Decree No. 10,332/2020.
On April 29, 2020, Decree No. 10,332/2020 was published, setting forth the Government’s Digital Strategy (“Strategy”) for the period from 2020 to 2022, within the scope of the bodies and entities of the direct, autarchic, and foundational federal public administration.
The Strategy resulted from a public consultation process carried out in November 2019. According to the Federal Government, there were three hundred and twenty (320) contributions and engaged over one hundred and fifty (150) participants from thirty-two (32) different public and private organizations.
The policy provides for the creation of a Digital Governance Committee in each of the bodies and entities of the federal public administration, to deliberate on matters related to the implementation of digital government actions and the use of information technology resources and communication.
(xxi) Chairman Act No. 71/2020.
Chairman Act No. 71, of June 26, 2020, extended MP 959/2020’s time span. In this sense, the deadline to decide over the delay of LGPD entering into force was postponed.
(xxi) LGPD Administrative Sanctions postponed to August 1st, 2021.
On June 12, 2020, Law No. 14,010/2020, which postpones the application of the administrative sanctions provided in the LGPD to August 1st, 2021, was published in the Official Gazette.
This means that sanctions for non-compliance with the LGPD may only be imposed by ANPD after that date.
(xxii) Senate rejected LGPD’s entry into force postponement by MP 959/2020.
On August 26, 2020, the Federal Senate approved the suppression of the article 4th from Bill of Law No. 34/2020 for the conversion of the MP 959/2020, which provided for the LGPD’s postponement to December 31, 2020.
(xxiii) Publicado Decreto que constitui a ANPD.
A day after the previous item was voted upon by the Federal Senate, the government issued Decree No. 10,474/2020, which approves the Regimental Structure and the Demonstrative Table of Commission Duties and Trust Functions of ANPD. It constituted, therefore, ANPD, after a long idle time from the Federal Government regarding its formation.
(xxiv) ANPD appointment.
On November 5, 2020, the President of Republic appointed Mr. Waldemar Gonçalves Ortonho Junior for the position of Head Director of ANPD Board of Directors, for a six-years term. Also, the President of Republic appointed Mrs. Miriam Wimmer, Nairane Farias Rabelo Leitão, Joacil Basilio Real e Arthur Pereira Sabbat, for the remaining positions as directors, for a two, three, four and five-years terms, respectively.
(xxv) Boarding Act No. 152/2020.
Boarding Act No. 152, of December 16, 2020, has regulated, although superficially, LGPD enforcement over the Deputy Chamber.
(xxvi) Decree No. 322, of December 17, 2020.
On December 17, 2020, a decree which regulated data protection within the Deputy Chamber, including for digital processing methods, was published, aiming to ensure the fundamental rights of freedom, privacy, and free personality development for natural persons.
(xxvii) Decree No. 322, of December 17, 2020.
On the same date, the decree that appointed, temporally, public server Mr. Fernando Pereira Viana to act as Data Protection Officer for the Deputy Chamber was published. The decree can be considered, therefore, an amendment to its predecessor.
The new Data Protection Officer for the Deputy Chamber has received assistance from members of the following unities: (a) General Office Technical Assistance; (b) Documentation and Information Center; (c) Parliamentary Support Department; (d) Innovation and Information Technology Office; (e) Participation, Interaction and Digital Media Executive Management; and (f) Board General Secretariat.
This article is intended exclusively to provide information and does not contain any opinion, recommendation or legal advice from Kestener & Vieira Advogados concerning the matters here addressed. Copyrights are reserved to Kestener & Vieira Advogados.
No Comments