On August 14, President Michel Temer signed Brazil’s first piece of data protection legislation into law — but only after vetoing important provisions aimed at holding data processors accountable and ensuring the law is effectively implemented. The final text, after vetoes, was published yesterday in the Official Gazette (English translation available here).
The General Data Protection Law, which will go into force in 18 months, makes Brazil one of 128 countries to have adopted data protection legislation. It is an important step forward for Brazil and for the advancement of the rights of its citizens.
The law establishes basic data protection rights for Brazilians, including the rights to access personal data, to correct your data record, to object to your data being used, and to eliminate personal information under certain conditions. It also follows important data protection principles such as informed consent, special protection for biometric data, necessity and proportionality for data collection, data minimization, and the notification of leaks, among others.
The version of the bill sent to the president after approval by both houses of the Brazilian Congress was developed through years of rich debate and public consultation. Despite this broad consensus, the president chose to veto essential parts of the bill before signing it into law, jeopardizing the effectiveness of the whole piece of legislation unless Brazilian authorities act quickly to fill in the gaps. The vetoes impacted three important sections of the bill, namely the establishment of an independent data protection authority, penalties for the violation of the law, and transparency requirements for public-sector actors handling personal data.
The data protection authority (Articles 55 to 59)
As we feared, President Temer vetoed the provisions in the bill that would have established an independent data protection authority responsible for overseeing implementation and enforcement of the law. The government based its veto on a purported “defect of origin,” claiming that Congress was not allowed to create an entity under the scope of the executive branch. This is a controversial argument that has been contested by several Brazilian experts, including the Brazilian Coalition for Digital Rights. Nevertheless, President Temer announced that he would send a separate bill to Congress for the creation of the data protection authority.
The establishment of an independent and professional data protection authority should be a priority for Temer’s government. Without an enforcement authority that is independent, transparent, open to the public, and technically qualified, the law would be barely effective. In addition to investigating violations of the law and applying sanctions, the data protection authority would be in charge of interpreting the law as it is applied. Legal experts, including Carlos Affonso de Souza, have explained that, without a specialized body to provide technical interpretation of the law, interpretative litigation is likely to arise in several judicial districts, leading to inconsistencies in the law’s application and undermining legal certainty.
In short, the data protection authority is an urgent need, and the process for its creation should reflect the spirit of the participatory debate that led to the General Data Protection Law in the first place.
Suspension or prohibition of data processing (Article 52, Subsections 7 to 9)
The president also vetoed provisions providing for suspension or prohibition of data processing activities in certain cases. This is a worrying move, because there are cases where the seriousness of the violation would merit a temporary suspension or permanent prohibition of the capacity to manage personal data, and such actions may be necessary to prevent further violations of individuals’ rights (for example, unauthorized manipulation of data in the context of data breaches, handling of illegally obtained information, or mismanagement of sensitive information).
While this sanction is also available to judges through other existing laws in certain cases involving internet service providers and internet applications, the authority has been stretched beyond its initial intent and used to suspend access to entire platforms — most notably WhatsApp. This provision was an important opportunity to expand the authority to apply this sanction to other data handlers — including banks and data brokers like Cambridge Analytica — while also clearly demarcating its boundaries.
Disclosure of public-sector data transfers (Article 28)
Finally, the president’s veto eliminated the requirement for public actors to publicly disclose transfers of data among government agencies. The government argued that a general obligation of transparency would make it difficult to carry out administrative duties, particularly where such data transfers are required by law, and to perform audits efficiently. However, government processing of citizens’ personal information is a very important issue that demands public knowledge and democratic oversight.
In that light, it is not overly burdensome to require agencies to disclose who they are transferring data to, what data is being transferred, and for what purpose. To ensure data rights are respected, public agencies must proactively answer these questions when determining whether each data transfer is lawful and appropriate, regardless of any duty to provide public notice, and the disclosure process could be integrated into existing administrative procedures. Also, even if it is somewhat burdensome, transparency in government acts is an objective that any democratic society should strive toward.
The passing of the General Data Protection Law is an important milestone for Brazil, the region, and the global movement to empower users to take back control of their personal data. However, this achievement is clouded by President Temer’s vetoes, which leave critical gaps that must be filled if Brazilians are to have an effective data protection framework.
The collection, analysis, and exploitation of personal information has become one of the most valuable assets for the economy, politics, and social interactions, and also one of the biggest challenges to fundamental rights like privacy, free expression, and access to information. In this context, Brazilians deserve state-of-the-art protections and an enforcement authority that is independent, transparent, and technically savvy — as they were designed through a broadly inclusive national dialogue.
Though the law has passed, the work of preparing for its implementation in 2020 has only just begun, and we will continue to stand with Brazilian civil society in their efforts to ensure the necessary steps are taken to protect personal data. To stay informed on ways to support that effort, subscribe to receive Access Now action alerts and follow us on Facebook and Twitter. You can also get the latest updates from the Brazilian Coalition for Digital Rights here.