The protection of data privacy in Brazil began in 2014 with Law n° 12.965, which established principles and duties regarding the use of the internet. The law sets out guidelines on issues such as privacy protection, guaranteed freedom of expression, and network neutrality, and it also provides for the stability, safety, and functionality of the network. Finally, it declares that access to the internet is essential for the exercise of citizenship; accordingly, users of the network retain the right to inviolability of their communications, the right not to have their internet connection suspended, and the right to protection of their data from third parties.
In response to the need for more specific regulation of data privacy, the Brazilian government enacted Law n° 13.709 on August 14, 2018 to define users' data and how the controller and operator can and cannot manage them. Before examining the provisions of the law, it is important to understand the agents who act in this domain. They are the holder, whose personal data are at stake; the controller, who is responsible for the decisions about the treatment of the personal data; and the operator, who treats the data on the controller's behalf.
The law states that the treatment of data may occur only in the following circumstances: with the holder's consent; to fulfill a legal obligation; to allow the public administration to carry out public policy (when the data is held in a shared platform); for research bodies (which always avoid using personal data); to execute a contract; to protect the life of third persons; for health procedures carried out by professionals; and when the lawful interests of the controller or of a third party call for it.
Additionally, the treatment of personal data must adhere to the principles of good faith, purpose, adequacy, necessity, free access to the form and duration of the treatment, quality of the data, transparency, security of the information, prevention, non-discrimination, and accountability.
The data holder retains numerous rights, including but not limited to the following: knowledge of the form, duration, and specified purpose of the data's treatment; identification of, and information about, the controller; accountability of the agents who treat the data; information about the controller's sharing of the data and its purposes; confirmation that treatment is taking place; access to the data; correction of incomplete, inaccurate, or outdated data; portability of the data to other providers; elimination of data that has been treated without the holder's consent; information about the public or private institutions with which the controller shares the data; and the possibility of revoking consent.
If the holder is a child, the controller must obtain the consent of at least one parent in order to protect the best interests of the minor. An exception to this rule occurs if the information is needed to contact the parents.
The law states that the international transfer of data may occur only when the destination countries or international organizations provide an adequate level of data protection and the controller demonstrates that the holder's lawful principles and rights will be guaranteed.
Next, the law establishes that the agents of treatment (the controller and the operator) must adopt security measures, technical safeguards, and administrative actions to protect the data and to prevent accidental or unlawful destruction, loss, or alteration during its treatment. Moreover, the controller and operator may formulate, within their procedures, guidelines detailing best practices and governance for responding to holders' claims, establishing technical standards, and fulfilling specific obligations.
Lastly, the original legislation provided for the creation of a national authority to protect and supervise data management and to apply sanctions when necessary. However, this provision was struck by presidential veto, potentially weakening the law's enforcement.