The Bill’s provisions on international data transfers are most relevant to foreign companies that do business in Brazil.
The Brazilian government has issued a Bill for the Protection of Personal Data (Bill) for public consultation. The Bill follows the European Union (EU) concept of “adequate data protection” in the receiving country and the provisions of the Brazilian Civil Rights Framework for the Internet (in Portuguese, Marco Civil da Internet, officially Law No 12.965), the law that governs Internet use in Brazil. Compared to the Marco Civil, the Bill is more specific and covers all forms of the processing of personal data—not only via the Internet. According to Article 28 of the Bill, a data transfer from Brazil to countries without adequate data protection (which likely includes the United States) is legal only if one of the following five exceptions applies:
I - when the transfer is necessary for international judicial cooperation between public intelligence and investigation agencies, according to the instruments of international law;
II - when the transfer is necessary for the protection of life or physical safety of the owner or a third party;
III - when the competent body authorizes the transfer pursuant to a regulation;
IV - when the transfer results from a compromise assumed under an international cooperation agreement;
V - when the transfer is necessary for the enforcement of public policy or legal authority of the public service, made public pursuant to paragraph 1 of article 6.
Compared to the EU Data Protection Directive 95/46/EC (EU Directive) that is the likely role model for this part of the Bill, the above exemptions are more narrowly designed. For instance, they would not cover data transfer for “the establishment, exercise or defense of legal claims,” e.g., for e-discovery purposes in the United States as Article 26 (1)(c) of the EU Directive allows under certain conditions. Article 26 (1)(b) of the EU Directive also authorizes a data transfer if it “is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject's request.” The Bill doesn’t mention this possibility. Instead, it relies heavily on prior authorizations of the international data transfers by the applicable data protection agency and alternatively on individual consents:
-
Article 30 of the Bill states that an authorization of the applicable data protection agency shall be provided if the controller “offers sufficient guarantees that the general principles of protection and the holder's rights will be observed by means of contractual clauses approved for a specific transfer, contractual standard clauses or global corporate standards, in accordance with the regulation.” For this purpose, the data exporter and importer may
-
use approved Brazilian Model Clauses (not yet released), or
-
submit its internal privacy policies for approval (which are similar to the Binding Corporate Rules concept in Europe).
-
-
Individual consent is also possible as a legal basis, but each consent must be obtained separately and be based on “prior and specific information on the international character of the operation, warning about the risks involved, according to specific circumstances of [vulnerability] in the receiving country.”
-
It is unclear whether countries such as the EU/European Economic Area (EEA) Member States provide adequate protection. One motive for this reluctance could be that Brazil wants to keep this determination as a bargaining chip with the Europeans because Brazil is not yet recognized by the European Commission as a “country of adequate data protection for personal data” from the EU/EEA, in contrast to Argentina and Uruguay, which have already gained this status. Presumably, this is a longer process that could take many months. A country's data protection level will be assessed by the competent government agency and take into account the following:
I - general and specific rules of the legislation in force in the country of destination;
II - nature of the data;
III - compliance with the general principles of protection of personal data provided in the Brazilian Data Protection Law;
IV - adoption of security measures provided for in Regulation; and
V - other specific circumstances related to the transfer.
We also observe a provision on joint and several liability of the data exporter and the data importer under the law (Article 31 of the Bill)—“regardless of fault” that facilitates the law’s enforcement in Brazil and results in additional liability risks for data exporters and data importers.
At this stage, there are many variables and uncertainties with the Bill. For instance, we don’t yet know if the Brazilian Model Clauses will be issued at all, and if so, what they will look like and whether they will go beyond the already existing EU Standard Clauses for data controllers and data processers. The safest approach currently available to international companies that do business in Brazil is to disclose any international data transfers in the Brazilian Privacy Policy (especially if personal data is stored in the United States), the reasons why they are necessary, the transfer’s purposes, and a description of the risks in the receiving country. These companies should then ask the individual user or customer for specific consent on that basis. In any event, the Bill presents the Brazilian government’s initial views on the text of the law. Corporations and their data controllers should closely follow the next steps, which will include a revised Bill by the government (following public consultation), additional discussions, a vote in the Brazilian Congress, and potential implementation deadlines.