January 27, 2023

Volume XIII, Number 27



Brazil Bill Implements New Provisions for International Data Transfers

The Bill’s provisions on international data transfers are most relevant to foreign companies that do business in Brazil.

The Brazilian government has issued a Bill for the Protection of Personal Data (Bill) for public consultation. The Bill follows the European Union (EU) concept of “adequate data protection” in the receiving country and the provisions of the Brazilian Civil Rights Framework for the Internet (in Portuguese, Marco Civil da Internet, officially Law No 12.965), the law that governs Internet use in Brazil. Compared to the Marco Civil, the Bill is more specific and covers all forms of the processing of personal data—not only via the Internet. According to Article 28 of the Bill, a data transfer from Brazil to countries without adequate data protection (which likely includes the United States) is legal only if one of the following five exceptions applies:

I - when the transfer is necessary for international judicial cooperation between public intelligence and investigation agencies, according to the instruments of international law;

II - when the transfer is necessary for the protection of life or physical safety of the owner or a third party;

III - when the competent body authorizes the transfer pursuant to a regulation;

IV - when the transfer results from a compromise assumed under an international cooperation agreement;

V - when the transfer is necessary for the enforcement of public policy or legal authority of the public service, made public pursuant to paragraph 1 of article 6.

Compared to the EU Data Protection Directive 95/46/EC (EU Directive) that is the likely role model for this part of the Bill, the above exemptions are more narrowly designed. For instance, they would not cover data transfer for “the establishment, exercise or defense of legal claims,” e.g., for e-discovery purposes in the United States as Article 26 (1)(c) of the EU Directive allows under certain conditions. Article 26 (1)(b) of the EU Directive also authorizes a data transfer if it “is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject's request.” The Bill doesn’t mention this possibility. Instead, it relies heavily on prior authorizations of the international data transfers by the applicable data protection agency and alternatively on individual consents:

  • Article 30 of the Bill states that an authorization of the applicable data protection agency shall be provided if the controller “offers sufficient guarantees that the general principles of protection and the holder's rights will be observed by means of contractual clauses approved for a specific transfer, contractual standard clauses or global corporate standards, in accordance with the regulation.” For this purpose, the data exporter and importer may

    • use approved Brazilian Model Clauses (not yet released), or

    • submit its internal privacy policies for approval (which are similar to the Binding Corporate Rules concept in Europe).

  • Individual consent is also possible as a legal basis, but each consent must be obtained separately and be based on “prior and specific information on the international character of the operation, warning about the risks involved, according to specific circumstances of [vulnerability] in the receiving country.”

  • It is unclear whether countries such as the EU/European Economic Area (EEA) Member States provide adequate protection. One motive for this reluctance could be that Brazil wants to keep this determination as a bargaining chip with the Europeans because Brazil is not yet recognized by the European Commission as a “country of adequate data protection for personal data” from the EU/EEA, in contrast to Argentina and Uruguay, which have already gained this status. Presumably, this is a longer process that could take many months. A country's data protection level will be assessed by the competent government agency and take into account the following:

I - general and specific rules of the legislation in force in the country of destination;

II - nature of the data;

III - compliance with the general principles of protection of personal data provided in the Brazilian Data Protection Law;

IV - adoption of security measures provided for in Regulation; and

V - other specific circumstances related to the transfer.

We also observe a provision on joint and several liability of the data exporter and the data importer under the law (Article 31 of the Bill), “regardless of fault,” that facilitates the law’s enforcement in Brazil and results in additional liability risks for data exporters and data importers.

At this stage, there are many variables and uncertainties with the Bill. For instance, we don’t yet know if the Brazilian Model Clauses will be issued at all, and if so, what they will look like and whether they will go beyond the already existing EU Standard Clauses for data controllers and data processors. The safest approach currently available to international companies that do business in Brazil is to disclose any international data transfers in the Brazilian Privacy Policy (especially if personal data is stored in the United States), the reasons why they are necessary, the transfer’s purposes, and a description of the risks in the receiving country. These companies should then ask the individual user or customer for specific consent on that basis. In any event, the Bill presents the Brazilian government’s initial views on the text of the law. Corporations and their data controllers should closely follow the next steps, which will include a revised Bill by the government (following public consultation), additional discussions, a vote in the Brazilian Congress, and potential implementation deadlines.

Copyright © 2023 by Morgan, Lewis & Bockius LLP. All Rights Reserved. National Law Review, Volume V, Number 53

About this Author

Mark Krotoski, Litigation attorney, Morgan Lewis

Mark L. Krotoski represents and advises clients on antitrust cartel investigations; cybersecurity and privacy matters; trade secret, economic espionage, fraud, and foreign corrupt practices cases; and government investigations. With nearly 20 years of experience as a federal prosecutor and a leader in the US Department of Justice (DOJ), Mark provides clients with a unique blend of litigation and investigative experience. He has tried 20 cases to verdict and successfully argued appeals before the US Court of Appeals for the Ninth and Sixth Circuits.

Stephanie "Tess" Blair, E-discovery and information governance attorney, Morgan Lewis

Tess Blair and her team offer full-cycle electronic discovery and information governance services to organizations across the globe. Tess is the founder and leader of Morgan Lewis’s eData practice, which seeks to combine great lawyering with technology and process to deliver real efficiency and value to clients. The team includes both lawyers and technologists who support a state-of-the-art data center and technology portfolio to deliver comprehensive counseling and technical services under one roof.

Barbara Melby, Morgan Lewis, data privacy and cybersecurity lawyer

Barbara Melby has been active in the outsourcing and technology transaction legal market for the last 25 years. As leader of the firm’s technology, outsourcing & commercial transactions practice, she represents clients in such complex transactions as outsourcing, strategic alliances, technology and data-related agreements, and other services transactions. She also advises businesses on privacy and security issues that arise in transactions involving sensitive data and technologies.

Gregory Parks, privacy and cybersecurity lawyer, Morgan Lewis

Gregory T. Parks counsels and defends retail companies and other consumer facing clients in matters related to privacy and cybersecurity, class actions and Attorney General actions, consumer protection laws, loyalty and gift card programs, retail operations, payment mechanisms, product liability, waste management, shoplifting prevention, compliance, antitrust, and commercial disputes. If it is important to a retail company, Greg makes it his business to know it. He handles all phases of litigation, trial, and appeal work arising from these and other areas. Greg is the co...

Dr. Axel Spies, Telecommunications and technology lawyer, Morgan Lewis
Special Legal Consultant

Dr. Axel Spies has advised clients for many years on various international issues, including licensing, competition, corporate issues, and new technologies such as cloud computing. He counsels on international data protection (EU General Data Protection Regulation), international data transfers (Privacy Shield), healthcare, technology licensing, e-discovery, and equity purchases. A member of the Sedona Conference on Electronic Discovery, Dr. Spies is frequently quoted in the media for his telecommunications and privacy knowledge.