Brazil Bill Implements New Provisions for International Data Transfers
The Bill’s provisions on international data transfers are most relevant to foreign companies that do business in Brazil.
The Brazilian government has issued a Bill for the Protection of Personal Data (Bill) for public consultation. The Bill follows the European Union (EU) concept of “adequate data protection” in the receiving country and the provisions of the Brazilian Civil Rights Framework for the Internet (in Portuguese, Marco Civil da Internet, officially Law No 12.965), the law that governs Internet use in Brazil. Compared to the Marco Civil, the Bill is more specific and covers all forms of the processing of personal data—not only via the Internet. According to Article 28 of the Bill, a data transfer from Brazil to countries without adequate data protection (which likely includes the United States) is legal only if one of the following five exceptions applies:
I - when the transfer is necessary for international judicial cooperation between public intelligence and investigation agencies, according to the instruments of international law;
II - when the transfer is necessary for the protection of life or physical safety of the owner or a third party;
III - when the competent body authorizes the transfer pursuant to a regulation;
IV - when the transfer results from a compromise assumed under an international cooperation agreement;
V - when the transfer is necessary for the enforcement of public policy or legal authority of the public service, made public pursuant to paragraph 1 of article 6.
Compared to the EU Data Protection Directive 95/46/EC (EU Directive) that is the likely role model for this part of the Bill, the above exemptions are more narrowly designed. For instance, they would not cover data transfer for “the establishment, exercise or defense of legal claims,” e.g., for e-discovery purposes in the United States as Article 26 (1)(c) of the EU Directive allows under certain conditions. Article 26 (1)(b) of the EU Directive also authorizes a data transfer if it “is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject's request.” The Bill doesn’t mention this possibility. Instead, it relies heavily on prior authorizations of the international data transfers by the applicable data protection agency and alternatively on individual consents:
Article 30 of the Bill states that an authorization of the applicable data protection agency shall be provided if the controller “offers sufficient guarantees that the general principles of protection and the holder's rights will be observed by means of contractual clauses approved for a specific transfer, contractual standard clauses or global corporate standards, in accordance with the regulation.” For this purpose, the data exporter and importer may
use approved Brazilian Model Clauses (not yet released), or
submit its internal privacy policies for approval (which are similar to the Binding Corporate Rules concept in Europe).
Individual consent is also possible as a legal basis, but each consent must be obtained separately and be based on “prior and specific information on the international character of the operation, warning about the risks involved, according to specific circumstances of [vulnerability] in the receiving country.”
It is unclear whether countries such as the EU/European Economic Area (EEA) Member States provide adequate protection. One motive for this reluctance could be that Brazil wants to keep this determination as a bargaining chip with the Europeans because Brazil is not yet recognized by the European Commission as a “country of adequate data protection for personal data” from the EU/EEA, in contrast to Argentina and Uruguay, which have already gained this status. Presumably, this is a longer process that could take many months. A country's data protection level will be assessed by the competent government agency and take into account the following:
I - general and specific rules of the legislation in force in the country of destination;
II - nature of the data;
III - compliance with the general principles of protection of personal data provided in the Brazilian Data Protection Law;
IV - adoption of security measures provided for in Regulation; and
V - other specific circumstances related to the transfer.
We also observe a provision on joint and several liability of the data exporter and the data importer under the law (Article 31 of the Bill)—“regardless of fault” that facilitates the law’s enforcement in Brazil and results in additional liability risks for data exporters and data importers.