Data Protection & Privacy
Jurisdictional comparisons
Second edition 2014

Preface: Monika Kuschewsky, Covington & Burling LLP

Forewords:
Isabelle Falque-Pierrotin, Chair of the CNIL and Chair of the Article 29 Working Party
Kamala D. Harris, Attorney General, California Department of Justice
Hielke Hijmans, Head of Unit, EDPS
Jean Gonié, Director of Privacy Policy, Microsoft Europe, Middle East and Africa

Regional Summary: Asia-Pacific: Scott Livingston, Covington & Burling LLP
Regional Summary: Latin America: Stephen Satterfield, Covington & Burling LLP

Country chapters and contributors:
Argentina: Gustavo P. Giay & Mariano J. Peruzzotti, Marval, O’Farrell & Mairal
Australia: Peter Leonard, Michael Burnett & Ewan Scobie, Gilbert + Tobin
Austria: Dr Rainer Knyrim, Preslmayr Rechtsanwälte OG
Belgium: Monika Kuschewsky & Kristof Van Quathem, Covington & Burling LLP
Brazil: Renato Opice Blum, Juliana Abrusio & Rita P. Ferreira Blum, Opice Blum, Bruno, Abrusio and Vainzof Attorneys at Law
Chile: Pablo Palma Calderón, Palma & Palma Abogados
Colombia: Daniel Peña & Diego Arévalo, Peña Mancero Abogados
Czech Republic: Richard Otevřel, Havel, Holásek & Partners
Denmark: Johnny Petersen, Delacour Dania
Estonia: Pirkko-Liis Harkmaa & Martin-Kaspar Sild, LAWIN Attorneys at Law
EU: Monika Kuschewsky, Covington & Burling LLP
EU Institutions & Bodies: Philippe Renaudière, Data Protection Officer, European Commission
France: Raphaël Dana & Tressy Ekoukou, Sarrut Avocats
Germany: Monika Kuschewsky, Covington & Burling LLP
India: Vijay Pal Dalmia & Pavit Singh Katoch, Vaish Associates Advocates
Republic of Ireland: Jeanne Kelly & Aoife Young, Mason, Hayes & Curran
Israel: Yoheved Novogroder-Shoshan, Yigal Arnon & Co
Italy: Gerolamo Pellicanò & Giovanna Boschetti, CBA Studio Legale e Tributario
Japan: Chie Kasahara, Atsumi & Sakai
Lithuania: Dr Jaunius Gumbis & Julius Zaleskis, LAWIN Lideika, Petrauskas, Valiūnas ir partneriai
Malaysia: Deepak Pillai, Haryati Deepak
Malta: Michael Zammit Maempel, GVTH Advocates
Mexico: Cédric Laurant & Liliana Arellano, Dumont Bergman Bider & Co., S.C.
Netherlands: Polo van der Putt & Tessa Stallaert, Vondst Advocaten
Philippines: Noel A. Laman & Dina D. Lucenario, Castillo Laman Tan Pantaleon & San Jose
Poland: Agata Szeliga, Sołtysiński, Kawecki & Szlęzak
Portugal: Mónica Oliveira Costa, Coelho Ribeiro e Associados
Romania: Roxana Ionescu & Ovidiu Balaceanu, Nestor Nestor Diculescu Kingston Petersen
Singapore: Lam Chung Nian, WongPartnership LLP
Slovakia: Richard Otevřel, Jaroslav Šuchman & Vladimír Troják, Havel, Holásek & Partners
Slovenia: David Premelč & Sandra Kajtazović, Rojs, Peljhan, Prelesnik & Partners
Spain: Cecilia Álvarez Rigaudias, Uría Menéndez
Sweden: Erica Wiking Häger & Anna Nidén, Mannheimer Swartling
Switzerland: Dr Lukas Morscher & Christian Meisser, Lenz & Staehelin
Taiwan: Ken-Ying Tseng & Rebecca Hsiao, Lee and Li, Attorneys-at-Law
Turkey: Gönenç Gürkaynak & İlay Yılmaz, ELIG Attorneys-at-Law
United Kingdom: Daniel Cooper, Covington & Burling LLP
United States: Kurt Wimmer, Covington & Burling LLP

General Editor: Monika Kuschewsky, Covington & Burling LLP

Commercial Director: Katie Burrington
Commissioning Editor: Emily Kyriacou
Senior Editor: Paul Nash
Publishing Assistant: Nicola Pender
Design and Production: Dawn McGovern

Published in 2014 by Thomson Reuters (Professional) UK Limited trading as Sweet & Maxwell, Friars House, 160 Blackfriars Road, London SE1 8EZ (Registered in England & Wales, Company No 1679046. Registered Office and address for service: 2nd floor, Aldgate House, 33 Aldgate High Street, London EC3N 1DL).

A CIP catalogue record for this book is available from the British Library.
ISBN: 9780414032521
Thomson Reuters and the Thomson Reuters logo are trade marks of Thomson Reuters.
Crown copyright material is reproduced with the permission of the Controller of HMSO and the Queen’s Printer for Scotland.
While all reasonable care has been taken to ensure the accuracy of the publication, the publishers cannot accept responsibility for any errors or omissions. This publication is protected by international copyright law. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, or stored in any retrieval system of any nature without prior written permission, except for permitted fair dealing under the Copyright, Designs and Patents Act 1988, or in accordance with the terms of a licence issued by the Copyright Licensing Agency in respect of photocopying and/or reprographic reproduction. Application for permission for other use of copyright material including permission to reproduce extracts in other published works shall be made to the publishers. Full acknowledgement of author, publisher and source must be given.

© 2014 Thomson Reuters (Professional) UK Limited

Contents

Preface (p. v): Monika Kuschewsky, Covington & Burling LLP

Forewords:
Isabelle Falque-Pierrotin (p. 1): Chair of the CNIL and Chair of the Article 29 Working Party
Kamala D. Harris (p. 3): Attorney General, California Department of Justice
Hielke Hijmans (p. 5): Head of Unit, EDPS
Jean Gonié (p. 7): Director of Privacy Policy, Microsoft Europe, Middle East and Africa

Regional Summary: Asia-Pacific (p. 9): Scott Livingston, Covington & Burling LLP
Regional Summary: Latin America (p. 13): Stephen Satterfield, Covington & Burling LLP

Argentina (p. 17): Gustavo P. Giay & Mariano J. Peruzzotti, Marval, O’Farrell & Mairal
Australia (p. 35): Peter Leonard, Michael Burnett & Ewan Scobie, Gilbert + Tobin
Austria (p. 65): Dr Rainer Knyrim, Preslmayr Rechtsanwälte OG
Belgium (p. 89): Monika Kuschewsky & Kristof Van Quathem, Covington & Burling LLP
Brazil (p. 113): Renato Opice Blum, Juliana Abrusio & Rita P. Ferreira Blum, Opice Blum, Bruno, Abrusio and Vainzof Attorneys at Law
Chile (p. 131): Pablo Palma Calderón, Palma & Palma Abogados
Colombia (p. 147): Daniel Peña & Diego Arévalo, Peña Mancero Abogados
Czech Republic (p. 173): Richard Otevřel, Havel, Holásek & Partners
Denmark (p. 195): Johnny Petersen, Delacour Law Firm
Estonia (p. 215): Pirkko-Liis Harkmaa & Martin-Kaspar Sild, LAWIN Attorneys at Law
EU Institutions & Bodies (p. 233): Philippe Renaudière, Data Protection Officer, European Commission
European Union (p. 255): Monika Kuschewsky, Covington & Burling LLP
France (p. 291): Raphaël Dana & Tressy Ekoukou, Sarrut Avocats
Germany (p. 313): Monika Kuschewsky, Covington & Burling LLP
India (p. 347): Vijay Pal Dalmia & Pavit Singh Katoch, Vaish Associates Advocates
Republic of Ireland (p. 363): Jeanne Kelly & Aoife Young, Mason Hayes & Curran
Israel (p. 383): Yoheved Novogroder-Shoshan, Yigal Arnon & Co
Italy (p. 415): Gerolamo Pellicanò & Giovanna Boschetti, CBA Studio Legale e Tributario
Japan (p. 435): Chie Kasahara, Atsumi & Sakai
Lithuania (p. 451): Dr Jaunius Gumbis & Julius Zaleskis, LAWIN Lideika, Petrauskas, Valiūnas ir partneriai
Malaysia (p. 473): Deepak Pillai, Haryati Deepak
Malta (p. 499): Michael Zammit Maempel, GVTH Advocates
Mexico (p. 521): Cédric Laurant & Liliana Arellano, Dumont Bergman Bider & Co, S.C.
Netherlands (p. 551): Polo van der Putt & Tessa Stallaert, Vondst Advocaten NV
Philippines (p. 573): Noel A. Laman & Dina D. Lucenario, Castillo Laman Tan Pantaleon & San Jose
Poland (p. 591): Agata Szeliga, Sołtysiński, Kawecki & Szlęzak
Portugal (p. 621): Mónica Oliveira Costa, Coelho Ribeiro e Associados
Romania (p. 643): Roxana Ionescu & Ovidiu Balaceanu, Nestor Nestor Diculescu Kingston Petersen
Singapore (p. 671): Lam Chung Nian, WongPartnership LLP
Slovakia (p. 691): Richard Otevřel, Jaroslav Šuchman & Vladimír Troják, Havel, Holásek & Partners
Slovenia (p. 715): David Premelč & Sandra Kajtazović, Rojs, Peljhan, Prelesnik & Partners
Spain (p. 745): Cecilia Álvarez Rigaudias, Uría Menéndez
Sweden (p. 769): Erica Wiking Häger & Anna Nidén, Mannheimer Swartling
Switzerland (p. 795): Dr Lukas Morscher & Christian Meisser, Lenz & Staehelin
Taiwan (p. 817): Ken-Ying Tseng & Rebecca Hsiao, Lee and Li, Attorneys At Law
Turkey (p. 835): Gönenç Gürkaynak & İlay Yılmaz, ELIG, Attorneys-at-Law
United Kingdom (p. 853): Daniel Cooper, Covington & Burling LLP
United States (p. 885): Kurt Wimmer, Covington & Burling LLP
Contacts (p. 911)

EUROPEAN LAWYER REFERENCE SERIES

Preface
Monika Kuschewsky, Covington & Burling LLP

I am very pleased to present the second edition of this multi-jurisdictional handbook on data protection and privacy. The new edition is timely, as data protection has never been more prominent. This is not only due to the ongoing data protection reform debate in the EU and the ‘Snowden revelations’ in connection with US agencies’ surveillance activities, but there have been numerous developments all over the world, such as the data broker investigation of the US Federal Trade Commission, the US White House’s Big Data Report, prominent data security breaches or the recent privacy sweeps of the Global Privacy Enforcement Network (the ‘GPEN’) targeting privacy practice transparency and mobile apps, to mention just a few examples. Governments try to keep abreast of the technological developments by adjusting legal frameworks which pre-date the Internet to the modern globalised interconnected world.
The Council of Europe continues its work on the modernisation of the 1981 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (‘Convention 108’), while the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data were updated in 2013. In December 2013, the UN General Assembly adopted a resolution proposed by Germany and Brazil on protecting online privacy, and there is a growing number of countries with data protection laws. Global corporations are also delving deeper into data protection – for instance, this topic was at the core of last year’s October meeting of the World Economic Forum. Data protection is cropping up in international agreements, such as the proposed agreement between the EU and Switzerland concerning cooperation on the application of their competition laws. The EU and the US continue negotiating an umbrella agreement for transfers and processing of data in the context of police and judicial cooperation and have started negotiations on the EU–US Safe Harbour scheme.

Data protection matters also increasingly are finding their way to the EU’s highest court. After the rulings on the independence of the supervisory authorities in Austria and Germany in 2010 and 2012 respectively and more recently regarding Hungary, in the first half of 2014 the Court of Justice of the European Union issued two landmark rulings on the EU Data Retention Directive and in the so-called ‘Google Spain’ case.

This second edition covers the major developments and trends that have occurred in the two years since the first edition was published. Although the reform process of the EU data protection legal framework has stalled, the data protection landscape has undergone significant changes everywhere. This edition features 38 major jurisdictions from five continents, eight more than the first edition, and includes countries that have only recently adopted data protection legislation for the first time. In addition to a chapter on the EU, it also contains two regional summaries on data protection law in both the Asia-Pacific and Latin America. We have added a number of sections to address the data protection implications of some of the major technological developments such as big data, mobile apps, cloud computing and Bring Your Own Device (‘BYOD’). Obviously, this book does not endeavour to cover any of these topics comprehensively and cannot substitute for the advice of local counsel. Rather, our goal was to provide a starting point for companies, legal professionals and data protection officers, reflecting the status of the law at the time of writing.

This edition covers, in summary form, key aspects of existing data protection and privacy laws and pending legislation; the data protection authorities; the legal basis for data processing and data quality requirements; information, registration and security obligations; rules on outsourcing and on international data transfers; rights of individuals, as well as enforcement trends, sanctions, remedies and liability. We also separately address major elements of accountability; in particular, data protection impact assessments, audits, seals, data protection officers and industry self-regulation by codes of conduct. We have kept the reader-friendly Q&A format, which allows for easy cross-jurisdictional comparisons on key issues. The Q&As have been slightly restructured. Importantly, we give more room to sector-specific rules, such as in the health, finance and telecoms industries, and also to data breach notification and cybersecurity laws. Given the importance of employee data protection for all organisations, irrespective of their business activities and industry sector, we also dedicate an entire section to the specific rules that apply in the employment context.

I would like to thank the contributors to this book, who are leading local practitioners and experts in the field of data protection and privacy, and also welcome the data protection officer of the European Commission as a new contributor. The book not only demonstrates the diversity in approach to data protection and privacy, but also highlights a number of commonalities. I therefore hope that it will not only help to get a better understanding of the different rules, but also point the way towards greater interoperability and convergence, which is urgently needed. I would like to thank my colleagues and staff members at Covington & Burling LLP as well as the publisher for their contributions and support.

July 2014

Foreword
Isabelle Falque-Pierrotin, Chair of the CNIL (Commission nationale de l’informatique et des libertés), Chair of the Article 29 Working Party

Never was so much said and written about the protection of personal data. Every day, one hears of the data privacy challenges raised by the launching of a new product or service, the development of a technological trend, the announcement of a merger or the acquisition of a new company by a major Internet player. Such a development is not surprising. Within a few years, we have entered the world of ‘datification’, a word coined to illustrate the major importance which personal data now holds, whether in economic, social, political or even ethical terms.
Big data is the new iconic trend; personal data is presented as the ‘fuel’ or the ‘raw material’ of the new economy; predictive models of exceptionally high accuracy are to be implemented to fight against terrorism and crime, improve online or offline retail, optimise Internet-based dating services etc. Beyond slogans used in the media or for marketing purposes, a new reality has emerged. Data now feeds all the services of the information society, as they are developed by Internet giants who have put data at the heart of their business models, or by traditional economic players who routinely process data for their daily business and to innovate. Little by little, the online world interconnects with the physical world: the Internet of things and the quantified-self movement bear witness to this evolution.

When the first data protection laws were passed in Europe and Northern America in the 1970s, no one could reasonably anticipate that some would assimilate personal data to common consumer goods, the trade with which would define totally new markets driven by incredibly powerful economic forces operating at worldwide level. Nor could one anticipate that data protection would once be put forward as a competitive advantage by industrial players or start-ups.

These evolutions have major consequences in terms of regulation. Within a few years, all the major texts applicable to the protection of personal data in the different parts of the world have entered parallel revision processes aiming at adapting privacy rules to the 21st century. In Europe, both Convention 108 of the Council of Europe of 28 January 1981 and the EU Data Protection Directive 95/46/EC of 24 October 1995 are being revised, giving rise to unprecedented lobbying in Brussels or Strasbourg. On the international level, the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data of 23 September 1980 are also being renegotiated. In 2012, the Obama administration also presented a new Consumer Privacy Bill of Rights, essentially based on the principles of the OECD guidelines.

These developments cannot be considered separately: international competition on the relevant digital markets necessarily echoes the interpenetration of national, regional and international regulatory frameworks – sometimes even the collision between them. In practical terms, this means that different privacy rules may apply at global level, which can entail important challenges in terms of compliance, namely for global players. Deep down, these developments push the need to seek the adoption of a global standard for data protection. But such an objective is not realistic in the short run because it involves reconciling different philosophies in privacy and data protection (fundamental rights on the one side, consumer rights on the other) as well as different cultures in terms of regulation. Personally, I also believe that this diversity is a collective asset. Therefore, seeking an alternative is possible, bearing in mind that all existing instruments have their own merits and that it certainly makes more sense to promote efforts to ensure their interoperability.

A first example of this collaborative approach can be found in the elaboration of the recent referential on EU Binding Corporate Rules and the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules. A few years ago, the Article 29 Working Party and APEC decided to work together on the subject, trying to build on their shared similarities rather than on their dividing differences. Together, we thought that there was great value in trying to compare, map and analyse these tools. After almost three years of exchanges, this highly successful cooperation led to the finalisation of a referential that gives, in a single document, all the requirements which a multinational entity should follow and respect in order to obtain a double certification of its privacy practices. This pragmatic tool is a useful deliverable – a concrete outcome for multinational entities operating in both geographical zones. We succeeded, even with our differences.

Indeed, the data protection field is a perfect laboratory for globalisation and the development of innovative methods that can bridge cultural and legal differences. It is one of the many virtues of a comprehensive publication like this to provide professionals with the necessary material to build such bridges, beyond the indispensable task of advising their clients on compliance, users’ expectations and regulators’ requirements. I therefore wish to congratulate the editors for taking the initiative to publish a second edition of this handbook. It will, no doubt, contribute to make progress in the implementation of data protection and privacy laws in the EU and elsewhere.

Foreword
Kamala D. Harris, Attorney General, California Department of Justice

For more than 40 years, California’s constitution and state statutes have been at the vanguard of privacy law. We enacted the US’ first data breach notification law in 2002, as well as the first law ensuring online privacy rights for consumers in 2003. I believe it is fair to say that, generally, Californians enjoy a broader range of privacy rights than any other state in the country. Each year, the California Legislature considers many bills on privacy issues, and so far in 2014, at least 12 new bills have been introduced. Moreover, California has often led the way for federal regulation, as in the case of the 2003 amendments to the Fair Credit Reporting Act that introduced several identity-theft protections and remedies.
California’s privacy laws have also achieved international influence. Above all, California has proven that robust and balanced privacy protection is fully consistent with a thriving innovation economy. As California’s Attorney General, I am proud that our state is at the center of a revolution in digital technology. Leading US tech companies like Apple, Google, Oracle, Facebook, Qualcomm, Intel, Cisco and Twitter are all headquartered in California, which in part explains why we have the ninth largest global economy in the world. These Californian companies are building technologies that are literally changing the world and how we live. Policymakers, regulators and lawyers need to understand what is driving these changes.

Four trends lie at the core of this technology revolution. First, the speed of microprocessors has doubled every two years or so over the last 30 years. As a result, lightweight and mobile computer devices are now part of everyday life. Second, the Internet – a global system of interconnected computer networks – has profoundly empowered digital devices. Third, data storage has become increasingly more powerful and less expensive: devices that fit in our pockets can store more data than a room-sized mainframe from the last decade. Consequently, the volume and detail of electronically stored data has exploded. Finally, our ability to process large and complex data sets has grown exponentially, so that we are able to draw increasingly meaningful inferences and uses from the data that we generate.

As a result of these trends, California – and the world – is on the verge of an historic turning point as profound as the invention of the wheel, the advent of the printing press or the Industrial Revolution. To fully realize this digital revolution, the public sector must embrace it in a way that fulfils the promise of government, promotes innovation and preserves core values. Moreover, in our connected world, we must all be mindful that the privacy laws of one jurisdiction likely have global impact.

For these reasons, I welcome with great enthusiasm the second edition of the cross-border Data Protection & Privacy treatise of The European Lawyer Reference Series, which provides a comparative overview of data protection and privacy laws of multiple jurisdictions across the globe, including California. A guide like this helps attorneys and privacy practitioners to navigate the regulatory landscape as personal data moves rapidly through the borderless world of the Internet, while also ensuring that regulators everywhere understand the impact of their actions on individuals, small businesses and multinational companies subject to privacy requirements across many jurisdictions.

Foreword
Hielke Hijmans, Head of Unit, EDPS

I am pleased to write one of the forewords for this second edition of the multi-jurisdictional handbook on privacy and data protection. This book comes at the right time. As we all know, it is impossible to deal with privacy and data protection in the present interconnected world without recognising that the application of data protection law necessarily has multi-jurisdictional elements. On the Internet, one always has to deal with the extraterritorial application of laws and, as a result, with conflicts of jurisdiction. Citizens need protection, including when their personal data is processed outside their own jurisdiction. To illustrate this, it is sufficient to mention some major events in the area of privacy and data protection that we have been confronted with in recent years as lawyers and policymakers at European level.
In January 2012, the European Commission adopted its proposal for a General Data Protection Regulation, which aims at putting an end to the fragmentation of data protection law within the EU, by creating one data protection law for the entire EU, replacing the general national laws of the Member States in this area. This proposal will therefore end or diminish many jurisdictional issues within the territory of the Union. This is not the place to analyse to what extent this result will be achieved, but it is the strategic goal. At the same time, the proposed Regulation creates new jurisdictional issues by widening the scope of application of European data protection law to data processing activities of non-EU data controllers to all situations where they offer goods or services to data subjects in the EU or monitor their behaviour.

In the summer of 2013, we were confronted with the revelations about the wide access by the US National Security Agency (the ‘NSA’) to personal data of citizens living in countries all over the world. It is important to note that this involved citizens who do not move outside the EU, or sometimes do not even engage with companies in third countries. Due to the structure of the Internet it was possible for the authorities of one country (the US in this case) to have access to personal data at global level, which necessarily infringes the data protection laws of other countries. The NSA scandal demonstrates that the extraterritorial application of data protection law and the positive conflicts of jurisdiction are unavoidable in an interconnected world.

In the spring of 2014, the Court of Justice of the EU (the ‘CJEU’) delivered two landmark judgments that not only gave a wide interpretation of the rights to privacy and data protection enshrined in Articles 7 and 8 of the Charter of the Fundamental Rights of the European Union (the ‘Charter’), but also have clear implications for the application of EU law outside the territory of the EU. By doing so, they impact on other jurisdictions.

In Joined cases C-293/12 and C-594/12C (Digital Rights Ireland and Seitlinger), the Court annulled the EU Data Retention Directive because it did not respect the Charter. Of course, this judgment has primarily an internal effect within the EU since it annuls a directive providing for the obligation of telecommunications providers to store telecommunications data, but it also has external effects. This is because the strong emphasis on a high standard for fundamental rights shall also be upheld in the external policies of the EU. For instance, when the European institutions negotiate agreements or other arrangements with third countries or international organisations, they can be held accountable for ensuring a high level of data protection. This will unavoidably have repercussions on the relationship with other jurisdictions.

The second judgment, Google Spain (C-131/12), is equally important since the CJEU gives a wide interpretation of the territorial scope of EU data protection law in a case concerning the activities of a company headquartered outside the EU in a third country. The CJEU held that the activities of a search engine, which explores the Internet automatically, constantly and systematically in search of information that is published there, are considered ‘processing’ of personal data. The search engine – irrespective of the place of its main establishment – was considered a data controller subject to EU data protection law. As a result, the non-EU-based search engine is arguably – at least as far as EU citizens are affected – subject to EU data protection law, which will unavoidably lead to the simultaneous application of different legal systems to the same activities and may therefore give rise to jurisdictional issues.

All of the aforementioned events show the relevance of this book. I would like to add that a situation where the same activities are subject to the rules of multiple jurisdictions is not necessarily bad, provided that the obligations stemming from these different jurisdictions do not conflict. In other words, the different legal systems should be compatible. ‘Interoperability’ is a word that is often used in this context. Where needed, new bridges have to be built, for instance to reconcile the approach in the EU, and – more widely, in the Council of Europe, which is strongly human rights-directed – with other legal systems where privacy may be primarily seen as a concern for the consumer rather than for all individuals. This is, for instance, the case in the US, where enforcement of ‘data privacy’ – as it is called there – is to a large extent a task of the Federal Trade Commission as part of consumer protection. Of course, in order to build bridges, a deep understanding of the diverging legal systems around the world is needed, not only of those of the EU or European countries and the US. This book, which describes and analyses so many jurisdictions, will definitely help in this huge task.

Brussels, May 2014
(The views expressed are purely personal and do not reflect any position of the European Data Protection Supervisor.)

Foreword
Jean Gonié, Director of Privacy Policy, Microsoft Europe, Middle East and Africa

More and more people use online and mobile services to do email, online shopping, social networking and many other ‘big data’ activities. The world of data has changed such that data can be used today and in the future for beneficial purposes never envisioned before. Companies sit on a trove of data about our most banal daily pursuits. And the kind of data that they gather will only grow more diverse, especially as the rise of the ‘Internet of things’ and big data make daily interaction with sensors, screens and other data-capturing devices unavoidable.
This change is recent (90 per cent of the data ever created was created over the last two years) and will do nothing but grow (from 2012 to 2017 the machine-to-machine traffic will grow 24 times and there is an estimate that in 2020, 50 billion devices will be connected). Big data, the Internet of things, cloud computing, smart grid – these trends shape our future but also constitute new challenges for the future of privacy. Authorities are understandably concerned about the privacy of citizens as they engage in such online activities, and the EU has in many ways led the way in protecting citizens’ privacy, under data protection rules that date back to 1995. Everybody agrees that the EU data protection rules – now 19 years old – need to adapt to reflect the explosion of technology use. The technologies have redefined how, where and by whom data is collected, transmitted and used – raising fundamental questions on matters such as notice and consent, jurisdiction or geographic limitations on data flows. Improvements to the data protection regime are crucial to allow new technologies to thrive and contribute to technological innovation and growth in Europe. It is very important for any responsible company to support effective privacy protection for users, and clearer and more workable rules for businesses to achieve such protection. For a worldwide company like Microsoft, this requires a high degree of responsibility to ensure that we are doing the right thing. To address these challenges, a global organisation – like any other company – needs certainty and greater clarity, including about what law or laws apply to the processing of data and what the requirements are. 
We believe that each provision of any proposed data protection legislation should be tested against certain fundamental criteria such as certainty, flexibility – focusing on accountability and desired outcomes (eg consent), consistency and technology neutrality – avoiding preferences for particular technological solutions. EUROPEAN LAWYER REFERENCE SERIES 7 Foreword Microsoft has worked hard to ensure that all of our company’s products, services, processes and systems incorporate measures designed to help protect user privacy. A commitment to consumer privacy by design has long been an important part of Microsoft’s DNA. So as to get to know consumers’ expectations better, in April 2013 we launched a limited, consumer-focused marketing campaign ‘Your Privacy Is Our Priority’ in four countries. We surveyed 4,000 consumers in the UK, France, the US and in Germany to gain a quantitative perspective of how they feel about privacy issues. 84 per cent of those polled expressed concern about their online privacy. Only 47 per cent of the respondents were actively taking measures to protect their privacy online. Not surprisingly, there is a wide gap between interest and action. Our customers tell us they expect strong privacy protections as they use the Internet to find information, connect with friends, shop or manage their money online. Consumers also tell us that they want to take control of their personal information online through our products. For this purpose we have built our privacy model around the concept of ‘putting people first’, ensuring that citizens benefit from robust protections that safeguard their fundamental rights, while addressing their expectations in the digital era. In this regard, users should be informed of all possible risks in connection with their digital experience and should also be offered more control over their data via a robust user control model. Industry has an important task in an ever-evolving privacy landscape. 
The strongest commitment is to create trust and transparency. A popular maxim in IT circles states, ‘you can have security without privacy, but you can’t have privacy without security’. We can add that ‘you cannot have privacy without transparency’. All the challenges that a company like Microsoft now faces depend on users having confidence in our ability to responsibly manage and protect their data. Any company has to work closely with regulators, industry and civil society organisations to develop responsible business practices. It is also important to strengthen national and international legal frameworks for data protection.

Given the acceleration of the adoption of privacy laws all over the world (from less than 10 laws in the 1970s to more than 100 laws today), all players need to have robust and up-to-date references to guide them through this new environment. This book is clearly the vade mecum for privacy and data protection professionals who, more than ever, need a legal guide to navigate through the complex legal systems, including with respect to future developments.

Regional Summary: Asia-Pacific
Covington & Burling LLP
Scott Livingston

Data protection laws in the Asia-Pacific (the ‘AP’) defy easy categorisation. In a region characterised by vast differences in legal systems, economics and demographics, the establishment of national data protection laws has proceeded in an individualised and almost ad hoc manner. National laws adhere to many of the common features contained in data protection laws worldwide, but lack an internal consistency that would support the idea of a distinctly ‘Asian’ data privacy framework. Notwithstanding this lack of uniformity, the fact that more countries in the region have recently adopted comprehensive data protection laws suggests that there may be increasing opportunity for such countries to cooperate in the further development of regional standards.
Such regional cooperation is not without precedent. In 2004, the Asia-Pacific Economic Cooperation (‘APEC’) officially adopted the APEC Privacy Framework, a non-binding document setting out nine basic privacy principles intended to provide a minimum standard of privacy protection for APEC member countries:

• Preventing Harm: Personal information should not be misused in a manner that causes harm to an individual.
• Notice: Individuals should be properly notified of the purposes for which a personal information controller (a person or organisation who controls the collection, holding, processing or use of personal information) collects their personal information, their rights in the information and the identity of any potential recipients of the collected information.
• Collection Limitation: Collection of an individual’s personal information should be limited to only that information which is relevant to the purposes of the collection, and should be collected only with the individual’s consent.
• Uses of Personal Information: Personal information should only be used for fulfilment of the purposes notified to the individual or under certain other exceptions (eg where disclosure is legally required).
• Choice: Individuals should have a choice regarding whether an entity can collect, use and disclose their personal information.
• Integrity of Personal Information: Personal information controllers should keep all collected personal information accurate, complete and up to date.
• Security Safeguards: Personal information controllers should protect personal information with reasonable security safeguards.
• Access and Correction: Individuals should have the right to request information on their personal information stored by a personal information controller, and to have the opportunity to correct any mistakes in the information.
• Accountability: Personal information controllers should be held accountable for the treatment of personal information once it is transferred to third parties.

Based on the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, these nine principles should have paved the way for a regional standard equivalent to the EU Data Protection Directive (the ‘Directive’), but their impact has been limited due to the APEC Privacy Framework’s non-prescriptive approach and lack of a central enforcement body. While the framework has focused member countries’ attention on the need to develop national data protection laws, it has been criticised for its lack of detail and for providing baseline privacy protections that are actually weaker than those already contained in the laws of member countries such as Australia and Japan. As a result, member countries have adopted different ways to implement the APEC Privacy Framework, and AP data protection laws have, so far, lacked the cohesion of the Directive.

But while Asian countries may lack a commonly accepted regional standard, there has been a high level of legislative activity across the region, especially in recent years. Since 2012, national data protection laws have been promulgated for the first time in three of the eight countries identified in this edition (Singapore, the Philippines and Malaysia), while expanded measures supplementing previous national laws have been passed in Taiwan and Hong Kong, and are under consideration in India. Meanwhile, Australia and Japan – the region’s early adopters – have continued to tweak and refine their own national and sub-national laws and regulations. Interestingly, the emergence of these recent laws appears to have been influenced more by the Directive than by the APEC Privacy Framework or a US-style sectoral approach.
Some of this may be due partly to the continued impact of historical ties – Macau’s data protection laws, for example, appear to be heavily informed by the data protection laws of its former coloniser, Portugal – but a more persuasive argument may simply be that the EU data protection framework is increasingly becoming the global norm and that the APEC Privacy Framework fails to improve on the EU principles enough to constitute a viable alternative.

For instance, in Malaysia, the Personal Data Protection Act 2010 (the ‘PDP Act’), which came into force in November 2013, is reported to have been strongly influenced by the Directive in addition to the Hong Kong and UK data protection laws. Limited to commercial activities in the private sector (except for credit reporting), the PDP Act sets up a data protection authority to implement and enforce the law and also restricts overseas transfers of personal data. In the Philippines, the Data Privacy Act of 2012 applies to individuals’ personal data in information and communications systems in both the government and private sector. Like the Directive, it puts a strong emphasis on the principles of legitimacy, purpose limitation, transparency and proportionality.

Although less directly correlated with principles found in the Directive, the implementation of national data privacy laws in Singapore and Taiwan has also largely eschewed the type of sectoral, self-regulating approach found in the US in favour of broadly applicable rules protecting the security of individuals’ personal data. In Singapore, the enactment and implementation of the Personal Data Protection Act (Act 26 of 2012) provides a robust framework for the protection of individuals’ personal data by organisations.
In Taiwan, the Personal Data Protection Act of 2010 (effective October 2012) amended the 1995 Computer-Processed Personal Data Protection Act, expanding its coverage to all forms of personal data (and not merely ‘computer processed’) and differentiating between general and sensitive data.

Although lacking a distinct regional framework, the prospect of regional harmonisation amongst APEC members has recently increased as the region’s various countries consider joining a cross-border data scheme to ensure the integrity of data flows between member countries. Launched in 2011, the APEC Cross-Border Privacy Rules system (the ‘CBPR’) promotes a baseline set of privacy practices for organisations (ie businesses) across participating APEC economies. Under the CBPR, companies in member countries can attain certification of their privacy practices from approved ‘accountability agents’. Such certification then enables the organisation to transfer personal information overseas to other certified companies in the APEC region in a manner that promotes unified privacy rules across the region while providing an assurance of security for individuals whose personal information is transferred.

This scheme has similarities to the binding corporate rules (the ‘BCRs’) for international data transfers under the Directive, as reflected in the Referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in the EU and Cross Border Privacy Rules submitted to APEC CBPR Accountability Agents, which was endorsed by APEC senior officials and the Article 29 Data Protection Working Party in February 2014. That referential provides ‘an informal pragmatic checklist’ for organisations considering applying to either or both schemes, and indicates a number of significant commonalities between the two cross-border transfer mechanisms, despite remaining discrepancies.
In July 2012 and January 2013, the US and Mexico were approved as the CBPR’s initial participants, with Japan joining as the third member in June 2013. Although still in its early stages of implementation, the development of the CBPR points to the potential for greater cooperation among APEC member countries, and the possible future emergence of a more influential AP data protection standard.

Regional Summary: Latin America
Covington & Burling LLP
Stephen Satterfield

Latin America has one of the most dynamic – and, from a compliance standpoint, most challenging – data protection landscapes in the world. In the past four years alone, no fewer than six countries in the region have adopted comprehensive data protection laws. To varying degrees, these countries – Colombia, Costa Rica, the Dominican Republic, Mexico, Nicaragua and Peru – have followed the examples of Argentina and Uruguay, which enacted EU-style comprehensive legislation in 2000 and 2008, respectively.

The principal motivation behind these laws is legislators’ desire to provide basic rights for individuals against public and private entities that maintain personal data. Many of these laws were also enacted in order to secure an ‘adequacy’ finding from the European Commission and thereby promote the free flow of personal data – and the economic benefits that come with it – to and from Europe. So far, Argentina and Uruguay have been declared adequate, and other countries in the region are sure to follow.

But while spurring economic growth by enhancing trade ties with Europe has been a goal underlying the push for data protection laws in Latin America, the resulting laws have given some businesses pause as they consider expanding into the region’s emerging economies.
These laws’ reliance on certain concepts (eg cross-border transfer restrictions) from the nearly two-decade-old EU Data Protection Directive 95/46/EC (the ‘Directive’) could present compliance challenges for companies that provide or rely on 21st-century technologies, such as cloud computing. And some of the laws appear to go beyond the already-strict obligations imposed by the Directive – not to mention the more modest approach to the regulation of data processing in the US, a key trading partner for many countries in the region. Uncertainty about whether and how the laws will be enforced by the newly created data protection authorities compounds these issues.

At the foundation of data protection law in Latin America is the writ of ‘habeas data’, which protects individuals’ rights to access their own personal data, correct inaccuracies and (at least in some countries) have their data destroyed. These rights are embodied in constitutions and laws throughout the region, and usually apply regardless of whether the personal data is held by a public or private entity. Habeas data rights were first introduced in Latin America in Brazil’s 1988 Constitution, and were quickly adopted thereafter by a number of other countries, including Argentina, Bolivia, Colombia, the Dominican Republic, Guatemala, Mexico, Panama, Paraguay, Peru and Venezuela. Translated literally, ‘habeas data’ means ‘you should have the data’. An individual generally seeks the writ by bringing an action in a constitutional court asking that the entity in possession of the personal data be required to give the individual access or correction rights.
This has led some to criticise habeas data as reactive – because it typically provides individuals relief only after an issue has arisen with regard to their personal data – and to contrast it with comprehensive data protection regimes that require entities that maintain personal data to take proactive measures to protect it.

Partly in reaction to this criticism, many countries in the region have enacted comprehensive data protection laws in the 21st century. Beginning with the enactment of Argentina’s landmark Personal Data Protection Act in 2000, comprehensive laws modelled on the Directive have emerged in many Latin American countries, including Colombia, Costa Rica, the Dominican Republic, Mexico, Nicaragua, Peru and Uruguay. (In addition, Chile’s Personal Data Protection Act contains many of the elements that characterise the EU’s approach to data protection, and proposals are pending that would bring the law in line with the comprehensive laws in these other countries.) These laws generally include the following types of provisions:

• Establishment of data protection authority and database registration requirements. Most of the laws provide for the establishment of a data protection authority and require data controllers – entities that determine the purposes and means of processing personal data – to register with that authority. The laws in Chile and the Dominican Republic do not provide for a data protection authority, and in certain other countries, the authority called for by the law has not yet been established. Database registration requirements are the norm throughout the region, with Mexico’s and Peru’s laws standing as notable exceptions.
• Notice and consent requirements. The laws generally require data controllers to notify individuals about the types of personal data that will be processed, the purposes of the processing, the entities with which the data will be shared, and individuals’ rights with respect to the data.
The laws also generally require the data controller to obtain the consent of the individual before processing the data. Many of the laws require that consent be ‘express’, with several providing further that the consent be in writing (at least in certain circumstances). Mexico’s and Nicaragua’s laws are notable exceptions to this approach, with each providing that implied consent is permissible for most types of data processing.
• Access, correction, cancellation and objection rights. The laws also generally provide individuals with robust rights to access personal data about them that is held by the data controller, as well as rights to request that the data controller correct erroneous data, to delete (or ‘cancel’) data, and to object to (or oppose) certain forms of data processing. The procedures for exercising these rights are often the most detailed aspects of these laws, a fact that reflects the region’s experience with habeas data, which, in many ways, is the predecessor to these rights. Some of these laws go well beyond habeas data, however. Most notable in this regard is Nicaragua’s law, which codifies a right to ‘digital oblivion’. This right – which is similar to the ‘right to be forgotten’ contained in the European Commission’s proposed General Data Protection Regulation – permits individuals to request that providers of social networking services (and other online service providers) delete the individual’s personal data from their databases.
• Security, integrity and retention requirements. The laws generally require data controllers to take appropriate technical and administrative security measures to protect personal data and prevent its unauthorised access, use, alteration or disclosure. In addition, data protection authorities in countries such as Argentina and Mexico have promulgated more specific security standards.
The laws also generally require data controllers to ensure that personal data they maintain is adequate, relevant and correct, and that the data is retained only for so long as necessary to fulfil the purpose for which it was collected. Notably, Costa Rica’s law limits the amount of time for which a data controller may store personal data to ten years, unless a longer period is required by law or the data is anonymised.
• Breach notification requirements. Several countries – including Colombia, Costa Rica, Mexico and Uruguay – require data controllers to disclose data security incidents to affected individuals and/or data protection authorities. The laws vary with respect to the types of incidents that require disclosure and the persons or entities to whom the disclosure must be made. For example, while Colombia’s law requires notification of certain incidents to be provided to the data protection authority, Mexico’s law requires notice only to affected individuals.
• Cross-border transfer restrictions. Many of the laws have provisions that restrict data controllers’ ability to transfer personal data to other countries. Most of these provisions permit transfer only to countries with ‘adequate’ data protection laws, unless the individual consents or another exception permits transfer to another country. (In some countries, including Colombia, cross-border transfers between data controllers and data processors may be subject to less onerous requirements.) Even in countries without specific cross-border transfer rules, such as Costa Rica, data controllers still must comply with general transfer restrictions, which often require prior express consent from individuals before personal data may be transferred to any third party, foreign or domestic.

These common elements notwithstanding, there is notable variation in how Latin American countries have chosen to approach data protection.
While many have chosen to adhere closely to EU-style legislation, others have drawn from other regimes and principles and even implemented novel approaches.

Mexico’s approach stands out in many respects. Inspired by the Asia-Pacific Economic Cooperation (‘APEC’) framework and displaying some of the moderate features that characterise the approach of its neighbour, the US, Mexico’s law attempts to strike a balance between protecting the rights of individuals and accommodating the legitimate needs of businesses. So, for example, Mexico’s law generally focuses more on the importance of keeping individuals informed about data processing than it does on obtaining prior consent. As noted above, Mexico’s law permits implied consent for most types of data processing, and only requires more robust forms of consent when the processing involves more sensitive data. This graduated approach to consent is reminiscent of guidance from the Federal Trade Commission in the US, which generally encourages companies to provide notice and choice with respect to certain data practices, but advises that affirmative express consent is only appropriate for the processing of certain types of information (such as health, financial, children’s and geolocation data).

In addition, although Mexico’s law includes a provision restricting cross-border data transfers, this provision is far more nuanced than similar provisions in the laws of other countries in the region. For example, the law permits transfers among business affiliates without the consent of the individual, provided that the transferee organisation follows the same data protection policies as the transferor. This is a key provision for the many multinational companies with offices in the country.
Finally, and perhaps most notably, the regulation implementing Mexico’s law includes a separate framework that addresses the unique data processing relationships that characterise cloud computing. Like Mexico’s law in general, the framework seeks to address individuals’ privacy interests while still encouraging the development of what promises to be one of the century’s most important technological innovations.

Mexico’s law is, of course, not the only law in the region to feature novel elements. From Nicaragua’s ‘right to digital oblivion’ to Costa Rica’s ten-year limitation on the retention of personal data, legislators and regulators throughout Latin America have sought new ways to protect privacy in the digital age. The laws in existence will continue to evolve as new priorities emerge, and the remaining countries in the region that have not adopted comprehensive data protection legislation, such as Brazil, may soon join the majority that have. We therefore can expect even more novel solutions to the data protection challenges of the 21st century.

Brazil
Opice Blum, Bruno, Abrusio and Vainzof Attorneys at Law
Renato Opice Blum, Juliana Abrusio & Rita P. Ferreira Blum

1. LEGISLATION

1.1 Name/title of the law

In Brazil, there is no general data protection legislation. Brazil is in the process of improving its rules in this area of law and several bills of law concerning privacy are currently pending (see section 1.2 below). However, the Brazilian Federal Constitution (‘Federal Constitution’) 1988 provides relevant rules on the fundamental right of privacy. In particular, Article 5, item X establishes that Brazilians and foreign nationals residing in the country have a fundamental right related to the protection of their privacy, private life (ie intimacy), honour and image. Since this is an open clause, it leaves space for broad interpretation by the courts.
Besides, Brazil also has a set of rules concerning privacy, including but not limited to the ones listed below:

• Articles of Federal Law No. 10,406 dated as of 10 January 2002 – Brazilian Civil Code, which enhances the right to intimacy and privacy of life, and guarantees damages in case there is a violation. As per said Code, intimacy and privacy of individuals are considered ‘undisposable’ or ‘inalienable’ rights, except in a few cases.
• An Article of Federal Law No. 8,078 of 11 September 1990 – Consumer Defense Code (‘Consumer Law’), that regulates consumer data databases, particularly but not limited to negative data on consumer credits.
• Federal Law No. 12,414 of 9 June 2011, the so-called Law of Positive Registrations (Lei do Cadastro Positivo), which regulates the collection of data to form databases with positive data of individuals or legal entities. The data storage basically relates to payments that the individual or legal entity has made on the due date. Its objective is to register positive credit history in databases.
• Ministry of Justice’s Ordinance No. 5, dated as of 27 August 2002 (‘Ordinance No. 5/2002’), which regulates abusive practices regarding transfer of consumer data and creation of consumer databases without prior notice.
• Federal Law No. 12,527, dated as of 18 November 2011, the so-called Brazilian Access to Public Information Law, which regulates access to data stored in databases of public organisations.
• Federal Law No. 12,965, which is known as the Internet Legal Framework (Lei do Marco Civil da Internet), dated as of 23 April 2014, which concerns the regulation of Brazilian cyberspace and also contains provisions on web users’ privacy. Said Law was published in the Brazilian Official Gazette on 24 April 2014 and entered into force on 23 June 2014.
1.2 Pending legislation

There are several pieces of legislation under discussion, which all intend to increase the level of data protection in Brazil. The most relevant in terms of content and their possibility of enactment are:

• Bill of the Senate No. 281 of 2012, which intends to modify the Consumer Law, adding to this Law: a principle related to consumer privacy; a rule related to breach of data security that will be stricter than current legislation; and a newly defined crime that will apply in case of violation of a certain consumer right to privacy.
• Draft Bill on the Protection of Personal Data, being drafted by the Ministry of Justice, which aims to regulate the protection of personal data in Brazil, for both private and public organisations. This draft Bill is clearly influenced by the EU Data Protection Directive 95/46/EC.

1.3 Scope of the law

1.3.1 The main players

As explained in section 1.1 above, Brazil has a raft of specific data protection rules. Thus, the main players will vary slightly according to the specific area of law under analysis. Among the relevant legislation, the Consumer Law, the Law of Positive Registrations and the Brazilian Access to Public Information Law are the ones that specifically mention ‘databases’. In the case of said laws, it is possible to identify the following three main players: (i) the ‘manager of a database’ or ‘data supplier’ is the legal entity responsible for the administration of personal data, storage, analysis and which manages the access of third parties to the data stored. That organisation could be either public or private, and could coincide or not with the one that collects the data; (ii) the ‘registered person’ is the individual whose data is stored in the database.
Note that in both the Consumer Law and the Law of Positive Registrations both natural persons (ie individuals) and legal entities fit under the concept of ‘registered person’ or ‘data consumer’; and (iii) the ‘consultant to a database’ is an individual or legal entity that has access to the database’s stored data and has the right to consult the database. This person could be the registered person or a third party who seeks data stored in the database.

The Law of Positive Registrations, concerning personal credit history, also encompasses the following two players that apply to the area of law regulated by said rule: (i) ‘source’ is a natural person or legal entity that grants credit or performs sale transactions or other commercial and business transactions that involve financial risk; and (ii) ‘consultant’ is a natural person or legal entity that accesses data stored in the database for any reason allowed by the Law of Positive Registrations.

The Internet Legal Framework does not specifically mention the term ‘databases’; however, it regulates the activity of entities who manage the storage and disclosure of data collected via the Internet. This data could be in the form of either: ‘connection logs’; ‘access to Internet applications logs’, which are terms defined by this Law; and/or the personal data of Internet users.

1.3.2 Types of data

The Brazilian Federal Constitution, the Brazilian Civil Code, the Consumer Law and the Internet Legal Framework mentioned in section 1.1 above do not define personal data. The Consumer Law, however, defines quality of data, as explained in section 5 below. However, the following ‘types of data’ can be distinguished based on specific data protection rules that regulate certain areas of law as well as on concepts extracted from either case law or legal scholars.
Specific data protection rules:

• Article 4 of the Brazilian Access to Public Information Law defines ‘personal information’ for matters related to public databases owned by public authorities or by private organisations that provide services to the government as ‘that related to an identified or identifiable natural person’.
• The Internet Legal Framework establishes a connection between personal data and the fact that said data might permit the identification of a particular web user.
• In addition, Article 4 of the Brazilian Access to Public Information Law defines ‘secret information’ as ‘the one submitted temporarily to the restriction of public access, considering it is indispensable for the safety of society and state’.
• The Law of Positive Registrations foresees that the database might contain data about consumer compliance with its debt liabilities for the purpose of describing its history of credit, following the rule of this law, and prohibits the storage of sensitive data related to consumers, namely data ‘that refers to race or ethnic, health, genetic information, sexual orientation, as well as to political, philosophical or religious conviction’.
• Finally, based on the Brazilian General Telecommunications Law (the ‘LGT’), Federal Law No. 9,472 of 16 July 1997, there is also another type of data, called ‘aggregated data’. This type of data can be disclosed by the telecom carrier that holds it, provided that said action will not cause the identification – direct or indirect – of the telecom user who owns the data. For further details regarding this matter, see section 4.4 below.

Concepts extracted from case law and legal scholars:

• As per case law and legal scholars, data can be categorised as either ‘personal data’ or ‘sensitive data’.
‘Personal data’ usually involves data that could identify a person directly or indirectly and could comprise the name, date of birth, address, profession, age, marital status and identification number under the Civil Registry of Natural People. ‘Sensitive data’ is roughly that which, once disclosed, could cause the discrimination of the owner (see also the concept of ‘sensitive data’ in the Law of Positive Registrations). The two types of data differ in terms of the level of confidentiality. In certain circumstances, personal data is not deemed confidential, whereas sensitive data, in most situations, is.

1.3.3 Types of acts/operations

Not applicable.

1.3.4 Exceptions

Not applicable.

1.3.5 Geographical scope of application

Since the norms listed in section 1.1 above were issued at the federal level, they apply all over the Brazilian territory.

1.3.6 Particularities

Brazil has no general data protection legislation, but recognises certain data protection rights in the Constitution, in other laws and in case law.

2. DATA PROTECTION AUTHORITY

Although there is currently no one authority solely responsible for the monitoring of the existing data protection rules similar to the data protection authorities in the EU, a consumer authority or agency at the federal, state or municipal level in Brazil has the competence to act in case of non-compliance with the existing consumer database rules in the Consumer Law. It should be noted that the above-mentioned authorities will restrict their focus of activity to relations established by and between a data consumer and a data supplier.

2.1 Role and tasks

As per Federal Decree No.
2,181/1997 that regulates the Consumer Law, a consumer authority or agency at the federal, state or municipal level in Brazil has the competence to act in case of non-compliance with the consumer database rules or disrespect of data consumers’ basic right of security, regarding inappropriate access to consumer data once stored in a database managed by a supplier. Furthermore, the consumer authority at the federal level has the power to establish policies for the protection of personal consumer data, to be observed by both federal and local (ie state and municipal) consumer protection agencies.

2.2 Powers

The main activities involving data protection that, in general, are the responsibility of the consumer protection agency, are:

• to receive and check complaints made by data consumers against data suppliers regarding non-compliance with the Consumer Law’s Article relating to databases;
• to receive and check complaints made by a data consumer against a data supplier regarding a breach of security that results in the data consumer’s data being leaked to the public;
• to provide data and agency policy to data consumers relating to data consumers’ data protection rights; and
• to conduct regulatory activities and enforce administrative sanctions against data suppliers that disrespect data consumer rights.

2.3 Priorities

Consumer protection agencies in Brazil prefer to focus on the expansion of their activities as a whole, rather than the implementation of a single plan regarding a particular matter, eg data privacy. The specific action of an agency will mostly be in response to a particular claim made by a data consumer relating to data privacy. However, in 2013-14, the federal government has shown an increasing level of concern with regard to data privacy. For example, Federal Decree No.
7,963/2013, dated 15 March 2013, which establishes the National Plan for Consumer and Citizen Matters, states as a guideline the data consumer rights of ‘self-determination, privacy, confidentiality and security’ in relation to personal data either provided by data consumers to data suppliers or collected by data suppliers.

3. LEGAL BASIS FOR DATA PROCESSING
As explained above, there is no general data protection legislation in Brazil. Among the existing sector-specific data protection rules, the Consumer Law, the Law of Positive Registrations and the Internet Legal Framework are the pieces of legislation that expressly regulate the processing of personal data within their respective areas of law.

3.1 Consent
As regards the Consumer Law, Ordinance No. 05/2002, among other things, requires the express consent of the consumer to any contractual provision authorising the transfer of the consumer’s data to a third party. If Bill of the Senate No. 281/2012, which aims to update the Consumer Law with e-commerce rules, becomes law, it will amend the existing Consumer Law; the Bill defines a new crime consisting of the transfer of consumer data without the prior written authorisation of the data consumer.

The Law of Positive Registrations requires the supplier of products, services or credit to obtain the prior authorisation of the data consumer before opening a register with positive credit data on that data consumer. The authorisation also covers amendments to the register.

The Internet Legal Framework establishes the data consumer’s right to non-disclosure of his/her personal data to third parties, including connection logs and access logs for web applications, except with freely given and informed consent in writing or in cases provided for by law.

3.1.1 Definition
There is no general definition of consent. However, according to Ordinance No. 05/2002, general terms and conditions of data suppliers which presume data consumers’ consent, thereby requiring data consumers to object to the disclosure of their personal data, are considered unfair.

3.1.2 Form
Any pre-formulated clause in a consumer contract requiring the data consumer to oppose the disclosure of his/her personal data to third parties is deemed unfair. As a result, data consumers must be given the option to ‘opt in’ (eg by actively ticking a box) to the disclosure of their personal data to a third party.

The Law of Positive Registrations requires prior authorisation by the registered person for the opening of a register, which must be obtained through informed consent given by signature in a specific legal instrument or in a separate clause. Such authorisation can be revoked by the data consumer at any time.

The Internet Legal Framework provides that the Internet user’s consent to the collection, use, storage and processing of personal data must be highlighted or set apart from the other contractual clauses.

3.2 Other legal grounds for data processing
Not applicable.

3.3 Codes of conduct
There are no sector-specific codes of conduct related to data protection. Law No. 12,846, dated 1 August 2013 (known as the Clean Company Act), recommends that organisations adopt ethics codes and codes of conduct in general, but it does not explicitly recommend the adoption of codes of conduct regarding data privacy.

4. SPECIAL RULES
4.1 Employment
Not applicable (but see section 4.8 below).

4.2 Health
Pursuant to the Medical Ethical Code, as a fundamental principle doctors must respect patient confidentiality with regard to any data that they hold as a result of their duties, except in the cases mentioned in the legislation. In addition, Resolution No.
44/2009 of the National Agency of Sanitary Surveillance (‘ANVISA’), which deals with the sanitary disposal of drugs, medicines, pharmaceutical raw materials and related products, as well as with the dispensing of medicines, drugs and related products, requires any pharmaceutical company that operates an electronic website for a pharmacy or drugstore dispensing drugs to ensure the confidentiality of the data and the privacy of the web user (ie data consumer), guaranteeing that undue or unauthorised access to the consumer’s data will not occur and that the secrecy of the consumer’s data is assured.

4.3 Finance
Banking secrecy is protected by the Federal Constitution and is defined by legal scholars as the duty imposed on banks and similar financial organisations not to disclose to third parties the data arising from the relationship stipulated in the banking or finance contract. In Brazil, there are federal rules regulating the local financial sector. Among them, Supplementary Law (Lei Complementar) No. 105, dated 10 January 2001, stipulates a duty of confidentiality in the active and passive operations and services provided by banks and similar organisations. The Law specifies exceptional cases in which a breach of banking secrecy is authorised, for example criminal investigations into illicit financial operations. Any breach of secrecy that does not fall within the authorised exceptions is a crime, and offenders are subject to imprisonment of one to four years and a monetary fine, without prejudice to other sanctions established in the legislation.

4.4 Telecommunications
Relevant legal protection in Brazil’s telecom sector is provided for in the Federal Constitution. The fundamental right to life, liberty, equality, safety and property encompasses the inviolability of the secrecy of correspondence, telegraph communications, data and telephone communications. An exception applies to telephone communications by virtue of a court order, which can be granted, on the conditions and in the form that the law establishes, for the purposes of criminal investigation or criminal proceedings (Federal Law No. 9,296, dated 24 July 1996).

The Brazilian General Telecommunications Law regulates the processing of data of users of telecommunications services. In particular, a telecom carrier may use an individual’s data relating to the user’s utilisation of the telecommunications service only in the execution of its own activity, and may disclose a user’s individual data to third parties only with the express and specific authorisation of the user, except where the data concerning the use of its services has been aggregated, provided that the aggregated data does not allow identification of the user.

4.5 Historical, statistical and scientific research purposes
Not applicable, although certain laws exist in the public sector. For instance, the Brazilian Access to Public Information Law regulates access to data stored in public databases, including the archives of historical or memorial governmental bodies. Federal Law No. 5,534, dated 14 November 1968 (supplemented by Decree-Law No. 161, dated 13 February 1967), lays down the duty of every individual or legal entity under Brazilian jurisdiction to provide data requested by the Brazilian Institute of Geography and Statistics (‘IBGE’) in relation to the demographic census conducted in Brazil every 10 years with the objective of counting the population, identifying its characteristics and revealing how people live, all of which form the detailed set of census questions.
The Law also provides that the data supplied will be treated as confidential and used for statistical purposes only.

There is no specific legislation in Brazil on scientific research (as regards the specific rules on confidentiality and secrecy see section 4.2 above). However, we have made an informal enquiry, by telephone, with professionals who conduct scientific research at Brazilian universities. As a result, we have concluded that there are well-known recommendations for scientific researchers, as follows:
• disclose to third parties only aggregated data concerning research on individuals which does not allow the identification, direct or indirect, of the individual who owns the data; this recommendation ensures that the researcher does not violate the individual’s privacy or confidentiality; and
• re-identify personal data only where prior written consent has been obtained from the individual authorising the disclosure of his/her data in that particular technical work and for scientific purposes only.

It should be noted that these recommendations are good practices adopted by researchers, and not provisions of a specific law; they are therefore not legally binding. Despite this, it is our understanding that the two good practices listed above comply with the rules on the fundamental right of privacy stated in the Federal Constitution and, as such, must be observed by researchers in order to minimise the risk of breaching the right of privacy of individuals who have participated in scientific research.

4.6 Children
In Brazil, there is no specific legislation regulating the data protection of children. However, Article 3 of the Brazilian Child and Teenager Statute (‘ECA’), Law No. 8,069, dated 13 July 1990, establishes that children have the same fundamental rights as adults. Since privacy is a fundamental right, children consequently also enjoy it. Moreover, the Brazilian Code of Civil Procedure, Law No. 5,869, dated 11 January 1973, mandates judicial secrecy in lawsuits relating to one or more of the following matters: marriage, filiation, separation, conversion of separation into divorce, child maintenance and custody of children.

4.7 Whistleblowing
Not applicable.

4.8 Email, Internet and video monitoring
The Federal Constitution provides for a fundamental right to life, liberty, equality, safety and property that encompasses the inviolability of the confidentiality of correspondence, telegraph communications, data and telephone communications. Therefore, it is prohibited to monitor telephone conversations and other communications except with prior consent or in cases provided for by law.

Until the publication of the Internet Legal Framework in the Official Gazette (for the date of publication and date of entry into force of said Law, see section 1.1 above), there was no specific legislation on the monitoring of emails. However, the case law of the Superior Labour Court distinguishes between personal email and corporate email. Several court decisions hold that corporate email can be monitored, since its purpose is the performance of the work itself. A further reason allowing (some legal scholars even suggest requiring) the monitoring of corporate email is the risk to the employer’s reputation from incorrect or improper use of corporate email and the responsibility of companies for the actions of their employees. However, bearing in mind the constitutional fundamental right to privacy enjoyed by all individuals, including employees, the organisation shall adopt a policy that enables it to prove that employees have been informed in advance that they will be monitored in the execution of their functions.
With regard to email monitoring, Article 7, subsection III of the Internet Legal Framework establishes the right to inviolability and confidentiality of Internet users’ stored private communications, except under court order. In addition, Article 8 of the same Law states that contractual terms that violate the privacy rights of Internet users are null and void, including, but not limited to, terms by which any entity breaches the inviolability and confidentiality of private communications on the Internet.

With regard to Internet monitoring, other subsections of Article 7 of the Internet Legal Framework establish several privacy-related rights for Internet users. The most relevant are highlighted below; to avoid duplication, Internet-user rights listed in other, more specific sections of this chapter are not repeated here:
• (subsection I) inviolability of privacy and of private life, guaranteed by the user’s right to protection against, and compensation for, property or moral damages resulting from its violation;
• (subsection II) inviolability and confidentiality of the flow of the user’s communications over the Internet, except under court order as provided by law;
• (subsection VI) clear and complete information in the service agreement, with details of the regime of protection of connection logs and of access logs of Internet applications; and
• (subsection X) permanent deletion of the personal data provided to a given Internet application, at the user’s request, at the end of the relationship between the parties, except in cases of mandatory recordkeeping under the Law.

With regard to video monitoring, some cities have municipal rules on video surveillance. That is the case for the City of São Paulo and the City of Porto Alegre. São Paulo Law No. 13,541, dated 24 March 2003, allows video monitoring provided that a sign informing people that images of the internal or external environment are being recorded by surveillance cameras is placed in the monitored environment. São Paulo City Hall Decree No. 43,236, dated 22 May 2003, requires that the following sentence be displayed at the entry and exit points of the monitored environment: ‘THE ENVIRONMENT IS BEING RECORDED. THE IMAGES ARE CONFIDENTIAL AND PROTECTED IN THE TERMS OF THE LAW.’ Law No. 8,115, dated 5 January 1998, of the City of Porto Alegre regulates video monitoring in bank branches for security purposes.

4.9 Direct marketing and cookies
Brazilian legislation does not currently provide any specific data protection rules on electronic marketing messages sent to email accounts. However, Bill of the Senate No. 281/2012 aims to update the e-commerce section of the Consumer Law. If made law, this Bill will forbid the supplier of a product or service from sending unsolicited electronic marketing messages to a recipient if: (i) the supplier has no prior consumer relationship with the recipient of the message; and (ii) the consumer has not given prior and express consent to receive electronic marketing messages.

At both state and municipal level, there are several laws that allow the data consumer to block telemarketing calls to his/her mobile phone or landline. To activate such call barring, the data consumer must request the inclusion of his/her telephone number in a data consumer ‘do not disturb’ database, usually managed by a local data consumer protection agency. These laws have been dubbed ‘non-disturb laws’. In most cases, failure by telemarketing companies to honour an individual’s request not to receive marketing calls results in a fine.
Prior to the Internet Legal Framework, there were no statutory rules on cookies and similar technologies that collect data about an individual’s surfing activities. However, Article 7, subsection VIII of the Internet Legal Framework establishes that an Internet user has the right to receive ‘clear and complete information on the collection, use, storage, treatment and protection of the user’s personal data, which can only be used for purposes which: a) justify their collection; b) are not prohibited by legislation; and c) are specified in service agreements or in the terms of use of Internet applications’. It is our understanding that the practice of collecting data about an individual’s surfing activities via cookies might fall within the scope of the part of Article 7 that regulates the collection of a user’s personal data. Thus, we recommend that said practice be made transparent to the data consumer in the service agreements or in the terms of use of Internet applications.

Prior to the Internet Legal Framework, the Consumer Law could, however, already be interpreted as requiring prior notice to be given to the data consumer where cookies and similar technologies store consumer data, as the stored data may arguably qualify as a consumer database. The general opinion among legal scholars is that, for the data supplier’s use of third-party cookies to be considered valid, the third party would need to obtain the prior consent of the Internet user for the use of cookie data.

4.10 Big data
Not applicable.

4.11 Mobile apps
Not applicable.

5. DATA QUALITY REQUIREMENTS
Among the laws mentioned in section 1.1, the Consumer Law and the Law of Positive Registrations set out data quality requirements. According to the Consumer Law, the data registered in a database must be objective, clear, true and written in easily understandable language, and must not contain any negative data concerning a period of more than five years in the past. The Law of Positive Registrations establishes that credit-protection database data must be objective, clear, true and easy to understand. Moreover, the data must be connected with the purpose of evaluating the financial status of the consumer: there must be compatibility between the intended purpose of registering the data and its storage and disclosure in the database.

6. OUTSOURCING AND DUE DILIGENCE
6.1 Outsourcing
In Brazil, there is no specific legislation regulating data protection in the context of outsourcing. However, the general Civil Code and Consumer Law articles on liability apply in case of damages. Moreover, as regards cloud computing, Bill No. 5,344 of 2013 has been presented to Brazil’s House of Representatives, aiming to establish the directives and regulations for the promotion, development and exploitation of cloud computing activities in Brazil. If made law, this new rule will also regulate data protection under the responsibility of the depositary (ie the supplier of the cloud computing service).

6.2 Due diligence
Not applicable. However, any disclosure of data is usually preceded by a one-way non-disclosure agreement (‘one-way NDA’), whereby the auditors assume a duty not to disclose the audited data to third parties other than the company that has engaged them to perform the due diligence.

7. INTERNATIONAL DATA TRANSFERS
7.1 Applicable rules
There are no statutory rules on the transborder transfer of consumer or other personal data in Brazil. Nonetheless, as explained above, pursuant to Ordinance No. 05/2002 it is not good practice to transfer consumer data without obtaining prior consent.

7.2 Legal basis for international data transfers
Not applicable.
7.2.1 Data transfer agreements
Not applicable.

7.2.2 Binding corporate rules
Not applicable.

7.2.3 Safe Harbour
Not applicable.

7.2.4 Other legal bases
Not applicable.

7.3 E-discovery and law enforcement requests
Not applicable.

7.4 Representative
Not applicable.

8. INFORMATION OBLIGATIONS
Under the Consumer Law, data suppliers acting as data managers have a duty to inform data consumers in writing before opening a register with negative credit data about them. The Law of Positive Registrations establishes that the data consumer has the right to be informed in advance of the identity of the data manager who will store his/her positive credit data, as well as of any transfer of the data to other data managers and the reasons for the transfer. As mentioned in section 4.9 above, the Internet Legal Framework establishes that the data consumer has the right to receive clear and complete information about the collection, use, storage, treatment and protection of his/her personal data, which can only be used for the purposes mentioned in that section.

8.1 Who
Not applicable.
8.2 What
Not applicable.
8.3 Exceptions
Not applicable.
8.4 When
Not applicable.
8.5 How
Not applicable.

9. RIGHTS OF INDIVIDUALS
According to the Consumer Law, the data consumer shall have free access to any of his/her data held in reference files, index cards, records and personal and consumer databases, as well as to their respective sources. Paragraphs 2–4 of Article 43 state the following:
• (2) ‘If not requested, the data consumer shall be informed in writing about the inclusion of his/her name in any reference file, index card, register, personal and consumer data’;
• (3) ‘Whenever finding any inaccuracy in his/her data and records, the data consumer shall be entitled to require the prompt correction, and the person in charge of such records shall communicate the alteration, within five weekdays, to any possible addressee of the incorrect information’; and
• (4) ‘When the deadline for collecting data consumers’ debts has passed, the respective Credit Protection Services shall no longer provide any information that might prevent or make it difficult for data consumers to gain new access to credit operations from suppliers’.

As explained in section 4.9 above, the so-called ‘non-disturb laws’ give the data consumer the right to register his/her telephone number in a non-disturb database so as to stop telemarketing companies contacting him/her by telephone for the sole purpose of advertising campaigns or selling products or services.

Article 7, subsection X of the Internet Legal Framework provides that the data consumer has the right to the permanent deletion of the personal data he/she has provided to a given Internet application, at the data consumer’s request, at the end of the relationship between the parties, except in cases of mandatory recordkeeping stipulated under said Law.

9.1 Who
Not applicable.
9.2 What
Not applicable.
9.3 Exceptions
Not applicable.
9.4 When
Not applicable.
9.5 How
Not applicable.
9.6 Charges
Not applicable.

10. SECURITY OF DATA PROCESSING
10.1 Confidentiality
Regarding the confidentiality of data consumers’ personal data, Federal Decree No.
7,963, dated 15 March 2013, supplements the Consumer Law and was issued with, among others, the intention of safeguarding data consumers’ personal data at the national level in matters of consumption and citizenship, aiming to ensure data consumers’ rights across the whole Brazilian territory through policy, programmes and directives. Said Decree imposes a duty of confidentiality on data suppliers with regard to the storage of data consumers’ personal data. For the definition of ‘data supplier’ under the Consumer Law, see section 1.3.1 above.

10.2 Security requirements
The Consumer Law aims to protect data consumers’ health and safety. It states: ‘Products and services offered in the market shall not bring risks to the consumers’ health or safety, except those risks which can be understood as normal or foreseen in view of their nature and possession, suppliers being obliged in any event to provide the necessary and appropriate information about them.’ Arguably, this right can be interpreted as creating a legitimate expectation on the part of the data consumer that his/her data, once entrusted to the supplier, will be stored subject to the adequate data security mechanisms available in the market at the time of disclosure. Moreover, Federal Decree No. 7,829, dated 17 October 2012, which regulates the Law of Positive Registrations, establishes inter alia an obligation for companies operating databases of this type of data to obtain certificates attesting the quality of the technical aspects of their activities, including the following measures:
(i) using an IT platform able to preserve the integrity and secrecy of the stored personal data, observing good data security practices, with a data-recovery programme that includes an infrastructure for the secure backup of stored personal data;
(ii) having a robust data security plan in place for the creation, protection and disposal of personal data (including rules on the transfer or use of stored personal data by the company’s subcontractors); and
(iii) having a company policy in place covering the company’s liabilities and requirements regarding the protection and confidentiality of personal data, as well as the prevention of fraud.
Evidence of adherence to these certification requirements (items (i)–(iii) above) must be renewed periodically.

10.3 Data security breach notification obligation
The above-mentioned draft Bill of the Senate No. 281/2012 would require data suppliers that use electronic or similar means to have adequate and efficient security measures in place to safeguard consumers’ personal data. Furthermore, the draft Bill provides for a data security breach notification obligation requiring data suppliers to inform consumers immediately of any data security breach.

10.3.1 Who
Not applicable.
10.3.2 What
Not applicable.
10.3.3 Exceptions
Not applicable.
10.3.4 When
Not applicable.
10.3.5 How
Not applicable.

10.4 Cybersecurity
Law No. 12,737, dated 30 November 2012, regulates crimes related to unauthorised computer access.
Under said Law, it is a criminal offence, punishable by imprisonment and a monetary fine, to ‘invade the electronic device of a third party, connected or not to a computer network, through the violation of a security mechanism and with the intention to obtain, forge, manipulate or destroy data without the express consent of the holder of the device or with the intent to install vulnerabilities to gain illicit advantage’.

11. DATA PROTECTION IMPACT ASSESSMENTS, AUDITS AND SEALS
See section 6.1 above.

12. REGISTRATION OBLIGATIONS
Not applicable.

12.1 Notification requirements
12.1.1 Who
Not applicable.
12.1.2 What
Not applicable.
12.1.3 Exceptions
Not applicable.
12.1.4 When
Not applicable.
12.1.5 How
Not applicable.
12.1.6 Charges
Not applicable.

12.2 Authorisation requirements
Not applicable.
12.2.1 Who
Not applicable.
12.2.2 What
Not applicable.
12.2.3 Exceptions
Not applicable.
12.2.4 When
Not applicable.
12.2.5 How
Not applicable.
12.2.6 Charges
Not applicable.

12.3 Other registration requirements
Not applicable.

12.4 Register
Not applicable.

13. DATA PROTECTION OFFICER
13.1 Function recognised by law
Not applicable.
13.2 Tasks and powers
Not applicable.

14. ENFORCEMENT AND SANCTIONS
14.1 Enforcement action
Not applicable.

14.2 Sanctions
In case of non-compliance with the existing consumer database rules, the federal consumer authority or the local consumer authority or agency of each state or city of Brazil, where one exists, has authority to impose administrative sanctions. Article 56 of the Consumer Law provides that infringements of consumer regulations, including those concerning databases, entail the application of administrative sanctions, including a monetary fine. These sanctions also apply in case of breach of the provisions of the Law of Positive Registrations.

14.3 Examples of recent enforcement of data protection rules
Not applicable.

15. REMEDIES AND LIABILITY
15.1 Judicial remedies
In Brazil, an individual or legal entity who considers that his/her privacy has been violated may file a lawsuit for compensation before the Brazilian courts. The legal action may rely on one or more of the rules mentioned in section 1.1 above. Also, a data consumer who wants to gain access to his/her data can either take a non-litigation route, based on paragraph 3 of Article 43 of the Consumer Law (for example, filing a complaint with the consumer authority or agency against the particular data supplier that stores his/her personal data), or initiate a lawsuit before a Brazilian court. The specific judicial remedy in this case is called habeas data, which is regulated by a specific law. The purpose of habeas data is the removal or correction of erroneous data stored in the databases of public entities. On one scholarly interpretation of the Consumer Law, if consumer databases, reference files, credit protection services and similar services are also considered databases of public entities, consumer data can likewise ground a habeas data claim.

15.2 Class actions
Pursuant to the Consumer Law, claimants asserting data consumer rights may file lawsuits either individually or collectively. The Consumer Law can be interpreted to mean that non-compliance with consumer database rules (for instance, a data security breach that causes the loss of multiple consumers’ data) may give rise to a collective lawsuit.

15.3 Liability
Most cases concern claims for indemnification or compensation brought by data consumers before the courts against a data supplier for its non-compliance with the credit information database rules that protect the data consumer.
The following two court cases concern the protection of personal data not related to consumer credit data:
• STJ, Reporting Judge: Minister Felix Fischer, EDcl No. 25375/PA in MS 2007/0241057-9. Decision date: 18 November 2008. Appeal presented by the Federal Public Prosecutor’s Office (‘MINISTÉRIO PÚBLICO FEDERAL’) v the Federal Government (‘UNIÃO’). This case concerns which type of personal data is to be considered protected by banking and tax secrecy law.
• Federal Regional Court (3rd Region), AMS 28312 SP 2002.61.00.028312-3, Reporting Judge: Court of Appeal Judge Consuelo Yoshida. Decision date: 2 December 2010, Sixth Chamber. Parties: BANCO SAFRA S/A v União Federal (FAZENDA NACIONAL). This case likewise concerns which type of consumer data, disclosed to the bank as a consequence of a banking relationship, is protected by banking secrecy law.

Contact details

GENERAL EDITOR
Monika Kuschewsky, Covington & Burling LLP, Kunstlaan 44/Avenue des Arts 44, 1040 Brussels, Belgium. T: +32 2 549 52 49 F: +32 2 549 10 49 E: [email protected] W: www.cov.com

BELGIUM
Monika Kuschewsky & Kristof Van Quathem, Covington & Burling LLP, Kunstlaan 44/Avenue des Arts 44, 1040 Brussels, Belgium. T: +32 2 549 52 49 F: +32 2 549 10 49 E: [email protected] E: [email protected] W: www.cov.com

ARGENTINA
Mariano Peruzzotti, Marval, O’Farrell & Mairal, Leandro N.
Alem 928, 7th Floor, C1001AAR Buenos Aires, Argentina. T: +54 11 4310 0100 F: +54 11 4310 0200 E: [email protected] W: www.marval.com

AUSTRALIA
Peter Leonard, Michael Burnett & Ewan Scobie, Gilbert + Tobin, Level 37, 2 Park Street, Sydney NSW 2000, Australia. T: +61 2 9263 4003 F: +61 2 9263 4111 E: [email protected] W: www.gtlaw.com.au

AUSTRIA
Dr Rainer Knyrim, Preslmayr Rechtsanwälte OG, Universitätsring 12, 1010 Vienna, Austria. T: +43 1 5331695 F: +43 1 5355686 E: [email protected] W: www.preslmayr.at

BRAZIL
Renato Opice Blum, Juliana Abrusio & Rita P. Ferreira Blum, Opice Blum, Bruno, Abrusio E Vainzof Advogados Associados, Alameda Joaquim Eugênio de Lima No. 680, 1st Floor, City of São Paulo 01403-000, State of São Paulo, Brazil. T: +55 11 2189-0061 F: +55 11 2189-0062 E: [email protected] [email protected] [email protected] W: www.opiceblum.com.br

CHILE
Pablo Palma Calderón, Palma & Palma Abogados, Cochrane 667 of. 603, Valparaíso, V Región, Chile. T: +56 9 7623 7648 E: [email protected] W: www.palma-palma.cl

COLOMBIA
Daniel Peña & Diego Arévalo, Peña Mancero Abogados, Calle 94 A No. 11 A 66 Oficina 301, Bogotá DC, Colombia. T: +57 1 3000 222 E: [email protected] W: www.pmabogados.co

EU INSTITUTIONS & BODIES
Philippe Renaudière, European Commission, Rue de la Loi 200, 1040 Brussels, Belgium. T: +32 22 968 750 E: [email protected] W: www.ec.europa.eu/dataprotectionofficer/index_en.htm

CZECH REPUBLIC
Richard Otevřel, Havel, Holásek & Partners, Na Florenci 2116/15, 110 00 Prague 1 Nové Město, Czech Republic. T: +420 255 000 943 F: +420 255 000 110 E: [email protected] W: www.havelholasek.cz

DENMARK
Johnny Petersen, Delacour, Langebrogade 4, DK-1411 Copenhagen, Denmark. T: +45 7011 1122 F: +45 7011 1133 E: [email protected] W: www.delacour.dk/

ESTONIA
Pirkko-Liis Harkmaa & Martin-Kaspar Sild, LAWIN Attorneys At Law, Niguliste 4, 10130 Tallinn, Estonia. T: +37 2630 6460 F: +37 2630 6463 E: [email protected] W: www.lawin.com

EUROPEAN UNION
Monika Kuschewsky, Covington & Burling LLP, Kunstlaan 44/Avenue des Arts 44, 1040 Brussels, Belgium. T: +32 2 549 52 49 F: +32 2 549 10 49 E: [email protected] W: www.cov.com

FRANCE
Raphaël Dana, Sarrut Avocats, 47 avenue Hoche, 75008 Paris, France. T: +33 1 47 63 45 63 F: +33 1 43 80 31 59 E: [email protected] W: www.sarrut-avocats.com

GERMANY
Monika Kuschewsky, Covington & Burling LLP, Kunstlaan 44/Avenue des Arts 44, 1040 Brussels, Belgium. T: +32 2 549 52 49 F: +32 2 549 10 49 E: [email protected] W: www.cov.com

INDIA
Vijay Pal Dalmia, Vaish Associates Advocates, 1st Floor, Mohan Dev Building, 13 Tolstoy Marg, New Delhi-110001, India. T: +91 11 4249 2532 E: [email protected] W: www.vaishlaw.com

JAPAN
Chie Kasahara, Atsumi & Sakai, Fukoku Seimei Building, 2-2-2 Uchisaiwaicho, Chiyoda-ku, Tokyo, Japan. T: +81 5501 2111 F: +81 5501 2211 E: [email protected] W: www.aplaw.jp/en

REPUBLIC OF IRELAND
Jeanne Kelly & Aoife Young, Mason Hayes & Curran, South Bank House, Barrow Street, Dublin 4, Ireland. T: +353 1 614 5000 F: +353 1 614 5001 E: [email protected] [email protected] W: www.mhc.ie

LITHUANIA
Dr Jaunius Gumbis & Julius Zaleskis, LAWIN Lideika, Petrauskas, Valiūnas ir partneriai, Jogailos 9, LT-01116 Vilnius, Lithuania. T: +370 5268 1888 F: +370 5212 5591 E: [email protected] W: www.lawin.lt

MALAYSIA
Deepak Pillai, Haryati Deepak, Advocates & Solicitors, Unit L-5-3A, Solaris Mont’ Kiara, No. 2 Jalan Solaris, 50480 Kuala Lumpur, Malaysia. T: +603 6203 0760 F: +603 6203 0761 E: [email protected] W: www.hdlaw.com.my

ISRAEL
Yoheved Novogroder-Shoshan, Yigal Arnon & Co., 22 Joseph Rivlin, Jerusalem 9424018, Israel. T: +972 2 623 9200 F: +972 2 623 9236 E: [email protected] W: www.arnon.co.il

ITALY
Gerolamo Pellicanò & Giovanna Boschetti, CBA Studio Legale e Tributario, Galleria San Carlo, 6, 20122 Milan, Italy. T: +39 02 778 061 F: +39 02 7600 7900 E: [email protected] [email protected] W: www.cbalex.com

MALTA
Michael Zammit Maempel, GVTH Advocates, 192, Old Bakery Street, Valletta VLT 1455, Malta. T: +356 2122 8888 F: +356 2122 8808 E: michael.zammitmaempel@gvthlaw.com W: www.gvthlaw.com

MEXICO
Cédric Laurant & Liliana Collada, Dumont Bergman Bider & Co., S.C., Av. de los Insurgentes Sur 1898, piso 21, Col. Florida, Del. Álvaro Obregón, Mexico City 01030, Mexico. T: +52 55 5322 6230 F: +52 55 5661 3056 E: [email protected] [email protected] W: www.dumont.mx/es/

POLAND
Agata Szeliga, Sołtysiński Kawecki & Szlęzak, ul. Jasna 26, 00-054 Warsaw, Poland. T: +48 2 2608 7006 F: +48 2 2608 7070 E: [email protected] W: www.skslegal.pl

NETHERLANDS
Polo van der Putt, Vondst Advocaten N.V., Jacob Obrechtstraat 56, Amsterdam 1071 KN, Netherlands. T: +31 20 504 2000 F: +31 20 504 2010 E: polo.vanderputt@vondst-law.com W: www.vondst-law.com

PHILIPPINES
Noel A. Laman & Dina D. Lucenario, Castillo Laman Tan Pantaleon & San Jose, 5th Floor, The Valero Tower, 122 Valero Street, Salcedo Village, Makati City 1227, Philippines. T: +632 817 6791 to 95 F: +632 819 2724 to 25, +632 817 5938 E: [email protected] [email protected] W: www.cltpsj.com.ph

PORTUGAL
Mónica Oliveira Costa, Coelho Ribeiro & Associados, Av. Eng.
Duarte Pacheco Empreendimento das Amoreiras Torre II, 13 A 1099-042 Lisbon Portugal T: +351 21 383 90 60 F: +351 21 385 32 02 E:[email protected] W:www.cralaw.com ROMANIA Roxana Ionescu & Ovidiu Balaceanu Nestor Nestor Diculescu Kingston Peterson Bucharest Business Park Entrance A, 4th Floor 1A, Bucuresti-Ploiesti National Road 1st District, 013681 Romania T: +4 021 20 11 200 F: +4 021 20 11 210 E:[email protected] [email protected] W:www.nndkp.ro EUROPEAN LAWYER REFERENCE SERIES Contact details SINGAPORE SWEDEN Lam Chung Nian WongPartnership LLP 12 Marina Boulevard Level 28 Marina Bay Financial Centre Tower 3 018982 Singapore T: +65 6416 8000 F: +65 6532 5711/5722 E:[email protected] W:www.wongpartnership.com Erica Wiking Häger & Anna Nidén Mannheimer Swartling Advokatbyrå Box 1711 SE-111 87 Stockholm Sweden T: +46 8 595 063 30 T: +46 8 595 064 06 F: +46 8 595 060 01 E:[email protected] E:[email protected] W:www.mannheimerswartling.se SLOVAKIA Richard Otevřel, Jaroslav Šuchman & Vladimír Troják Havel, Holásek & Partners Mlynské Nivy 49 821 09 Bratislava Slovakia T: +42 12 2025 6790 F: +42 12 3211 3901 E:[email protected] W:www.havelholasek.sk SLOVENIA David Premelč & Sandra Kajtazović Rojs, Peljhan, Prelesnik & Partners Tivolska cesta 48 1000 Ljubljana Slovenia T: +386 1 2306 750 F: +386 1 4325 123 E:[email protected] [email protected] W:www.rppp.si SPAIN Cecilia Alvarez Rigaudias Uría Menéndez Príncipe de Vergara, 187 Plaza de Rodrigo Uría 28002 Madrid Spain T: +34 915 860 131 F: +34 915 860 403/4 E:[email protected] W:www.uria.com EUROPEAN LAWYER REFERENCE SERIES SWITZERLAND Dr Lukas Morscher & Christian Meisser Lenz & Staehelin Bleicherweg 58 CH-8027 Zürich Switzerland T: +41 58 450 80 00 F: +41 58 450 80 01 E: [email protected] W:www.lenzstaehelin.com TAIWAN Ken-Ying Tseng & Rebecca Hsiao Lee and Li, Attorneys At Law 7, 201 Tun Hua N. 
Road Taipei, 10508 Taiwan (RoC) T: +886 2 2715 3300 F: +886 2 2713 3966 E:[email protected] W:www.leeandli.com TURKEY Gönenç Gürkaynak & İlay Yılmaz ELIG, Attorneys-at-Law Çitlenbik Sokak No. 12 Yıldız Mahallesi Beşiktaş 34349 Istanbul Turkey T: +90 212 327 17 24 F: +90 212 327 17 25 E:[email protected] W:www.elig.com 915 Contact details UNITED KINGDOM Daniel Cooper Covington & Burling LLP 265 Strand London WC2R 1BH UK T: +44 20 7067 2000 F: +44 20 7067 2222 E:[email protected] W:www.cov.com UNITED STATES Kurt Wimmer Covington & Burling LLP 1201 Pennsylvania Avenue, NW Washington, DC 20004-2401 US T: +1 202 662 5278 F: +1 202 778 5278 E:[email protected] W:www.cov.com 916 EUROPEAN LAWYER REFERENCE SERIES