On November 7, we discussed the challenges that Brazil faces regarding the regulation of personal data. The issue depends on how lawmakers will define what “personal data” actually means. Brazil’s existing legal framework and the bills around the use of personal data in the country have created data categories that help clarify what “sensitive personal data” is – and the implications it has for people’s lives.
The normative pyramid of how to classify data is formed in the following way:
At its base, we have a category simply called “information,” as defined in the 2011 Access to Information Act. That refers to data, processed or not, that can be used to produce and disseminate knowledge in any way. In other words, it refers to all data produced either in an automated way or through human action. Examples range from a simple text file to a medical chart.
The next category is “personal data.” This concept is described in a 2016 presidential decree that created the Civil Rights Framework for the Internet. Based on a European directive, the Brazilian concept defines personal data as any data related to identified (or identifiable) persons – including ID numbers or electronic IDs, when they are related to a person. The concept is similar to a definition established in a bill (number 5,276/2016) that is currently being voted on by Congress.
At the top of the pyramid is what we call “sensitive personal data.” This category has no definition in the current legal framework, but it is covered by the bills in Congress.
How do lawmakers want to define sensitive personal data?
Bill number 4,060/2012, presented by Congressman Milton Monti, defines sensitive personal data as “information related to someone’s social origin or ethnic aspects, to his/her genetic information, sexual orientation, political, religious and philosophical views.”
Another bill, number 5,276/2016 – which was proposed by the Executive branch of government but is also in the House – defines sensitive personal data as “information about someone’s ethnicity, race, religion, political views, participation in unions or religious, philosophical or political groups, his/her health, sexual habits and genetic or biometric data.”
Bill number 330/2013, which is being analyzed by the Senate, also brings its own definition: “any data relative to someone’s religious, political or sexual preferences, philosophical convictions, nationality, ethnicity, participation in social or political movements, health, genetic or biometric information.”
How other countries handle the issue
In Europe, the General Data Protection Regulation (GDPR) is very specific when dealing with sensitive personal data:
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
Countries like Canada, Singapore and Japan have opted not to define sensitive personal data in their legal framework – and this has not had any major impacts on their citizens’ right to privacy.
The United States has a wide range of definitions, and they depend on the sector. Usually, all data concerning someone’s finances, health, credit information, and children is considered “sensitive.” The American approach is a more pragmatic one, as it is based on effective risk to one’s privacy.
The U.S. Health Insurance Portability and Accountability Act (HIPAA) describes as “Protected Health Information”:
[any] information that relates to the:
- Past, present, or future physical or mental health or condition of an individual.
- Provision of health care to the individual by a covered entity (for example, hospital or doctor).
- Past, present, or future payment for the provision of health care to the individual.
Why does this matter?
The main goal of defining sensitive personal data is to protect citizens from situations that could lead to discrimination of any kind. This explains why the general rule is to forbid the processing of such data. Sensitive personal data can only be processed in exceptional cases, as long as a series of requirements are met.
To better explain why certain cases are considered “exceptional,” I’ll divide sensitive personal data into the following categories:
- Origin: data pertaining to race or ethnicity;
- Beliefs: religious and political preferences, participation in unions or political, religious or philosophical organizations;
- Physical: health, genetic and biometric data;
- Sexual: sexual orientation and preferences.
We don’t need to explain why the data concerning someone’s origin or beliefs is labeled “sensitive.” It’s meant to protect people from racial profiling, as well as religious and political discrimination.
Physical data, however, presents us with a series of challenges, especially since new health-related technologies use this kind of data to help patients, predict epidemics, and assist doctors with diagnosis and treatment.
Companies like IBM and Microsoft, for example, have spent considerable time and energy developing systems based on Artificial Intelligence and machine learning to treat patients with cancer.
These kinds of systems have sensitive personal data as their main “fuel.” To learn how to treat cancer patients, for example, IBM’s Watson needs to access the medical charts of thousands, even millions, of patients. The more data Watson has access to, the better it can predict cancer and help doctors treat new patients.
Simply labeling certain information as “sensitive personal data,” without a serious discussion on how it might risk people’s rights to privacy, could create unnecessary hurdles for innovation.
Brazil should follow countries like Canada, Singapore, and Japan, which have opted to not strictly and specifically label sensitive personal data. Instead, these countries admit that how this data will be used is indeed more important than trying to overprotect people’s privacy.
Treating data according to the risk posed to people’s rights to privacy would be a more adequate approach. It manages to avoid abuses and, at the same time, doesn’t hamper innovation and technological progress. If lawmakers insist on defining what kinds of data should be classified as sensitive, they risk creating an environment unfriendly to new technologies – and without much gain for the public.