Facebook has found itself at the center of a scandal over revelations that the personal data of 50 million users was accessed and used for electoral purposes in 2016. Over this weekend, The New York Times and the UK’s The Guardian and Observer revealed how the controversial big data firm Cambridge Analytica surreptitiously gathered information on tens of millions of people.
Which begs the question: how does Brazil’s legislation regulate the ways in which companies are allowed to treat and use personal data?
Three things are pivotal to fully understand the socioeconomic repercussions of a future law to protect personal data in Brazil: knowing what is encompassed by the law; the very concept of personal data; and the concept of the treatment of data. Such cases will only fall within the Brazilian justice system’s jurisdiction if a person or company treats personal data in Brazil, or if that data is collected within our borders.
In other articles, I talked about the concepts of personal data and of sensitive personal data. Now, I’ll discuss the treatment of data by looking at how the current legislation approaches the question versus how congressional bills do so.
The current legislation on treatment of personal data
There is a plethora of laws and norms dealing with the treatment of data, like the Consumer Defense Code, the law creating a Good Payers’ Database, the Access to Information Act, the Internet Legal Framework, and a decree regulating it.
The Consumer Defense Code states that citizens may have access to the information gathered about them – ranging from forms, to consumption information, to corporate databases – and their respective sources. In this case, we’re talking about collecting, sorting, using, and processing data.
The laws that created a Good Payers’ Database were passed to facilitate credit in Brazil. The idea underpinning the database is that once banks know exactly who pays their bills on time, general interest rates could fall. This database can only use information that is clear, objective, truthful, easy to understand, and relevant to assess one’s financial health.
The Access to Information Act is more specific, characterizing the treatment of data as a set of actions related to producing, receiving, sorting, using, reproducing, transporting, transmitting, storing, evaluating, and controlling information. While citizens are entitled to data from public offices and officials, individual privacy and rights must be preserved.
Meanwhile, the Internet Legal Framework talks about the treatment of data several times – yet without ever defining its concept. In actuality, the law is more of a guideline on how to use the Internet – but isn’t intended to be a general law on personal data protection.
A 2016 presidential decree regulating the Civil Rights Framework for the Internet, however, establishes personal data as any data related to identified (or identifiable) persons – including ID numbers or electronic IDs, when they are related to a person. The decree was apparently based on a European directive, which will soon be replaced.
In Europe, the recently approved General Data Protection Regulation (GDPR) has defined the treatment of data as:
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
Today in Brazil, three bills related to the subject are under analysis.
Bill number 4,060/2012, sponsored by Rep. Milton Monti, defines treatment as any operation – with or without automated processes – for storing, ordering, conserving, updating, comparing, evaluating, organizing, selecting and extracting personal data.
On the other hand, bill number 5,276/2016 considers treatment of data as any operation with personal data.
In the Senate, bill number 330/2013, sponsored by Sen. Antônio Carlos Valadares, used to define treatment of data as any operation related to personal data. The bill has been changed by the Senate’s Science and Technology Committee, which updated the concept by defining the treatment of data as any operation with data.
As you might have noticed, all of these concepts are extremely vague – which will have deep ramifications for Brazil’s economy and for companies regardless of size.
The future law will obviously impact the major tech companies, like Google, Facebook, Apple, and Amazon. However, the catch is that it will also impact smaller businesses. Such a concept would encompass, for example, a gym that uses fingerprints to activate the entrance’s turnstiles. Fingerprints, of course, are sensitive personal data.
Bill number 5,276/2016, article 3, states that the Brazilian legislation concerning personal data will also be enforced if the data is used to provide services for people located in Brazil.
Bill number 5,276/2016, article 5, item I, says that personal data relates to a natural person, identified or identifiable (including through numbers, geolocation data, and electronic indicators).
Bill number 5,276/2016, article 5, item II, states that the treatment of personal data refers to: collecting, producing, receiving, sorting, using, accessing, reproducing, transmitting, distributing, processing, filing, storage, elimination, evaluation, or information control.