Brazil’s list of good payers a data protection liability?

. Jul 13, 2019
data protection credit brazil

While Brazilians were focused on the debates around pension reform, one piece of news passed almost unnoticed: the law establishing the so-called “list of good payers“—that is, a database of individuals who pay off their debts on time. Until now, most databases listed only “bad payers,” as a means of protecting credit companies from lending money to high-risk customers. The list’s backers claim that providing lenders with more information about customers’ debt-paying ability is an effective way of pushing down Brazil’s interest rates. Estimates claim that roughly 22 million people could benefit from access to cheaper credit.

A question remains, however: does the list of good payers represent a possible conflict with Brazil’s Data Protection Law, set to come into force next year?

Quite possibly. Banking institutions do not need </span><a href=""><span style="font-weight: 400;">customer consent</span></a><span style="font-weight: 400;"> for inclusion into the database—and consent is precisely the core point of Brazil&#8217;s data protection framework approved by Congress in 2018.</span></p> <h2>Understanding the &#8220;list of good payers&#8221;</h2> <p><span style="font-weight: 400;">A database for good payers has existed in Brazil since 2011, but it had very limited uptake. Until now, one had to explicitly opt in to the list, which allows lenders to grade customers according to payment delays. Now, inclusion is automatic, without prior consent, though users will have the option to opt out. This kind of system is used in data protection laws in several countries, including in the U.S., where it is applied in the state of California.</span></p> <p><span style="font-weight: 400;">The new law also allows users to have a fuller understanding of what is factored in to their credit score, and creates a set of obligations for companies on how to deal with sensitive personal data.</span></p> <h2>How does the list fit with Brazil&#8217;s data protection framework?</h2> <p><span style="font-weight: 400;">Inspired by the European Union&#8217;s General Data Protection Regulation (GDPR), Brazil&#8217;s new rules put the best interests of data owners at the center of the discussion. At first glance, then, the law would conflict with the very idea of a ‘good payers list’.</span></p> <p><span style="font-weight: 400;">However, the legal basis for dealing with personal data is governed by an article that also establishes that data can be used &#8220;in cases related to credit protection,&#8221; when coded by specific legislation. The European GDPR, too, lifts the need for consent when concerning legislation of economic interest.</span></p> <p><span style="font-weight: 400;">From a legal standpoint, there is therefore no conflict between the two pieces of legislation. That, however, has not stopped consumer defense organizations from threatening to file lawsuits at superior courts, challenging the list of good payers on the grounds of data protection infringements. The contestation will almost certainly take years to be resolved.</span></p> <p><span style="font-weight: 400;">For now, we can at least confirm that until August 2020 at the earliest—</span><a href=""><span style="font-weight: 400;">when the Data Protection Law comes into effect</span></a><span style="font-weight: 400;">—the list of good payers will exist as established. If the claims made by the bill&#8217;s defenders are correct, it will be a welcome instrument in fostering investment, helping break Brazil&#8217;s recent economic vicious cycle.</span></p> <p><span style="font-weight: 400;">Skeptics, however, fear that the list will be used to further restrict credit to more vulnerable borrowers, without a significant fall in interest rates.

Alisson A. Possa

Alisson A. Possa is a Brasília-based lawyer and his firm, Possa Consultoria, focuses on data protection and compliance.

Our content is protected by copyright. Want to republish The Brazilian Report? Email us at