On November 7, we discussed the challenges that Brazil faces regarding the regulation of personal data. The issue depends on how lawmakers will define what “personal data” actually means. Brazil’s existing legal framework and the bills around the use of personal data in the country have created data categories that help clarify what “sensitive personal data” is – and the implications it has for people’s lives.
The normative pyramid for classifying data is structured as follows:
At its base, we have a category simply called “information,” as defined in the 2011 Access to Information Act. That refers to data, processed or not, that can be used to produce and disseminate knowledge in any way. In other words, it refers to all data produced either in an automated way or through human action. Examples range from a simple text file to a medical chart.
The next category is “personal data.” This concept is described in a 2016 presidential decree that created the Civil Rights Framework for the Internet. Based on a European directive, the Brazilian concept defines personal data as any data related to identified (or identifiable) persons – including ID numbers or electronic IDs, when they are related to a person. The concept is similar to a definition established in a bill (number 5,276/2016) that is currently being voted on by Congress.
At the top of the pyramid is what we call “sensitive personal data.” This category, meanwhile, has no definition previously established by the current legal framework, but is covered by the bills in Congress.