Brazilian data protection law could boost health data market

Dec 05, 2019
Photo: Alexey Boldin

In Brazil, whenever visiting a pharmacy or drugstore, you will be quickly preyed upon by a shop attendant and taken to one side. First, they will hand you a small basket for your purchases, and then request your taxpayer ID, with the promise of a store discount for those who are “signed up” to that particular pharmacy chain. Registering your tax ID at these establishments does not cost money and comes with some small discounts—3 for 2 on suncream, anyone?—but consumers should be asking themselves: where does their data go?

As of August 2020, the data of all Brazilians will be protected by specific legislation: the General Law of Data Protection (https://brazilian.report/money/2019/06/07/prepare-lgpd-brazil-new-data-protection-law/) (LGPD), sanctioned this year. As a result, the companies that collect and store this information will have numerous obligations regarding this material, whether it be online or offline.

The collection, handling, storage and sharing of this material must be done according to the classifications given by the LGPD. For example, any and all data that contains personal information is considered sensitive. This means that the handling of this content must be done carefully by companies, with the establishment of barriers in order to avoid the possibility of finding out who is the “owner” of said information.

One example of sensitive data is information related to health. Lawyer Lucas Paglia, a data protection expert, explains that this information has been classified as such because of the effects that any disclosure or leak could have. According to Mr. Paglia, details about patients’ medical history can affect their professional life or even make it difficult to obtain certain health services.

Even with the protections in place, the LGPD regulates the possibility of sharing and selling this information (https://brazilian.report/opinion/2019/07/13/brazil-good-payers-data-protection-liability/) among companies in the industry. This sale is permitted provided it is used exclusively for medical services or those related to healthcare activities.

The exception, explains attorney Maria Cibele Crepaldi, involves the “treatment of health data for the practice of risk selection in the procurement of any type of product or service, for example, healthcare plans or life insurance.”

Prior to the LGPD, the closest thing to regulating this sale was a Federal Medicine Board resolution (http://www.portalmedico.org.br/resolucoes/cfm/2010/1939_2010.htm) that prohibits doctors from participating in advertisements for discount coupons, as the practice would result in the creation of a database “with clinical information and the subsequent stratification and qualification of healthy and diagnosed users according to risk […] with eminently commercial objectives,” which is prohibited by the Code of Ethics for doctors.

The offering of discount coupons is one of the most common methods for obtaining health data in Brazil. Generally, this information is used to improve the user’s shopping experience, but there are other purposes, such as sharing this information with other companies to increase the database.

This sharing of data is commonplace with consultation applications, which obtain client subscriptions in exchange for making appointments with medical professionals of a wide range of specialties. A survey conducted in 2018 by the Brazilian Consumer Defense Institute showed that these platforms use this data to share information with third parties, create targeted advertisements, and profit from discount campaigns.

Alexandre Atheniense, an attorney specializing in Digital Law, explains that the LGPD requires the express consent of the user for the collection of data, and that the purpose of providing this content to third parties be explicit in the terms and conditions. Outside these regulatory lines, the acquisition of data becomes unlawful and the company involved may be punished by the National Data Protection Authority—the government agency to oversee data privacy, yet to be created—or in court, by way of a suit for damages filed by the data owner.

Misconduct in handling data

The unauthorized use of information collected in exchange for discounts is being investigated by state prosecution services in Brazil. There are already probes underway in Minas Gerais and the Federal District, regarding the undue sale of information by pharmacies. In Minas Gerais, one of the companies under investigation agreed to pay a BRL 7-million fine (https://g1.globo.com/mg/minas-gerais/noticia/2018/12/05/drogaria-araujo-e-multada-em-mais-de-r7-milhoes-por-condicionar-descontos-a-fornecimento-de-cpf.ghtml) to end the investigation and reimburse the damages caused by unlawful data collection.

Situations like this are, in part, a result of the limited culture of data protection existing in Brazil, meaning that many Brazilians do not know their own rights. However, though still incipient, this knowledge is being shaped by the continuous leaks of information previously seen as confidential.

A survey (https://br.financas.yahoo.com/noticias/brasileiros-n%C3%A3o-confiam-nas-empresas-175156680.html) conducted by IBM shows that, of 11,000 respondents, 96 percent are suspicious of the security measures adopted by companies to protect clients’ personal data. The survey also showed that for every ten Brazilians, six claim to have been victims or know someone directly affected by data leaks.

An example of this mistrust involves one of the largest operators of private healthcare in Brazil: Unimed. A report on the website Olhar Digital showed that the company’s database has numerous security flaws, allowing unrestricted access to customer registration data, such as full names, taxpayer IDs, mother’s name, email address, data of dependents, exams, death certificates, and x-rays.

Not even the government manages to escape from digital insecurity. In April of this year, one of the databases of the public health system was invaded by a hacker who gained access to the personal information of 2.4 million Brazilians. The person responsible for the invasion approached news portal UOL to report the security flaw, but the Ministry of Health denied any leak.

The health market

Despite taking baby steps in Brazil, many companies around the world are already keeping an eye on the financial potential of medical data. In the U.S., Google is already being put under the microscope due to one of its software development programs: the Nightingale Project, promoted in partnership with Ascension.

According to an article in The Wall Street Journal, health information of U.S. citizens is being mapped in 21 states without anyone having been notified. The bill is anchored in a U.S. federal law that allows the use of this information to help companies and institutions “to perform their healthcare functions.”

A similar situation in the UK was reported by the Financial Times. An article (https://www.ft.com/content/0fbf4d8e-022b-11ea-be59-e49b2a136b8d) showed that British medical consultation sites stored information without the authorization of users. This data was used by Google, Amazon, Facebook, Microsoft, and AppNexus.

And medical data is not only good for advertising drugs and prosthetics, there are already companies profiting from DNA mapping, such as 23andMe, which has signed a USD 300 million contract to help develop a new medication. There is also the possibility of using this information to monitor certain groups of people or “ensure the safety of a population.”

This was the argument used by the Chinese government, when it collected DNA samples and retina scans of over 36 million people between 2016 and 2017. As a consequence, the “Physicals for All” project is being used to monitor the Muslim Uyghur population living in the autonomous region of Xinjiang.

 
Brenno Grillo

Correspondent in Brasília. Journalist since 2012, specialized in covering Law and Justice. Worked in communication agencies until being chosen as an intern at O Estado de S.Paulo. Also worked at Portal Brasil and on political campaigns. His last job was at ConJur, a website specialized in Justice news.
