The Bill’s provisions on international data transfers are most relevant to foreign companies that do business in Brazil.
The Brazilian government has issued a Bill for the Protection of Personal Data (Bill) for public consultation. The Bill follows the European Union (EU) concept of “adequate data protection” in the receiving country and the provisions of the Brazilian Civil Rights Framework for the Internet (in Portuguese, Marco Civil da Internet, officially Law No 12.965), the law that governs Internet use in Brazil. Compared to the Marco Civil, the Bill is more specific and covers all forms of the processing of personal data—not only via the Internet. According to Article 28 of the Bill, a data transfer from Brazil to countries without adequate data protection (which likely includes the United States) is legal only if one of the following five exceptions applies:
I - when the transfer is necessary for international judicial cooperation between public intelligence and investigation agencies, according to the instruments of international law;
II - when the transfer is necessary for the protection of life or physical safety of the owner or a third party;
III - when the competent body authorizes the transfer pursuant to a regulation;
IV - when the transfer results from a compromise assumed under an international cooperation agreement;
V - when the transfer is necessary for the enforcement of public policy or legal authority of the public service, made public pursuant to paragraph 1 of article 6.
Compared to the EU Data Protection Directive 95/46/EC (EU Directive), which is the likely role model for this part of the Bill, the above exemptions are more narrowly designed. For instance, they would not cover data transfer for “the establishment, exercise or defense of legal claims,” e.g., for e-discovery purposes in the United States, as Article 26 (1)(c) of the EU Directive allows under certain conditions. Article 26 (1)(b) of the EU Directive also authorizes a data transfer if it “is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject's request.” The Bill doesn’t mention this possibility. Instead, it relies heavily on prior authorizations of the international data transfers by the applicable data protection agency and alternatively on individual consents:
I - general and specific rules of the legislation in force in the country of destination;
II - nature of the data;
III - compliance with the general principles of protection of personal data provided in the Brazilian Data Protection Law;
IV - adoption of security measures provided for in Regulation; and
V - other specific circumstances related to the transfer.
We also observe a provision on joint and several liability of the data exporter and the data importer under the law (Article 31 of the Bill), “regardless of fault,” which facilitates the law’s enforcement in Brazil and results in additional liability risks for data exporters and data importers.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
The Bill mentions órgão competente, which can be translated (literally) as “competent agency.” No data protection agency has been created yet, and it is unclear if there will be a specific data protection agency or if existing government agencies will actually be granted such competence. This will likely be addressed in any regulations following the promulgation of the law.