April 25th, 2018

Legislative Newsletter - Edition 088

Protection of personal data: technical and political complexity

Regulating  the ownership of data produced in virtual environment.

Legislative Newsletter - Edition 088

If Property Right was more deeply regulated in the 19th Century and the Intellectual Property  in the 20th, the 21st Century is challenging  in relation to  regulating  the ownership of data produced in virtual environment induced by websites, applications or softwares  – also known as personal data. In other words, if Intellectual Property is aimed at protecting Scientific and Artistic creations resulted from someone action, Personal Data Protection is aimed at limiting information gathering of individuals in order to assure Fundamental Rights provided by the Brazilian Federal Constitution and the Human Rights Treaties signed by Brazil.

Recently, the scandal involving the use of personal data of Facebook users by the Cambridge Analytics Policy Consulting  indicates how this data use may impact in people’s future decisions. From the legal perspective, the United States do not have  a specific legislation towards personal data protection, but only towards protection of data related to children and consumers.  

By the other hand, the European Union has a specific Directive[1] about this subject since 1995 (45/46/EC), resulting from OECD recommendations declared in 1988 and focusing on individual guarantees. The Directive will be replaced by the General Regulations for Data Protection, which will enter in force on May 25th. This legislative disagreement lead both US and EU to the “Safe Harbour Privacy Principles” so that American companies would ensure in American floor the same level of data protection as those set out in Europe.

The Safe Harbour Agreement was cancelled in 2015 by the European Court of Justice on behalf of action delivered by an Austrian lawyer in 2013 in which he claimed that the data protection had been violated regarding the action of the National Security Agency (NSA), whose violations were exposed by Edward Snowden, a former NSA Agent. However, because of the economic importance that data protection represents in the current global economy, a new deal called “EU-US Privacy Shield” was signed in 2016.

The debate on clear rules for use and protection of personal data as an economic asset  has also motivated the proposal of a Law on this theme in Brazil. At this moment there are 3 Bills running on at the Congress, which are: The PL 4060/2012, which Author is the Representative Milton Monti (PR/SP); the PL 5276/2016, delivered by the Government; and the PLS 330/2013, which Author is the Senator Antonio Carlos Valadares (PSB/SE). These are the Bills that are leading the discussions until now. A Special Committee was appointed to analyze the Bill 4060/2012. Since both Bills are related to the same subject, the Bill 5276/2016 now runs together with the Bill 4060/2012 under discussions in the Special Committee. Meanwhile, in the Senate, the Bill PLS 330/2013, which incorporated the Bills PLS 131/2014 and PLS 181/2014. The Reports on these Bills have already been approved in the Science and Technology Committee (CST) and in the Environment, Consumer Protection and Supervision and Control Committee (CMA). At this moment, the Bill is under discussion in the Economic issues Committee (CAE), where Senator Ricardo Ferraço (PSDB/ES) was chosen as Rapporteur. After that, the Bill will be sent to the Constitution and Justice Committee and to the Plenary Floor. According to the Senate Internal Rules, the Bill 4060/2012, which run over the Bill 5276/2016, will have provenience over the PLS 330/2014 when the former goes from the House of Representative to the Senate.

Although praised and recognized as complementary to the Brazilian Civil Rights Framework for the Internet (Law nº 12,965/2014), the Bill 5276/2016 has been also criticized, especially for the absence of a specific authority to implement and supervise personal data protection, what is recommended by OECD. The government of President Temer seeks a way to propose the creation of this Authority, since the original Bill delivered during the last Government of President Rousseff does not propose it. This is a challenge to be overcome by President Temer in order to comply with this requirement of OECD to accept Brazil as an effective member.. The situation is challenging due to the named “Initiative Reserve”, which restricts to the Government the creation of bodies in the Executive branch in accordance with Article 61 §1º, II. “e” of the Brazilian Federal Constitution. This restriction blocks the government to deliver an Amendment introducing the Authority directly in the Bill PL 5276/2016 through an allied Representative, what would be a shortcut. A possible alternative would be the  proposal of a new Bill by the Government introducing the Authority, respecting the “Initiative Reserve”, and negotiating with the House Speaker to make Bill PL 5276/2016 and the new Bill to run together since they are on the same theme, what would speed up the process. . Apparently, the political chess for regulating personal data protection has been shown to be as complex as the technical content inherent to this theme.   


[1] A "directive" is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to devise their own laws on how to reach these goals. One example is the EU consumer rights directive, which strengthens rights for consumers across the EU, for example by eliminating hidden charges and costs on the internet, and extending the period under which consumers can withdraw from a sales contract.