Mariana Rielli, Project Coordinator, Data Privacy Brazil and Carolina Rossini, Director of Research and Partnerships, Datasphere Initiative
In 2018, the Brazilian General Data Protection Law (hereafter LGPD) was passed unanimously by both houses of Congress after almost 10 years of multistakeholder debates. As commented by Sérgio Gallindo in the Memory of LGPD docu-series: ‘’LGPD is a lesson on participatory democracy, but above all it is a lesson on compromise, on how to build quality public policy with antagonic parties that are ultimately motivated (…) by the best interest of Brazil’’. This new data regulation regime – including the constitutional level – has become an inspiration for the rest of Latin America. This blog shares key aspects of the regime and explains why it’s implementation will be important to watch in the future.
Building on the victories of the Marco Civil da Internet, as well as Brazil’s trajectory and protagonism on internet governance issues, the new data protection law is comprehensive and cross-cutting. It is strongly inspired by the European Union General Data Protection Regulation while also centered around core elements of the Brazilian legal system and tradition. Additionally, the LGPD was made possible by a combination of dialogue and collective expertise across different sectors, built throughout the many years before there was any prospect of passing a law, and a favorable political climate after the Cambridge Analytica scandal and other contextual elements, such as the government’s interest in entering the Organisation for Economic Cooperation and Development.
Prior to the LGPD, Brazil had already adopted other data protection regulations, but those were sector specific. Examples included a first wave of constitutionalization of the right to habeas data — after decades of a dictatorial regime –, followed the inclusion of data protection provisions in different pieces of legislation, such as the Access to Information Act, legislation regarding consumer and credit protection, health and financial regulations, among others.
The road to the constitutionalization of data protection right
Through a landmark ruling in 2020, the Brazilian Supreme Court qualified data protection as an autonomous fundamental right, a remarkable shift of how the Supreme Court has been analyzing privacy and data protection. More recently, in 2022, it was inscribed directly in the Brazilian Constitution.
While the road to constitutionalization of the data protection right has its origins in the aforementioned habeas data and other related rights, such as due process and specific protections for the development of an individual’s personality, the LGPD and, more specifically, the 2020 Supreme Court decision are the milestone for the consolidation of data protection as a separate and independent right from privacy, intimate life and confidentiality. This is relevant because not all personal data are private per se, much less confidential.
At the height of the COVID-19 pandemic, the Brazilian Supreme Court was presented with a case that became the most emblematic for data protection in the country, so far. In short, by a significant majority, 10 votes to 1, the Court halted the effectiveness of the Presidential Executive Order (MP 954/2020) that mandated telecom companies to share subscribers’ data (e.g., name, telephone number, address) of more than 200 hundred million individuals with the Brazilian Institute of Geography and Statistics (IBGE), the country’s agency responsible for performing census research.
The Supreme Court understood that the executive mandate did not include any actual demonstration of necessity and proportionality, nor any provisions about transparency and information security, and mentioning LGPD, which while passed almost two years prior had not yet come into force by the time of the judgment.
The Supreme Court decision asserted that, especially in this current age, there is no insignificant data and that the fact that the data requested limited itself to names, home addresses and phone numbers (which are not inherently sensitive) had no bearing on the decision. In other words, the Court understood that personal data deserves protection because of how it is used and not for specific characteristics of the data itself – if it’s public or classified, trivial or sensitive. The recognition by the Supreme Court of an autonomous fundamental right to data protection then paved the way for Congress to pass a constitutional amendment that included this provision in the Constitution itself, providing another normative layer of protection for citizens in Brazil.
From normatization to institutionalization: the Brazilian Data Protection Authority
To complete a strong framework of data protection, the LGPD had proposed an enforcement and oversight mechanism, that would also be responsible for harmonizing existing sectoral frameworks, supporting the Judicial system, and leading educational initiatives to inform both the public and institutions: the National Data Protection Authority (ANPD) – the Brazilian Data Protection Authority (DPA). However, the ANPD was stripped of its original independence and instead brought to life as a body subordinated to the Presidency, which has already created challenges from financial, functional and decision-making independence and sustainability.
However, due to the pressure of civil society, academia and parts of the private sector, a provision was secured by which such subordination to the Executive would be temporary, with the possibility of ANPD becoming an independent autarchy after 2 years of its formal installation.
We are now at the moment to design this crucial spin-off. For that, a Provisional Measure issued by the Executive (and yet to be confirmed by Congress, but strongly supported by various actors, including from the private sector) is proposing a model for this renewed and independent ANPD would adhere to. This is particularly relevant not only because formal DPA independence is a basic step towards effective enforcement and protection, but also as one of the ways to avoid political capture of the Authority, especially in an election year.
On top of that, correlated issues, such as the regulation of AI are also on the agenda and articulations with other countries in the Global South regarding common issues of datafication and democracy are taking front stage.
The moment, therefore, is as effervescent as it can be for those closely following these developments in Brazil!
For those who want to learn more, please join the Data Privacy Global Conference, a 2-day seminar organized by Data Privacy Brasil with the support of the Datasphere Initiative and other partners, which will take place in November 2022, in São Paulo, Brazil.