Data Protection Enforcement in Brazil

Administrative Remedies

None. There is no agency in Brazil specialized in verifying compliance with data protection rules. However, the new government may propose this year a bill of law that will deal specifically with data protection and its compliance in Brazil.

Civil Remedies

Individuals can bring claims for actual as well as moral damages. In case of violation of data protection rules established in the Internet Legal Framework, civil sanctions can vary from: (a) warnings, (b) fines in the amount of up to 10% of the economic group’s (to which the company that has violated the rule belongs to) revenues in Brazil in the last year, (c) temporary suspension of data collection activities or (d) prohibition of data collection activities. Please see below in general comments for more detailed information on the Internet Legal Framework. As such Law has been recently enacted, some provisions are yet to be regulated by the government. Besides, a violation of any data protection rule established in the Consumer Defense Code, as further explained below, can be penalized with fines up to R$ 6.000.000. Such penalties may be imposed by specialized agencies entitled to “defend” consumers’ rights broadly (“PROCONs”) or the Consumer District Attorney’s Office. Administrative procedures as such have been conducted by authorities, but in a confidential basis which prevent us from having further details about them.

Criminal Remedies

Potential criminal liability for unauthorized interceptions of electronic communications (subject to imprisonment from 2 to 4 years, plus fines) and other specific matters. In addition, depending on the nature of the data (e.g. banking, tax), unauthorized access or breaches also constitute a crime (subject to imprisonment from 1 to 4 years, plus fines). There is also criminal liability for accessing computer devices to obtain information without the computer owner’s authorization (subject to imprisonment from 3 months to 1 year, plus fines, and such penalty might be increased up to 1/3 if the breach caused economic damage). The penalty shall be increased if the information obtained consists of private electronic communications, confidential information or trade secrets (subject to imprisonment from 6 months to 2 years, plus a fine if no greater offence was committed). If a greater offence was committed, e.g. if confidential information is obtained by breaching a computer device and a fraud is committed by using such information, such individual shall be subject to imprisonment from 1 to 5 years, plus fine (which is the penalty applicable for fraud) instead of imprisonment from 6 months to 2 years, plus fine. Please note that, in this event, the penalty for fraud shall not complement the penalty for obtaining private electronic communications, confidential information or trade secrets by breaching computer devices, but will rather replace it.

Other Remedies

None

Selected Enforcement Actions / General Comments

Although there is no specific law governing only data protection or privacy in Brazil so far, there are some data protection rules established in different pieces of legislation. The recently enacted Internet Legal Framework is the Law which contains more specific provisions regarding data protection rules. This Law dedicates a chapter to the protection of logs, personal data and private communications made online. According to this Law, any collection, use, storage or processing of personal data requires the data subject’s express consent. Internet users shall give their express consent for the collection, use, storage, and processing of personal data, and such consent shall “stand out” from other contractual conditions, that is such consent should not be “hidden” amongst a website’s terms of use, where a “normal” user would not be able to easily identify it. Also, pursuant to the Internet Legal Framework, personal data may only be transferred to third parties upon the free, express and informed consent of the data subject and information stored by websites and the content of such private communications may only be disclosed upon a relevant court order. Moreover, an individual’s right to intimacy, privacy, honor and image is considered a fundamental right subject to protection by the Brazilian Federal Constitution, and so any use of personal data, including the collection, processing, storage, disclosure and transfer thereof must be made in a way that the rights of intimacy, privacy, honor and image of the data subject are not infringed, under penalty of payment of indemnification for material or moral damages arising from such infringement. Furthermore, the Brazilian Civil Code treats the right to privacy as a personality right, which cannot be waived or assigned as a matter of public policy. Additionally, the Brazilian Consumer Defense Code (“CDC”) provides for certain rules regarding the storage and use of consumer data. In the absence of a specific privacy law, the principles and concepts of the CDC may apply by analogy to other types of relationships. In general terms, the CDC requires suppliers of products or services to previously inform the consumer about the storage of personal information in databases, if the consumer did not request such storage. The CDC also provides that consumers should have the right to access any information about them stored in databases and if any inaccurate information is stored in such files consumers also have the right to require the correction of such information. Moreover, the CDC prohibits the data controller from storing undesirable information about a consumer that refers to an event which occurred more than five years ago. In view of the above, the conservative approach is to obtain the consent of Brazilian individuals prior to the collection, use, processing and transferring of any personal data whenever possible.