As soon as this week, the Brazilian Senate may vote on the Brazilian Data Protection Bill (PLC 53/2018), which was approved by the Chamber of Deputies on May 29th following nearly a decade of debate on various draft bills. While aspects of the bill will no doubt need to be refined and evolve with time, overall, Mozilla believes this bill represents a strong baseline data protection framework for Brazil, and we urge Brazilian policymakers to pass it quickly.
Specifically, this bill:
- Is the outcome of an inclusive and open consultation process, following the example of the landmark Brazilian Civil Rights Framework for the Internet (‘Marco Civil’). The consultation has involved multiple stakeholders from government, private sector, civil society, and academia. The bill has also received public support from various organizations in the private sector and civil society.
- Applies with equal strength to the private sector and the government. Creating broad exceptions for government use of data, as proposed in alternative bills, would dilute the effectiveness of the data protection law in safeguarding user rights. The government is arguably the largest data collector in Brazil, and government data collection is often mandatory for access to services. As the Brazilian general election approaches, some are concerned that in the absence of a data protection law, personal data could be used to influence the election. This is especially salient given the recent debates and revelations around Cambridge Analytica.
- Introduces a well-resourced, independent, and empowered national regulator. A strong enforcement mechanism is critical for any data protection framework to be effective. This includes a high degree of independence from the government, since the regulator should have jurisdiction over claims against the government as well. We also welcome the introduction of a participatory multi-stakeholder body to issue guidelines, ensure transparency, and evaluate the implementation of the law.
- Puts in place a robust framework of user rights with meaningful user consent at its core, requiring data controllers and processors to abide by the principles of data minimisation, purpose limitation, collection limitation, and data security. In particular, it includes a high standard of free, informed, and unequivocal consent, putting users in control of their data and online experiences. It also emphasizes mechanisms for accountability, putting the onus on the agent to demonstrate both the adoption and effectiveness of data protection measures, and allows for the user to access and rectify data about themselves as well as withdraw consent for any reason.
- Defines categories of sensitive personal data; in particular, it’s good to see biometric data included in this list. A stricter regime for certain categories of sensitive data is useful in order to signal to data controllers that a higher level of protection and security will be required given the sensitivity of the information.
The lack of a comprehensive data protection law exposes Brazilian citizens to risks of misuse of their personal data by both government and private services. This is a timely and historic moment where Brazil has the opportunity to finally pass a baseline data protection law that will safeguard the rights of Brazilians for generations to come.