Privacy and Brazilian Law

The need for laws written expressly to protect the privacy of personal consumer data is a growing global phenomenon. It began primarily in more technologically advanced countries, where communication between individuals or companies via electronic means has overtaken more traditional means of communication. In addition, countries that place a high level of importance on democratic values also tend to prioritize protection of privacy, given that individual human rights and individual freedoms are typically important values in such societies. A third relevant factor related to a country's focus on protecting privacy is the level of participation a country's citizens have in the market. A country in which its citizens participate actively in the market has a greater need for the collection, storage, sorting, sharing, and other manipulation of consumer data. Therefore, such countries become a target for individuals or organizations wishing to economically tap such information.

The need for privacy protection arises from the tension created by third parties' desires to use individuals' personal data, usually for profit purposes, and an individual's right to have his or her personal data protected from being exploited.

Even though such a need for privacy protection was originally deemed a relevant issue in more technologically advanced countries, the prioritization of privacy protection today, though not yet fully evolved, is already rather strong in Brazil. As the need for personal data protection emerged as an important issue in nations around the world, international businesses began to import their respective privacy issues and concerns to several less-technologically-advanced countries where they conduct business, including Brazil.

As privacy became a priority for international business and international trade, the existence of an effective and safe way to transfer personal data from one country to another became of the utmost importance. To make this possible, several affected countries concurred on how to proceed: Each country should regulate its own respective privacy-related issues, but above all, there must be harmony among the various countries' legal parameters as they relate to privacy. Conflict between the different countries' legal systems could be an impairment of the international transfer of data and, consequently, compromise the effectiveness and efficiency of international trade and business.

In view of this timely, relevant subject, and in an attempt to balance much-needed technological development against the fundamental right of privacy as a type of individual freedom, the Brazilian Congress is analyzing and voting on a number of bills for specific regulation of privacy in Brazil. These bills are in addition to other prior pieces of privacy legislation already in force.

The two main instruments available under Brazilian laws for the protection of personal data are: 1) the claim called Habeas Data provided for by the Brazilian Federal Constitution ('Constitution') and by the Habeas Data Law (Law No. 9,507/1997), and 2) the provisions of the Brazilian Consumer Defense Code, which regulates the use of databases in consumer relationships.

Brazilian Federal Constitution/Habeas Data Law

Privacy legislation in Brazil has its base and structure within the framework of the Constitution, which sets forth general principles that protect the privacy and confidentiality of personal information and communication.

The Constitution (more specifically, its Title II named 'Fundamental Rights and Guarantees') specifies under Article 5, X that the intimacy, privacy, honor, and image of the people shall not be violated; the Constitution also guarantees the right of indemnification for any moral or material damages arising from such infringement of rights.

Furthermore, the Constitution provides under Article 5, XII that the confidentiality of correspondence and telegraphic communication, data, and telephone communication shall not be violated, except as a last resource and under a court order, in ways established by the law, for criminal investigation purposes, or for evidencing purposes in a criminal proceeding.

Also under Article 5, LXXII, the Constitution institutes the Habeas Data proceeding with the following purposes: 1) to ensure the knowledge of information related to the person who files the Habeas Data, present in registries or databases of governmental entities or 'public entities' (Habeas Data law No. 9,507/1997 regulates the Habeas Data proceeding and defines 'public entities' as every registry or database with information that is or that may be transmitted to third parties or that is not of private use by the office or entity that produces or holds the information), and 2) to allow the correction of data, when the person who files the Habeas Data does not prefer to have such correction made under a confidential proceeding, whether by judicial or administrative means.

Therefore, based on the Constitution: 1) privacy is a fundamental right, and the person whose privacy is violated has the right to indemnification for any moral or material damages arising from such infringement; and 2) the one who owns personal information should have knowledge of and access to his or her personal information present in databases that may be transmitted to third parties and should be given the possibility to correct such information.

Besides the general provisions above, the Brazilian Civil Code (Law No. 10,406/2002) follows the same principles of the Constitution, and even though the Code does not define privacy, it provides that the private life of an individual shall not be violated and that the judge shall take the necessary measures upon request of the interested party to stop or to impede any act contrary to this rule.

The concept of privacy and personal data is not established under Brazilian laws. However, some authors refer to personal data as the set of information about an individual that he or she may decide to keep under his or her exclusive control, or communicate, deciding to whom, when, where, and under which conditions.

The Brazilian Consumer Defense Code

Given that the Brazilian Consumer Defense Code should be interpreted in conjunction with the Constitution, if a company decides to collect and use personal data in a database, such collection and use must be made: 1) in a way that the rights to intimacy, privacy, honor, and image of the owner of the personal information are not infringed, under penalty of payment of indemnification for material or moral damages arising from such infringement, accor-ding to the Constitution, and 2) in accordance with the requirements be-low, set forth by the Brazilian Consumer Defense Code.

It is important to note that under the Brazilian Consumer Defense Code, a consumer is defined as 'any individual or legal entity that acquires or uses products or services as an end-user.' And a supplier is 'any individual or legal entity, public or private, regardless of nationality, that performs activities of production, assembling, creation, construction, transformation, importing, exporting, distribution or commercialization of products and services.' In view of such definitions, even a company or legal entity may be considered a consumer under Brazilian laws. However, the existence of a consumer relationship should be analyzed on a case-by-case basis.

According to the Brazilian Consumer Defense Code, the requirements for the collection and use of personal data in a database are as follows:

a) The consumer shall have access to any information about himself or herself existing on records, index cards, and registers and to any personal and consumer data filed about him or her, as well as the respective source of his or her personal information.

b) The opening of such records, index cards, registers, and any database with personal and consumer data must be communicated in writing to the consumer, when not required by him or her. Such communication must include a precise description of which information will be collected, used, stored, disclosed, and otherwise processed and for what purposes.

c) The consumer shall have the right to immediately correct any incorrect information about himself or herself existing in such records, and the party responsible for the database must communicate the possible recipients of such incorrect information about its correction within 5 business days.

d) The records and information about consumers must be clear, true, and in a language of easy comprehension, and negative financial information corresponding to a period of more than 5 years cannot be included in any database, according to Brazilian laws.

If a notice to the consumer regarding the collection of his or her personal information is not sent, and an agreement between the data collector and consumer is not reached, and if there is any damage caused by the violation of such consumer's privacy, the company collecting the personal data might be civilly and criminally (through its officers) liable for the material and moral damages suffered by its consumers, regardless of whether the personal data were collected by a third party.

With regard to the sharing of consumers' personal information, Brazil still does not have an appropriate level of personal data protection according to European standards given that there is no specific legislation on personal data protection in Brazil.

Currently, Brazilian law does not limit the ability of businesses to transfer personal data outside the jurisdiction. Intercompany transfer of such information is an acceptable practice, provided the use is made in accordance with the purposes for which the company had originally received authorization, and provided the requirements under the Brazilian Consumer Defense Code (such as prior consent of the consumer) and related regulations are met. This is due to the fact that the information collected, used, stored, disclosed, and otherwise processed belongs to Brazilian individuals and/or to foreigners residing in Brazil.

As to the penalties for breach of privacy law, the Brazilian Consumer Defense Code sets forth that, in consumer relations: 1) impeding access or making it difficult for the consumer to access the information about himself or herself in databases and records is a criminal infraction whose penalty is detention from 6 months to 1 year or payment of a fine, and 2) not correcting immediately information about consumer details in databases or records, which they know or should know to be incorrect, is also a criminal infraction whose penalty is detention from 1 to 6 months or payment of a fine.

If there is any damage caused by other privacy violations, the offending company might also be liable for the material and moral damages suffered by its customers.

Ordinance No. 5 and the Brazilian Civil Code

Even though Brazil does not have a definite position with respect to the adoption of a privacy legal regime similar to that of the United States or to the EU, the principles of the Constitution and Consumer Defense Code, in conjunction with Ordinance No. 5 of Aug. 27, 2002 of the Secretary of Economic Law of the Ministry of Justice, suggest that an opt-in system (used in Europe) could be adopted in Brazil in connection with consumer-related information.

According to the opt-in system, the collection and maintenance of individual information for purposes of creating databases shall happen only upon prior and express consent of the owner of the personal information.

Ordinance No. 5 specifies that a clause is abusive ' and thus null under the Brazilian Consumer Defense Code ' when it: 1) authorizes the sending of the name of the consumer and/or its guarantor to consumer databases and files, without previous notice; 2) imposes on the consumer in adhesion contracts the obligation of objecting (whether onerous or not) to the transfer of the consumer's personal data to third parties; and 3) authorizes the supplier to pry into the consumer's private life.

Furthermore, Ordinance No. 5 affects most on-line agreements, usually adhesion agreements that allow the assignment of the data in databases belonging to consumers to other companies of the same group and/or to companies interested in having access to such data. According to the Brazilian laws and regulations mentioned above, such assignment or the use of cookies without the previous consent of the consumer (if it is a consumer relationship) should not be made, considering that Brazilian laws and regulations reflect an opt-in tendency.

On the other hand, it is important to note that protection of privacy many times may go against the public interest. In business transactions, for instance, the information works as an instrument to protect credit, eg, it allows the risk evaluation by the parties to an agreement and the combination of the intentions and wills under an agreement. In other words, there are two main interests involved in a business transaction: 1) one is entirely private, focused on the individual's interests to have his or her financial background kept in secret, and 2) another one is entirely public, focused on the interests of all individuals who could possibly enter an agreement with an individual who has a dubious and unstable financial background and would potentially be a bad payer.

Under an agreement, one party gives something to the other party expecting and trusting to receive something in return. In this sense, the Constitution sets forth as a fundamental right, under its Article 5, XIV, that everyone has the right to information, and the confidentiality of the source is protected when it is necessary for the professional performance. Under Article 5, XXXIII, the Constitution provides that everyone has the right to receive from public entities any information of their private interest or of public or general interest.

The Brazilian Civil Code sets forth in Article 138 that business transactions may be deemed void when the statements of will arise from substantial error that could be realized by a person of normal diligence, considering the business circumstances. Substantial error is defined by the Brazilian Civil Code as the error that occurs when: 1) the error involves the nature of the business, the main purpose of the statement, or some of the qualifications that are essential to the business; or 2) the error relates to the essential identity or quality of the person to whom the statement of will refers, provided that it influences the statement of will in a relevant way.

Furthermore, Article 145 of the Brazilian Civil Code provides that business transactions may be deemed void due to intentional action/omission, when the intention leads to a business transaction. Finally, according to Article 147 of the Brazilian Civil Code, in bilateral business transactions, the intentional silence of one of the parties regarding a fact or quality of which the other party does not have knowledge constitutes intentional omission; without such intentional omission, the business transaction would not have been done.

By analyzing such provisions of the Brazilian Civil Code, one could infer that without essential information of one of the parties to a business transaction, such a transaction could be voidable. Moreover, there is no doubt that when entering a business transaction, the information about the financial background of one party is relevant information to be considered by the second party, and in case of omission of such information, the transaction could be deemed void.

In view of the above, there is a clear legitimate conflict of interests between the necessary convergence of both parties' interests under an agreement. On one side, there exists the private financial background information that is of general and public interest, and on the other, there is the right to privacy of the party whose financial background is being analyzed. From a broader perspective, such a legitimate conflict of interests between the protection of personal data and the right to information is clearly present (and must be) when analyzing any privacy legislation, particularly in the case of countries such as Brazil, where no such legislation currently exists.

Brazil continues to work toward developing clear legislation with regard to privacy in order to effectively manage the now common practice of handling personal data. As globalization proceeds, each country's participation in the global marketplace depends upon, and demands, the existence of rules harmonizing the principles and practices adopted by civilized nations. When adopting these rules, emerging market players such as Brazil need to take into account such principals as good faith, data quality, written communication or previous authorization, and the possibility of correction of data.

Esther Miriam Flesch is a partner at Trench Rossi e Watanabe Advogados, associated with Baker & McKenzie International, in Sao Paulo, Brazil. She heads the IP/IT-C Group there and holds firm leadership positions regionally and globally. Her practice areas include: information technology, e-commerce, intellectual property, and commercial law. She may be contacted at [email protected]. Camila Von Ancken practices in intellectual property with the same firm. She may be contacted at [email protected].

The need for laws written expressly to protect the privacy of personal consumer data is a growing global phenomenon. It began primarily in more technologically advanced countries, where communication between individuals or companies via electronic means has overtaken more traditional means of communication. In addition, countries that place a high level of importance on democratic values also tend to prioritize protection of privacy, given that individual human rights and individual freedoms are typically important values in such societies. A third relevant factor related to a country's focus on protecting privacy is the level of participation a country's citizens have in the market. A country in which its citizens participate actively in the market has a greater need for the collection, storage, sorting, sharing, and other manipulation of consumer data. Therefore, such countries become a target for individuals or organizations wishing to economically tap such information.

The need for privacy protection arises from the tension created by third parties' desires to use individuals' personal data, usually for profit purposes, and an individual's right to have his or her personal data protected from being exploited.

Even though such a need for privacy protection was originally deemed a relevant issue in more technologically advanced countries, the prioritization of privacy protection today, though not yet fully evolved, is already rather strong in Brazil. As the need for personal data protection emerged as an important issue in nations around the world, international businesses began to import their respective privacy issues and concerns to several less-technologically-advanced countries where they conduct business, including Brazil.

As privacy became a priority for international business and international trade, the existence of an effective and safe way to transfer personal data from one country to another became of the utmost importance. To make this possible, several affected countries concurred on how to proceed: Each country should regulate its own respective privacy-related issues, but above all, there must be harmony among the various countries' legal parameters as they relate to privacy. Conflict between the different countries' legal systems could be an impairment of the international transfer of data and, consequently, compromise the effectiveness and efficiency of international trade and business.

In view of this timely, relevant subject, and in an attempt to balance much-needed technological development against the fundamental right of privacy as a type of individual freedom, the Brazilian Congress is analyzing and voting on a number of bills for specific regulation of privacy in Brazil. These bills are in addition to other prior pieces of privacy legislation already in force.

The two main instruments available under Brazilian laws for the protection of personal data are: 1) the claim called Habeas Data provided for by the Brazilian Federal Constitution ('Constitution') and by the Habeas Data Law (Law No. 9,507/1997), and 2) the provisions of the Brazilian Consumer Defense Code, which regulates the use of databases in consumer relationships.

Brazilian Federal Constitution/Habeas Data Law

Privacy legislation in Brazil has its base and structure within the framework of the Constitution, which sets forth general principles that protect the privacy and confidentiality of personal information and communication.

The Constitution (more specifically, its Title II named 'Fundamental Rights and Guarantees') specifies under Article 5, X that the intimacy, privacy, honor, and image of the people shall not be violated; the Constitution also guarantees the right of indemnification for any moral or material damages arising from such infringement of rights.

Furthermore, the Constitution provides under Article 5, XII that the confidentiality of correspondence and telegraphic communication, data, and telephone communication shall not be violated, except as a last resource and under a court order, in ways established by the law, for criminal investigation purposes, or for evidencing purposes in a criminal proceeding.

Also under Article 5, LXXII, the Constitution institutes the Habeas Data proceeding with the following purposes: 1) to ensure the knowledge of information related to the person who files the Habeas Data, present in registries or databases of governmental entities or 'public entities' (Habeas Data law No. 9,507/1997 regulates the Habeas Data proceeding and defines 'public entities' as every registry or database with information that is or that may be transmitted to third parties or that is not of private use by the office or entity that produces or holds the information), and 2) to allow the correction of data, when the person who files the Habeas Data does not prefer to have such correction made under a confidential proceeding, whether by judicial or administrative means.

Therefore, based on the Constitution: 1) privacy is a fundamental right, and the person whose privacy is violated has the right to indemnification for any moral or material damages arising from such infringement; and 2) the one who owns personal information should have knowledge of and access to his or her personal information present in databases that may be transmitted to third parties and should be given the possibility to correct such information.

Besides the general provisions above, the Brazilian Civil Code (Law No. 10,406/2002) follows the same principles of the Constitution, and even though the Code does not define privacy, it provides that the private life of an individual shall not be violated and that the judge shall take the necessary measures upon request of the interested party to stop or to impede any act contrary to this rule.

The concept of privacy and personal data is not established under Brazilian laws. However, some authors refer to personal data as the set of information about an individual that he or she may decide to keep under his or her exclusive control, or communicate, deciding to whom, when, where, and under which conditions.

The Brazilian Consumer Defense Code

Given that the Brazilian Consumer Defense Code should be interpreted in conjunction with the Constitution, if a company decides to collect and use personal data in a database, such collection and use must be made: 1) in a way that the rights to intimacy, privacy, honor, and image of the owner of the personal information are not infringed, under penalty of payment of indemnification for material or moral damages arising from such infringement, accor-ding to the Constitution, and 2) in accordance with the requirements be-low, set forth by the Brazilian Consumer Defense Code.

It is important to note that under the Brazilian Consumer Defense Code, a consumer is defined as 'any individual or legal entity that acquires or uses products or services as an end-user.' And a supplier is 'any individual or legal entity, public or private, regardless of nationality, that performs activities of production, assembling, creation, construction, transformation, importing, exporting, distribution or commercialization of products and services.' In view of such definitions, even a company or legal entity may be considered a consumer under Brazilian laws. However, the existence of a consumer relationship should be analyzed on a case-by-case basis.

According to the Brazilian Consumer Defense Code, the requirements for the collection and use of personal data in a database are as follows:

a) The consumer shall have access to any information about himself or herself existing on records, index cards, and registers and to any personal and consumer data filed about him or her, as well as the respective source of his or her personal information.

b) The opening of such records, index cards, registers, and any database with personal and consumer data must be communicated in writing to the consumer, when not required by him or her. Such communication must include a precise description of which information will be collected, used, stored, disclosed, and otherwise processed and for what purposes.

c) The consumer shall have the right to immediately correct any incorrect information about himself or herself existing in such records, and the party responsible for the database must communicate the possible recipients of such incorrect information about its correction within 5 business days.

d) The records and information about consumers must be clear, true, and in a language of easy comprehension, and negative financial information corresponding to a period of more than 5 years cannot be included in any database, according to Brazilian laws.

If a notice to the consumer regarding the collection of his or her personal information is not sent, and an agreement between the data collector and consumer is not reached, and if there is any damage caused by the violation of such consumer's privacy, the company collecting the personal data might be civilly and criminally (through its officers) liable for the material and moral damages suffered by its consumers, regardless of whether the personal data were collected by a third party.

With regard to the sharing of consumers' personal information, Brazil still does not have an appropriate level of personal data protection according to European standards given that there is no specific legislation on personal data protection in Brazil.

Currently, Brazilian law does not limit the ability of businesses to transfer personal data outside the jurisdiction. Intercompany transfer of such information is an acceptable practice, provided the use is made in accordance with the purposes for which the company had originally received authorization, and provided the requirements under the Brazilian Consumer Defense Code (such as prior consent of the consumer) and related regulations are met. This is due to the fact that the information collected, used, stored, disclosed, and otherwise processed belongs to Brazilian individuals and/or to foreigners residing in Brazil.

As to the penalties for breach of privacy law, the Brazilian Consumer Defense Code sets forth that, in consumer relations: 1) impeding access or making it difficult for the consumer to access the information about himself or herself in databases and records is a criminal infraction whose penalty is detention from 6 months to 1 year or payment of a fine, and 2) not correcting immediately information about consumer details in databases or records, which they know or should know to be incorrect, is also a criminal infraction whose penalty is detention from 1 to 6 months or payment of a fine.

If there is any damage caused by other privacy violations, the offending company might also be liable for the material and moral damages suffered by its customers.

Ordinance No. 5 and the Brazilian Civil Code

Even though Brazil does not have a definite position with respect to the adoption of a privacy legal regime similar to that of the United States or to the EU, the principles of the Constitution and Consumer Defense Code, in conjunction with Ordinance No. 5 of Aug. 27, 2002 of the Secretary of Economic Law of the Ministry of Justice, suggest that an opt-in system (used in Europe) could be adopted in Brazil in connection with consumer-related information.

According to the opt-in system, the collection and maintenance of individual information for purposes of creating databases shall happen only upon prior and express consent of the owner of the personal information.

Ordinance No. 5 specifies that a clause is abusive ' and thus null under the Brazilian Consumer Defense Code ' when it: 1) authorizes the sending of the name of the consumer and/or its guarantor to consumer databases and files, without previous notice; 2) imposes on the consumer in adhesion contracts the obligation of objecting (whether onerous or not) to the transfer of the consumer's personal data to third parties; and 3) authorizes the supplier to pry into the consumer's private life.

Furthermore, Ordinance No. 5 affects most on-line agreements, usually adhesion agreements that allow the assignment of the data in databases belonging to consumers to other companies of the same group and/or to companies interested in having access to such data. According to the Brazilian laws and regulations mentioned above, such assignment or the use of cookies without the previous consent of the consumer (if it is a consumer relationship) should not be made, considering that Brazilian laws and regulations reflect an opt-in tendency.

On the other hand, it is important to note that protection of privacy many times may go against the public interest. In business transactions, for instance, the information works as an instrument to protect credit, eg, it allows the risk evaluation by the parties to an agreement and the combination of the intentions and wills under an agreement. In other words, there are two main interests involved in a business transaction: 1) one is entirely private, focused on the individual's interests to have his or her financial background kept in secret, and 2) another one is entirely public, focused on the interests of all individuals who could possibly enter an agreement with an individual who has a dubious and unstable financial background and would potentially be a bad payer.

Under an agreement, one party gives something to the other party expecting and trusting to receive something in return. In this sense, the Constitution sets forth as a fundamental right, under its Article 5, XIV, that everyone has the right to information, and the confidentiality of the source is protected when it is necessary for the professional performance. Under Article 5, XXXIII, the Constitution provides that everyone has the right to receive from public entities any information of their private interest or of public or general interest.

The Brazilian Civil Code sets forth in Article 138 that business transactions may be deemed void when the statements of will arise from substantial error that could be realized by a person of normal diligence, considering the business circumstances. Substantial error is defined by the Brazilian Civil Code as the error that occurs when: 1) the error involves the nature of the business, the main purpose of the statement, or some of the qualifications that are essential to the business; or 2) the error relates to the essential identity or quality of the person to whom the statement of will refers, provided that it influences the statement of will in a relevant way.

Furthermore, Article 145 of the Brazilian Civil Code provides that business transactions may be deemed void due to intentional action/omission, when the intention leads to a business transaction. Finally, according to Article 147 of the Brazilian Civil Code, in bilateral business transactions, the intentional silence of one of the parties regarding a fact or quality of which the other party does not have knowledge constitutes intentional omission; without such intentional omission, the business transaction would not have been done.

By analyzing such provisions of the Brazilian Civil Code, one could infer that without essential information of one of the parties to a business transaction, such a transaction could be voidable. Moreover, there is no doubt that when entering a business transaction, the information about the financial background of one party is relevant information to be considered by the second party, and in case of omission of such information, the transaction could be deemed void.

In view of the above, there is a clear legitimate conflict of interests between the necessary convergence of both parties' interests under an agreement. On one side, there exists the private financial background information that is of general and public interest, and on the other, there is the right to privacy of the party whose financial background is being analyzed. From a broader perspective, such a legitimate conflict of interests between the protection of personal data and the right to information is clearly present (and must be) when analyzing any privacy legislation, particularly in the case of countries such as Brazil, where no such legislation currently exists.

Brazil continues to work toward developing clear legislation with regard to privacy in order to effectively manage the now common practice of handling personal data. As globalization proceeds, each country's participation in the global marketplace depends upon, and demands, the existence of rules harmonizing the principles and practices adopted by civilized nations. When adopting these rules, emerging market players such as Brazil need to take into account such principals as good faith, data quality, written communication or previous authorization, and the possibility of correction of data.

Esther Miriam Flesch is a partner at Trench Rossi e Watanabe Advogados, associated with Baker & McKenzie International, in Sao Paulo, Brazil. She heads the IP/IT-C Group there and holds firm leadership positions regionally and globally. Her practice areas include: information technology, e-commerce, intellectual property, and commercial law. She may be contacted at [email protected]. Camila Von Ancken practices in intellectual property with the same firm. She may be contacted at [email protected].