The Constitutionalization of Data Protection Rights: The Case of Brazil

(Brazil) The Brazilian General Data Protection Law (LGPD), unanimously passed in 2018 by both houses of Congress after almost 10 years of multi-stakeholder debates, has become an inspiration for the rest of Latin America. 

As Sérgio Gallindo commented in the Memory of LGPD docu-series: “LGPD is a lesson on participatory democracy, but above all it is a lesson on compromise, on how to build quality public policy with antagonistic parties that are ultimately motivated (...) by the best interest of Brazil.” Here we will share key aspects of the data regulation regime and explain why its implementation is important to watch in the future. 

Building on the victories of the Marco Civil da Internet (Law 12.965/2014), as well as Brazil’s trajectory and leadership on internet governance issues, the new data protection law is comprehensive and cross-cutting. The law is strongly inspired by the European Union General Data Protection Regulation (GDPR) while also centered around core elements of the Brazilian legal system and tradition. 

Additionally, the LGPD was made possible by a combination of dialogue and collective expertise across different sectors, built over many years before any prospect of passing a law. It also resulted from a favorable political climate after the Cambridge Analytica scandal and other contextual elements, such as the government’s interest in entering the Organization for Economic Cooperation and Development.

Prior to this law, Brazil had adopted other data protection regulations that were sector specific. One was a first wave of constitutionalization of the right to habeas data after decades of a dictatorial regime. That was followed by the inclusion of data protection provisions in different pieces of legislation, including the Access to Information Act, consumer and credit protection legislation, and health and financial regulations.

Road to the Constitutionalization of Data Protection Rights

Through a landmark ruling in 2020, the Brazilian Supreme Court qualified data protection as an autonomous fundamental right, a remarkable shift in how the Supreme Court has been analyzing privacy and data protection. More recently, in 2022, it was inscribed directly in the Brazilian Constitution. 

The road to constitutionalization of data protection rights has its origins in the habeas data and other related rights, such as due process and specific protections for the development of an individual’s personality. However, the LGPD and the 2020 Supreme Court decision are the milestones that consolidated data protection as a separate and independent right from the right of privacy, intimate life and confidentiality. This is relevant because not all personal data is private, much less confidential. 

At the height of the COVID-19 pandemic, the Brazilian Supreme Court was presented with a case that became the most emblematic for data protection in the country so far. By a nearly unanimous 10 votes to 1, the Court halted the effectiveness of the Presidential Executive Order (MP[1] 954/2020) that mandated telecom companies to share data (name, telephone number, address) of more than 200 million subscribers with the Brazilian Institute of Geography and Statistics (IBGE), the country’s agency responsible for performing census research.

The Supreme Court understood that the executive mandate did not include any actual demonstration of necessity and proportionality, nor any provisions about transparency and information security. While LGPD had passed almost two years prior, the law had not yet been enforced by the time of the judgment. 

The Supreme Court decision asserted that, especially in this current age, there is no insignificant data, and the fact that the data requested limited itself to names, home addresses and phone numbers (which are not inherently sensitive) had no bearing on the decision. In other words, the Court understood that personal data deserves protection because of how it is used and not based on specific characteristics of the data itself – whether it is public or classified, trivial or sensitive. The Supreme Court recognizing an autonomous fundamental right to data protection then paved the way for Congress to pass a constitutional amendment including this provision in the Constitution itself, providing another normative layer of protection for citizens in Brazil.

It is yet to be seen how these rights will be properly enforced, as LGPD provides for a number of mechanisms, including monetary fines. For example, the maximum fine allowed by the Brazilian legislation is up to 2% of an entity’s annual revenue, or 50 million reais per infraction. By comparison, the limit is higher than its European counterpart, which is a maximum of 4% of a company’s annual revenue, with a cap of 20 million euros. The application of these parameters is pending as procedures and more concrete standards are still being defined by the oversight body. 

From Normatization to Institutionalization:  Brazilian Data Protection Authority 

To complete a strong framework of data protection, the LGPD proposed an enforcement and oversight mechanism that would also be responsible for harmonizing existing sectoral frameworks, supporting the judicial system, and leading educational initiatives to inform both the public and institutions – the National Data Protection Authority (ANPD) and the Brazilian Data Protection Authority (DPA). However, the ANPD was stripped of its original independence and became a body subordinated to the presidency. That has already created challenges with financial, functional and decision-making independence and sustainability. 

Due to the pressure of civil society, academia and parts of the private sector, a provision was secured indicating that such subordination to the executive would be temporary, with the possibility of ANPD becoming an independent autarchy after two years of its formal installation. 

We are now at the moment to design this crucial spin-off. For that, a provisional measure issued by the executive (yet to be confirmed by Congress, but strongly supported by parties including the private sector) proposes a model to which this renewed and independent ANPD would adhere. This measure is particularly relevant because formal DPA independence is a step towards effective enforcement and protection, and it is one way to avoid political capture of the authority, especially in an election year. 

On top of that, related issues, such as the regulation of AI, are on the agenda of other countries in the Global South (Latin America, Asia, Africa, and Oceania) where common issues of datafication and democracy are taking front stage. 

Therefore, this moment is as exciting as it can be for those closely following these developments in Brazil! 

For those who want to learn more, please join the Data Privacy Global Conference, a two-day seminar organized by Data Privacy Brasil with the support of the Datasphere Initiative and other partners, which will take place in November 2022, in São Paulo, Brazil.