By Leonardo Neri
Law No. 13,709/2018 provides for the processing of personal data. The law presents rules to regulate how individuals' personal data can be stored by other individuals or even companies.
The scope of the Act is to protect the fundamental rights of privacy and freedom, as well as the free development of the personality of a natural person.
Nowadays, one characteristic of the services offered by modern companies is the constant collection of users' personal data. As an example, we can mention the databases of information recorded by social networks such as Facebook, Instagram and WhatsApp, among others. Thus, every online interaction usually involves some data collection.
The reason for such concern on the part of the legislator is that such data have high economic value, as they define consumption, political, behavioral and even religious trends, serving to direct strategic action by a given player in their respective market niche.
The issue became widely known to society when data from millions of Facebook users was leaked to the political marketing company Cambridge Analytica, which worked on the election campaign of US President Donald Trump. In Brazil, data leaks were also detected, but on a smaller scale. It was in this context that Law No. 13,709/2018 was enacted nationwide, following the already enacted General Data Protection Regulation (GDPR), legislation drafted by the European Union that establishes rules on how companies and public bodies should handle personal data.
Initially, personal data processing should be understood as any “movement” made with said data. As an example, consider that a research company collects personal data from consumers present at a survey carried out at a certain commercial establishment. This company then trades this data to another marketing company. The marketing company then enters into a contract with another organization to filter, analyze and classify the same data. With these results, the marketing company sells the said information to an agent in the tourism industry. In the example given, all companies were involved in the processing of personal data.
Thus, the concept of personal data processing encompasses any and all operations carried out with personal data. This includes conduct carried out with such raw material, to the detriment of the protection specified by the law, named as grounds. Based on this premise, the table below sets this out for better elucidation:
PROCESSING OF PERSONAL DATA

| Conducts | Main Personal Data | Fundamentals |
| --- | --- | --- |
| Production | Name of a natural person | Respect for privacy |
| Collection, classification | ID number | Informational self-determination |
| Reception, access | CPF number | Freedom of expression |
| Use, reproduction | Profession | Inviolability of privacy |
| Distribution, transmission, processing | Marital status | Economic and technological development |
| Archiving, storage | Level of Education | Free enterprise |
| Elimination, evaluation and control | Curriculum vitae | Human rights |
| Modification, diffusion and extraction | Affiliation | Free competition |
| Communication and transfer | Nationality | Consumer protection |
Having gained an understanding of the scope of the concept that guides the standard and of the main parameters involved, it is worth highlighting the conditions of applicability of the Law, which will come into force in February 2020:
APPLICABILITY OF THE LAW

| Law Applicable | Law Not Applicable |
| --- | --- |
| Any personal data processing operation regardless of the means, the country of its headquarters or the country where the data are located | Carried out by a natural person for exclusively private and non-economic purposes |
| Personal data must be collected in Brazil | Made for exclusively: a) journalistic and artistic purposes; or b) academics (only articles 7 and 11 of the Law apply) |
| The processing activity that has been carried out outside Brazil, but has the objective of offering or providing goods or services or processing data of individuals located in the national territory | Carried out for the exclusive purposes of: a) public security; b) national defense; c) state security; or d) activities of investigation and prosecution of criminal offences |
| Example: Registration on Facebook or other foreign websites, but which use this data to sell products here in Brazil | Originating from outside the national territory and which are not the object of communication, shared use of data with Brazilian processing agents or the object of international data transfer with a country other than the country of origin, provided that the country of origin provides a level of personal data protection appropriate to that provided for in this Law. |
In Brazil, the topic is currently addressed more directly in the Internet Civil Rights Framework, and even then not through direct rules, but through principles – an indirect way, so to speak, of regulating a given subject. The entry into force of the national law, due to the way in which the GDPR was established, will strengthen the country's interest in also becoming part of the Organization for Economic Cooperation and Development (OECD), an entry that requires Brazil to comply with digital security rules that will be provided by the New Data Law.
Therefore, in general terms, the new Law aims to maximize the control that data subjects have over their personal data, as well as to become effective through the application of sanctions that actually impact companies' budgets, as will be seen in the following articles. Furthermore, the rule presents the aforementioned concepts that must be followed by all private and public bodies that maintain, collect, store, sell or otherwise process personal data acquired within the national territory. The following text will discuss in detail the principles and requirements that underpin the processing of personal data.