When faced with a crisis, which regulatory bodies must be notified and what is the relevant legislation?
- On discovering a data breach, which regulators or other government agencies should be notified?
Federal Law No. 13.709 of 2018 (the General Law for the Protection of Personal Data) will come into force in February 2020 and will serve as the legal framework for data protection in Brazil, which so far has none.
Although this new law is a step forward for data protection, the presidential vetoes applied to it have drawn some criticism. Among others, the vetoed provisions included those creating a National Council for the Protection of Personal Data and Privacy and a regulatory body (the National Protection Authority of Personal Data), both of which would have helped to enforce the new law.
At this point in time, the Prosecutor Office for the Federal District and the Territories has informally created Commissions for Personal Data Protection. Among other functions, such commissions will be in charge of: (i) promoting and encouraging the protection of personal data, in accordance with the new legislation; (ii) suggesting guidelines for a national policy for the protection of personal data and privacy; (iii) promoting studies on national and international practices for the protection of personal data and privacy; (iv) receiving communications on the occurrence of any security incident that could lead to a risk or a material injury to data holders; (v) suggesting the adoption of binding corporate rules (BCRs) for the purpose of international data transfer; and (vi) suggesting the adoption of standard contractual clauses for international data transfer purposes.
In addition, other authorities will be directly involved in the regulation, supervision and investigation of data breach cases. Pursuant to Law No. 9.472 of 1997 and Law Decree No. 8.711 of 2016, Agência Nacional de Telecomunicações – ANATEL (the National Telecommunications Agency) should communicate any occurrence involving data protection to the Public Prosecutor Office.
On the other hand, according to Law No. 8.078 of 1990, whenever there is a consumer relationship between the parties involved in a data breach, the Consumer Protection Officer (PROCON) should be notified.
With regard to cyber crimes, the local police or the federal police can be notified whenever a violation of data protection occurs. Moreover, there is also a Brazilian civil association engaged in the prevention of cyber crimes, named Safety Brazil (www.safernet.org.br), which has signed cooperation agreements with local governmental institutions for this purpose.
What legislation, relating to both criminal offences and civil wrongs, covers such a breach?
The main legislation in Brazil concerning criminal offences and civil wrongs is as follows:
- The Federal Constitution (article 5, X and XII) – protects the rights related to privacy, prohibiting the invasion of domicile and the violation of correspondence.
- The Federal Constitution (article 5, item LXXII) – sets forth habeas data as a constitutional remedy to guarantee citizens' access to personal data and information that are under the control of the Brazilian State or private entities.
- Law No. 8.078 of 1990 (the Consumer Protection Code) – provides that consumers have access to the information contained in records and personal data files about them, including the consumer data filed, as well as to their respective sources.
- Law No. 12.414 of 2011 – establishes the limits that must be observed in the creation of information databases intended to build an individual's credit history.
- Law No. 12.527 of 2011 (the Law on Access to Information) – regulates access to personal information.
- Law No. 12.965 of 2014 (the Internet Regulatory Act) – regulates issues related to privacy and data protection, albeit incompletely.
- Law No. 12.737 of 2012 (the Cyber Crimes Law) – regulates cyber crimes.
- Law No. 13.709 of 2018 (effective in 2020) – will provide the new regulatory framework for the protection of personal data.
- What agencies have the power to conduct dawn raids on private sector companies? What legislation gives those agencies the power to undertake those inspections?
Pursuant to Decree No. 3.689 of 1941, as modified (the Brazilian Code of Criminal Procedure), "dawn" raids ("busca e apreensão") on private sector companies are conducted by the Federal or the State Police and/or by members of the judicial authority, upon the issuance of an order by the competent judicial authority. Furthermore, according to the Brazilian Code of Criminal Procedure, the seizure of documents can only be carried out by the judicial authority or by the police in compliance with a judicial order.
On what bases, including privilege and / or confidentiality, may such a company refuse to permit the seizure of documents?
Once a judicial order has been issued, the company involved cannot refuse to permit the seizure of documents. In such a case, however, the company may request that the competent judicial authority declare the seized documents confidential.
- What are the circumstances under which an employee is entitled to protection when reporting an alleged wrongdoing?
In all circumstances, the employee will be entitled to protection when reporting an alleged wrongdoing by the company or by another employee.
- What legislative protection does that employee enjoy?
There is no specific protection for the reporting employee in the current legislation. Law No. 12.846 of 2013, however, sets forth that a mechanism for reporting wrongdoing established by a company will be taken into account in reducing the penalty to be imposed in a corruption case. Most companies have anonymous hotlines for this purpose.
Anti-bribery & Corruption
- What are the main anti-corruption laws and regulations in your jurisdiction?
Law No. 12.846 of 2013.
Law No. 13.303 of 2016.
- Does the legislation have extra-territorial effect?
Yes. The purpose of Law No. 12.846 of 2013 is to establish the liability of any legal person (including foreign companies that have their headquarters, a branch or a representation in Brazilian territory, whether constituted in fact or under the law, even on a temporary basis) for the practice of acts against the public administration, whether national or foreign.
- What are the main enforcement bodies?
The main enforcement bodies are (i) the Federal Comptroller Office ("Controladoria Geral da União"), which is responsible for the defence of public assets and for the prevention of white collar crime and corruption (administrative proceedings); and (ii) the Public Attorney Offices.
- Is there any duty to report the issue, for example to a regulator?
The disclosure of irregularities to a government authority is required whenever the applicable legislation or the company's code of conduct provides for it.
What is the protection from disclosure for documents generated as part of the investigation (for example, privilege)?
The documents generated as part of the private investigation will be deemed confidential and intended only to be used by the directors and officers of the company.
- Is the advice given by an in-house lawyer in relation to the investigation privileged and / or confidential?
Yes. As a general policy under the rules of the Brazilian Bar Association, lawyers are required to maintain professional secrecy about matters related to their clients at all times. The advice given by an in-house lawyer in relation to an investigation will be confidential and intended only to be used by the directors and officers of the company.
HOTLINE – contact details
Phone Number: 55-31-3116-1500
PINHEIRO, MOURÃO, RASO E ARAÚJO FILHO ADVOGADOS