On 10 February 2022, Brazil further declared its profound commitment to building a robust data protection framework by amending its Federal Constitution and including the right to data protection within a group of nearly eighty explicit fundamental rights and freedoms. Along with several other initiatives aiming to solidify its data protection framework, the constitutionalisation of the right to data protection brings Brazil closer to obtaining a favourable adequacy decision from the United Kingdom, in line with Article 45 of the UK GDPR.
Paving its Way to an Adequacy Decision
Moving steadily since the promulgation of the Federal Constitution in 1988 and more expeditiously in the last quadrennial, the country has been taking resolute steps to ensure that the Brazilian legal system in general and its data protection framework more specifically are capable of affording an adequate level of data protection to data subjects.
Constitutionalisation of the right to data protection
An explicit right to data protection, distinct from the right to privacy, was not included in the original text of the Federal Constitution. The recent constitutional amendment, building on a landmark decision given by the Brazilian Supreme Court in 2020 which recognised the implied existence of such fundamental right, enhances legal certainty and unambiguously ensures that the now explicit right to data protection is protected not only by the highly qualified majority which is required for the amendment of general constitutional provisions but by an additional constitutional layer that prohibits any deliberation attempting to abolish individual rights.
Enactment of Brazil’ first ever General Data Protection Law (Lei Geral the Proteção de Dados – LGPD)
Replacing scattered legislation, the LGPD obtained presidential sanction in August 2018 and became Brazil’s first comprehensive data protection law, progressively coming into force by August 2021. The law, which is comprised of 65 articles divided into ten chapters, adopts a broad range of concepts and principles that, whilst not entirely replicating those of the UK GDPR, are clearly consistent with its core.
Consciously departing from the UK GDPR in other aspects, the LGPD lays down 10 grounds under which processing of personal data shall be lawful, five of which are essentially identical to those found in Article 6 of the UK GDPR. Rather than raising concerns regarding whether the LGPD adopted such a permissive approach towards data processing as to essentially depart from a level of protection that can be considered equivalent to that of the UK GDPR, however, the additional grounds, when closely viewed, can suitably fit within the broad grounds of public task and legitimate interest and thus be regarded as adequate.
The LGPD also ensures a breadth of data subject rights overall similar to that established in the UK GDPR. However, despite its readiness in demanding controllers to comply with the right of access within a maximum of 15 days from the date of request, the LGPD left to future regulation, to this date not enacted, the stipulation of time limits for responding to requests pertaining to other rights. As an intrinsic part of any adequate legal framework, it remains to be seen whether these future time limits will provide a level of protection to data subjects essentially equivalent to that of the UK GDPR.
Everlasting attempt to improve the effectiveness of procedural mechanisms for judicial redress
Underpinned by several constitutional guarantees, which include assuring litigants in judicial proceedings an adversary system and a full defence with the means and recourses inherent therein as well as assuring the end of judicial proceedings within a reasonable time and the means to guarantee that they will be handled speedily, the protection of data subjects rights is ensured in the Brazilian legal system via the application of distinct procedural laws that afford effective mechanisms for both individual and collective redress. The country’s legal system also offers the constitutional writ of habeas data, a highly praised remedy in the adequacy decisions given to its neighbours Argentina and Uruguay.
Despite the many challenges and shortcomings that Brazil faces in terms of judicial celerity and effectiveness, the existing mechanisms for redress afforded by the developing country’s legal system, coupled with many the many recent initiatives conceived to expedite the delivery of justice (e.g., the massive national initiative to virtualise all judicial processes, the pre-trial emphasis on alternative means of conflict resolution such as conciliation etc.), seem broadly capable of providing an adequate level of protection to data subjects.
Restricting access of public authorities to personal data
Following the promulgation of the Federal Constitution in 1988, several federal laws were enacted granting to certain public bodies, for public security, defence, national security and criminal law purposes, access to personal data held by commercial companies with respect to their customers. In the early days, when these laws were challenged from a constitutional standpoint, the Brazilian Supreme Court was not adequately resourced to rule against them, in light of the inexistence of an autonomous right to data protection and of the very limited protection that the existing right to privacy offered against those laws.
Since the Court’s 2020 landmark ruling recognising an autonomous right to data protection, the scenario has substantially changed. A recent trend indicates that, in the balance between the right to data protection and interests of national importance (public security, defence, national security and criminal law), the latter will only prevail upon surviving a rigorous scrutiny in terms of necessity, adequacy and proportionality. In this regard, the limitations placed the access of public authorities to personal data seems to afford a more than adequate level of protection to data subjects.
Ensuring the existence of an independent supervisory authority?
The Brazilian National Supervisory Authority (Autoridade Nacional de Proteção de Dados – ANPD) was created as an entity of the federal public administration that is an integral part of the Presidency of the Republic. Even though the LGPD authorised the transformation of the ANPD into a public entity endowed with administrative and financial autonomy, this has not occurred to this date, which could raise concerns in regard to its true independent nature.
Nevertheless, a similar absence of administrative and financial autonomy was also present in their legal system at the time when both Argentina and Uruguay were assessed and subsequently awarded an adequacy decision. In the Brazilian case, additional guarantees were provided by the LGPD with the aim of minimising questions relating to lack of independence, which include guaranteeing the ANPD’s technical and decision-making autonomy, subjecting to the scrutiny of Federal Senate all presidential nominations to the ANPD’s Board of Directors and strictly limiting the circumstances in which members of the Board of Directors are allowed to be removed from Office. Unless the ANPD adopts, in the months and years to come, positions that call into question its true independence from the government, it appears unlikely that the statutory footing given to the national supervisory authority would jeopardise Brazil’s chances of obtaining a favourable adequacy decision.
Adhering to international commitments that cover data protection
Despite not adhering to the 1981 Convention 108 of the Council of Europe and, in that regard, divorcing itself from its neighbours Argentina and Uruguay, Brazil is a signatory to the 1948 Universal Declaration of Human Rights (UDHR) and to the International Covenant on Civil and Political Rights (ICCPR). At a continental level, in addition to being party to the 1969 American Convention of Human Rights (Pacto de San José da Costa Rica), Brazil has since 1998 accepted the jurisdiction of the Inter-American Court of Human Rights. These international commitments should further signal Brazil’s profound commitment to respecting the data protection rights of individuals.
Practical impact of an Adequacy Decision in the relationship between UK and Brazil
In light of all the initiatives shown in creating a robust data protection framework, Brazil will likely obtain a favourable adequacy decision from the United Kingdom, in line with Article 45 of the UK GDPR.
The United Kingdom and Brazil have a strong economic relationship, with total trades (including imports and exports as well as goods and services) standing at £6 billion and over 800 British companies operating in Brazil in 2020. It thus comes with no surprise that the UK Government considers Brazil one of the top priorities when it comes to the adequacy process.
An adequacy decision, if awarded to Brazil, could further bolster the economic relationship between the two countries by way of reducing bureaucracy, enhancing legal certainty using international data transfers to leverage modern day business and financial transactions. By allowing personal data to freely flow from the UK to Brazil, an adequacy decision would, in a practical sense, assimilate such transfers to internal transmissions of data, without any further requirement for adequate safeguards under Article 46 (e.g., Standard Contractual Clauses or Binding Corporal Rules) or specific derogations under Article 49 (e.g., express consent).