Privacy & Information Security Law Blog

Brazilian lawmakers, including José Eduardo Cardozo, the Minister of Justice of Brazil, and Ideli Salvatti, the Secretariat of Institutional Relations, held several consensus-building meetings with party leaders over the past two weeks to reach a voting agreement on the Marco Civil da Internet (“Marco Civil”), a draft bill introduced in the Brazilian Congress in 2011. The Marco Civil would establish Brazil’s first set of Internet regulations, including requirements regarding personal data protection and net neutrality.

As reported by Bloomberg BNA, the Marco Civil was delayed earlier this year over concerns about how the legislation should address revelations regarding the U.S. National Security Agency’s PRISM surveillance program. The government prioritized the bill and introduced new amendments, including a requirement that companies store any type of Brazilian data on servers physically located in Brazil. The new version of the bill also requires express consent for the collection and transfer of personal data and penalties for failure to comply of up to 10% of local revenue or suspension of data collection activities in the country. Several companies have voiced support for the legislation, calling the bill progressive and favorable to innovation. The proposed local server requirement, however, has generated controversy in Brazil, as well as in the international business community. On October 22, 2013, organizations representing a wide array of commercial interests from around the world sent a letter to the Brazilian National Congress to express opposition to the proposal, indicating that the data center requirement would have unintended economic consequences.

On November 7, 2013, Brazil and Germany presented a resolution to the United Nations General Assembly urging countries to extend privacy rights to all individuals and calling for an end to undue electronic spying.

In addition to the Marco Civil, a personal data protection bill also is in the works in Brazil and is expected to be addressed by the Brazilian Congress after the Marco Civil passes. As reported by Bloomberg BNA, the data protection bill is very similar to the EU Data Protection Directive 95/46/EC, with some additions derived from Canadian data protection law. Recent drafts of the bill include an EU-style adequacy standard that would prohibit data transfers outside of Brazil unless the recipient country ensures an adequate level of data protection.