The discussion about a General Data Protection Law in Brazil did not start recently. However, the conditions towards its approval have never been so favorable. The country is walking in a fast pace in such direction due to positive horizons of emerging discussions on this issue, which is opening a cleaner trail for this goal. After a chronological analysis of how the theme has been incubated and gradually gained space on the executive and legislative branches, this is a logical and almost inevitable conclusion.
Timeline of the Brazilian General Data Protection Law
n November 2010, the Brazilian Ministry of Justice, representing the executive branch, planted the seed of this discussion when it launched the first public consultation about the topic.
In 2015, the topic was resumed. A new version of the draft bill on personal data protection was released followed by a new public discussion. After almost six months of public consultation, with more the 1800 suggestions from all over the world, a new version of the draft bill was elaborated with significant changes in comparison to the previous one. This text was sent to the National Congress with few alterations and was received by the House of Deputies on May 12, together with a digital legal legacy left by President Dilma Rousseff before being suspended from office.
Rousseff’s legacy includes the Presidential Decree that further regulates the “Marco Civil da Internet”(Internet Bill of Rights), the National Open Data Policy of databases managed by the Federal Government and the Program “Intelligent Brazil”, aimed at expanding broadband access to the Internet in the country. And the object of our analysis, the former draft bill was transformed into the House of Deputies Bill 5276/2016. Now it competes with two other legislative initiatives, one in progress at the House of Deputies and another one at the federal Senate.
Since June 2012 Bill 4060/2012 about data privacy has been under discussion at the House of Deputies. This bill is deemed to provide a lower level of protection, and has received support from marketing companies and data brokers. Between requests for archiving and unarchiving in 2015, there was a public hearing to assist the Deputies to analyze the bill on the Science, Technology, Communication and Informatics Commission.
On May 4, the deputy-rapporteur presented a report for approval with substitutive amendments. Only in May of this year, the bill has been scheduled for analysis several times, but was always withdraw at the very last minute. The last one happened quite recently on May 24.
In April 2015, Senate Bills 330/2013, 181/2014 and 131/2014 were gathered under the Rapporteur Senate Aloysio Nunes. In October of the same year there was a public hearing to discuss all of them since they had the same object (data privacy). As expected, a single and substitutive project was presented to replace them. For the first time, the Senate has drafted a bill with the characteristics of a General Data Protection Law, very much similar to the 2010 version of the draft bill authored by the executive branch. This substitutive document was then approved by the Science and Technology Commission of the Senate and by the Environment, Consumer Defense, Control and Oversight Commission of the Senate on May 10. The bill now has been forward to the Economic Affairs Commission. If approved, its last stop before being submitted to the Plenary Session is the Justice and Constitution Commission.
This analytical chronological narrative clearly demonstrates that these three regulatory initiatives have substantially advanced – mainly over the last two weeks. As a consequence, personal data protection is definitely on the agenda of the Brazilian National Congress, despite the troubled political and economic scenario of the country.
However, these facts by themselves are not enough to affirm that Brazil is walking towards a General Data Protection Law – or even that there is a cheerful perspective related to it. A last ingredient must be added to seal the overall analysis that leads to those conclusions. A constitutional urgency regime has been attributed to Bill 5276/2016. This means that it will have a shortened legislative procedure, without some regular formalities. It needs to be put to a vote in five sessions of the House of Deputies and must be analyzed simultaneously by all the commissions of the House. In practical terms, the bill must be analyzed in 45 days starting from May 16. If the proposal is not voted on within such period, it will halt all voting procedures of the House until its final appreciation.
If the bill is approved at the House of Deputies, it will be forwarded to the Senate where it will receive the same dynamic procedural. It is important to mention that the current rapporteur of the Senate Bills publicly announced his support of such fast lane. He has asserted that the bill should be voted on shortly, otherwise it might get lost among other bills, which commonly takes place with other important and interesting projects.
In this scenario, Brazil might have its General Data Protection Law approved within the next three months if no surprises take place, such as comprehensive amendments or the constitutional urgency is not withdrawn by the provisional Presidency.
Therefore, after six years since the start of the discussions about a General Data Protection Law; its internalization by both houses of the National Congress through their own legislative initiatives; the revitalization of the debates throughout 2015; the constitutional urgency attributed to one of three initiatives; and the apolitical declarations in favor of the topic, it is possible to conclude without a doubt that Brazil walks in a never before seen pace to finally have a General Data Protection Law.
Authors: Bruno Bioni, Renato Leite Monteiro, CIPP/E, CIPM