Monday, August 27, 2018

Comparing informed consent in the Brazilian Data Protection Law and in the GDPR: What Is the Status of Opt-Out in Brazil?


On August 14th 2018, the new Brazilian Data Protection Law was approved, and it seems very much inspired by the General Data Protection Regulation (GDPR). In this and the following posts, I intend to analyse their similarities and differences, especially the practical consequences of their differences.

For those unfamiliar with the topic, the GDPR is the European Union's (EU) new legal framework for the protection of personal data. The GDPR brought significant changes to the old regime (which was regulated by Directive 95/46/EC), and companies worldwide had to invest time and money to adapt to the new regime. In this blog you will find other posts about the GDPR. My PhD is in the field of data privacy, and as my legal training was in Brazil, I found it important to compare both regimes.

In this post I would like to focus on the issue of informed consent, which is a central element of both laws as a ground for the lawful collection and processing of personal data. In Brazil, informed consent is the first possibility (out of ten) mentioned in Article 7 for the processing of personal data, and in the EU it is also the first possibility (out of six) mentioned in Article 6, which deals with the grounds for lawful processing of personal data.

The definition of informed consent in the Brazilian law is similar to that of the EU. Compare the two:

Brazilian law:
Art. 5 (XIV) consent: free, informed and unequivocal manifestation by which the holder agrees with the treatment of his personal data for a determined purpose;

GDPR:
Article 4 (11): ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

An immediate analysis highlights the absence of the terms "specific" and "by a statement or by a clear affirmative action" in the Brazilian definition. Already in the definition, the GDPR seems to make clear its preference for opt-in ("clear affirmative action"). In addition, the advisory board Article 29 Working Party (replaced by the EDPB in May 2018) expressly stated in its opinion adopted on April 10th 2018 that:

"This means, a controller that seeks consent for various different purposes should provide a separate opt-in for each purpose, to allow users to give specific consent for specific purposes." (p.12) 
"Without prejudice to existing (national) contract law, consent can be obtained through a recorded oral statement, although due note must be taken of the information available to the data subject, prior to the indication of consent. The use of pre-ticked opt-in boxes is invalid under the GDPR. Silence or inactivity on the part of the data subject, as well as merely proceeding with a service cannot be regarded as an active indication of choice." (p.16)

Turning now to the Brazilian law, it brings another descriptive element of consent in its Article 8:

Article 8. The consent foreseen in the item I of the Art. 7 of this Law must be provided in writing or by other means that demonstrate the expression of will of the holder.

Even in writing, a pre-filled field on a form is able to demonstrate the individual's manifestation of will, since by clicking "ok" he is consenting. The Brazilian law therefore makes no specific mention of an active manifestation by the data subject, and to my knowledge there are no additional documents or advisory boards that have commented on the opt-in/opt-out issue.

My main question here is: in practice, is opt-out valid in Brazil? Many surveys today show the importance of defaults and how sticky they are (in the sense that the average user rarely changes the default settings in a device/application). Therefore, a default that is not privacy-protective, even if it has the opt-out function (i.e. the user is free to unclick the field that is already filled), will statistically tend to remain a non-protective configuration, as the user will probably not change it.

A discussion that may at first seem merely grammatical, comparing the definitions of consent in the two laws, turns out to have a much larger dimension, one that can directly affect the level of data protection received by data subjects in Brazil vs. in the EU.

These and other points of doubt in the new Brazilian law should be discussed as soon as possible so that the Brazilian data subject can benefit from a secure and privacy-protective online environment.

*

If you have any contribution to the topic, feel free to comment below.

Best,

Luiza Jarovsky
Lawyer and PhD Fellow Researching Data Privacy
about.me/luizajarovsky
