Monday, August 27, 2018

Comparing informed consent in the Brazilian Data Protection Law and in the GDPR: What is The Status of Opt-Out in Brazil?

[To read this post in Portuguese, click here]

On August 14th 2018, the new Brazilian Data Protection Law was approved, and it seems very much inspired by the General Data Protection Regulation (GDPR). In this and in the following posts, I intend to analyse their similarities and differences - specially the practical consequences of their differences.

For those unfamiliar with the topic, the GDPR is the European Union's (EU) new legal framework for the protection of personal data. The GDPR brought significant changes to the old regime (which was regulated by the Directive 95/46/EC) and companies worldwide had to invest time and money to adapt to the new regime. In this blog you will find other posts about the GDPR. My PhD is in the field of ​​data privacy, and as my legal training was in Brazil, I found it important to compare both regimes.

In this post I would like to focus on the issue of informed consent, which is a central element for both legislations as hypothesis of lawful collection and processing of personal data. In Brazil, informed consent is the first possibility (out of ten) mentioned in Article 7 for the processing of personal data and in the EU it is also the first possibility (out of six) mentioned in Article 6, which deals with the hypotheses of lawful processing of personal data.

The definition of informed consent in the Brazilian law is similar to that of the EU, take a look below:

Brazilian law:
Art. 5 (XIV) consent: free, informed and unequivocal manifestation by which the holder agrees with the treatment of his personal data for a determined purpose;
Article 4 (11): ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
An immediate analysis highlights the absence of the terms "specific" and "by a clear statement or affirmative action" in the Brazilian definition. The GDPR already in the definition seems to make clear its preference for opt-in ("clear affirmative action"). In addition, the advisory board Article 29 Working Party (since May 2018 replaced by the EDPB) expressly mentioned in this opinion adopted on April 10th 2018 that:

"This means, a controller that seeks consent for various different purposes should provide a separate opt-in for each purpose, to allow users to give specific consent for specific purposes." (p.12) 
"Without prejudice to existing (national) contract law, consent can be obtained through a recorded oral statement, although due note must be taken of the information available to the data subject, prior to the indication of consent. The use of pre-ticked opt-in boxes is invalid under the GDPR. Silence or inactivity on the part of the data subject, as well as merely proceeding with a service cannot be regarded as an active indication of choice." (p.16)

Turning now to the Brazilian law, it brings another descriptive element of consent in its Article 8:

Article 8. The consent foreseen in the item I of the Art. 7 of this Law must be provided in writing or by other means that demonstrate the expression of will of the holder.
Even in writing, a pre-filled field on a form is able to demonstrate the individual's manifestation of will, since by clicking "ok" he is consenting. Therefore, the Brazilian law makes no specific mention of an active manifestation of the data subject, and to my knowledge there are no additional documents or advisory boards that have commented on the opt-in/opt-out issue.

My main question here is: in practice, is opt-out valid in Brazil? Many surveys today show the importance of defaults and how sticky they are (in the sense that the average user rarely changes the default settings in a device/application). Therefore, a default that is not privacy-protective, even if it has the opt-out function (i.e. the user is free to unclick the field that is already filled), will statistically tend to remain a non-protective configuration, as the user will probably not change it.

A discussion that may seem merely grammatical in the beginning, comparing the definitions of consent in both legislations, ends up bringing a much larger dimension that can directly affect the level of data protection received by data subjects in Brazil vs. in the EU.

These and other points of doubt in the new Brazilian law should be discussed as soon as possible so that the Brazilian data subject can benefit from a secure and privacy-protective online environment.


If you have any contribution to the topic, feel free to comment below.


Luiza Jarovsky
Lawyer and PhD Fellow Researching Data Privacy

Brazil and EU


  1. Great post i must say and thanks for the information. Education is definitely a sticky subject. However, is still among the leading topics of our time. I appreciate your post and look forward to more. tissage bresilien

  2. Accumulation of data additionally happens through Visa handling or other outsider applications got to through your site;

  3. It likewise goes about as a controller for the police power so they can work inside the law and avoid defilement inside the power. what to do after a slip and fall accident

  4. Notwithstanding when you have not acted illegal, you may need to realize the law so as to shield yourself from individuals who may abuse the offices of thomas nowland

  5. Your blog has piqued a lot of real interest. I can see why since you have done such a good job of making it interesting. I appreciate your efforts very much. Global Data Protection Management System (GDPMS)

  6. It is essentially outlandish for privateers to recognize a particular number when there are actually billions of potential mixes. anti piracy security

  7. This won't last all through the length of your fight in court, in any case, so you should discover a method for holding a criminal law lawyer of your own before your preliminary starts. link

  8. Since the circumstance emerged out of the carelessness of somebody, it just ends up proper that you require some pay for the harm caused. website

  9. More often than not, the costs of resolving a problem are far greater than the costs of preventing the problem. Prevention, as they say, is always better than cure. So hire a lawyer and hire a good one.

  10. Prevention of ward under the English Law and EC law: Under the customary English law, when the court winds up to be the more fitting discussion it might allow an enemy of suit order for example an order limiting a gathering from organizing or seeking after procedures in another court, which is by and large looked for by respondents in unfamiliar procedures asking that the issue be chosen in England where the justification for directive can include: unseemly conduct, finishes of equity and legally binding reasons for example mediation arrangement. Personal Injury Attorney

  11. Pretty good post. I just stumbled upon your blog and wanted to say that I have really enjoyed reading your blog posts. Any way I'll be subscribing to your feed and I hope you post again soon. Big thanks for the useful info. Lease review lawyer

  12. When it comes to divorce, there is not just one way to divorce. Parties can choose to each hire a lawyer to represent them during the divorce process David Karp

  13. I wanted to thank you for this great read!! I definitely enjoying every little bit of it I have you bookmarked to check out new stuff you post. Ottawa law firms

  14. This is my first time i visit here. I found so many interesting stuff in your blog especially its discussion. From the tons of comments on your articles, I guess I am not the only one having all the enjoyment here keep up the good work Safe driving tips Bellevue WA

  15. This is such a great resource that you are providing and you give it away for free. I love seeing blog that understand the value of providing a quality resource for free. Bicycle accident lawyer

  16. Extremely useful information about data protection law which you have shared here.
    Employment attorney ohio

  17. Very informative post! There is a lot of information here that can help any business get started with a successful social networking campaign. custody lawyer phoenix

  18. I think this is an informative post and it is very useful and knowledgeable. therefore, I would like to thank you for the efforts you have made in writing this article. law tutor in london

  19. This is my first time i visit here. I found so many interesting stuff in your blog especially its discussion. From the tons of comments on your articles, I guess I am not the only one having all the enjoyment here keep up the good work securities fraud attorneys

  20. I also hate to have to clean up a mess made by another lawyer. It is much easier to assist a client and avoid potential problems than it is to repair damage from choosing the wrong lawyer.