Personality Rights in Brazilian Data Protection Law: A Historical Perspective
All content following this page was uploaded by Rafael A. F. Zanatta on 01 December 2022.
Marion Albers, Ingo Wolfgang Sarlet (Editors)
Personality and Data Protection Rights on the Internet: Brazilian and German Approaches
Ius Gentium: Comparative Perspectives on Law and Justice, Volume 96
Series Editors
Mortimer Sellers, University of Baltimore, Baltimore, MD, USA
James Maxeiner, University of Baltimore, Baltimore, MD, USA
Editorial Board
Myroslava Antonovych, Kyiv-Mohyla Academy, Kyiv, Ukraine
Nadia de Araújo, Pontifical Catholic University of Rio de Janeiro, Rio de Janeiro,
Brazil
Jasna Bakšic-Muftic, University of Sarajevo, Sarajevo, Bosnia and Herzegovina
David L. Carey Miller, University of Aberdeen, Aberdeen, UK
Loussia P. Musse Félix, University of Brasilia, Federal District, Brazil
Emanuel Gross, University of Haifa, Haifa, Israel
James E. Hickey Jr., Hofstra University, South Hempstead, NY, USA
Jan Klabbers, University of Helsinki, Helsinki, Finland
Cláudia Lima Marques, Federal University of Rio Grande do Sul, Porto Alegre,
Brazil
Aniceto Masferrer, University of Valencia, Valencia, Spain
Eric Millard, West Paris University, Nanterre Cedex, France
Gabriël A. Moens, Curtin University, Perth, Australia
Raul C. Pangalangan, University of the Philippines, Quezon City, Philippines
Ricardo Leite Pinto, Lusíada University of Lisbon, Lisboa, Portugal
Mizanur Rahman, University of Dhaka, Dhaka, Bangladesh
Keita Sato, Chuo University, Tokyo, Japan
Poonam Saxena, University of Delhi, New Delhi, India
Gerry Simpson, London School of Economics, London, UK
Eduard Somers, University of Ghent, Gent, Belgium
Xinqiang Sun, Shandong University, Shandong, China
Tadeusz Tomaszewski, Warsaw University, Warsaw, Poland
Jaap de Zwaan, Erasmus University Rotterdam, Rotterdam, The Netherlands
Ius Gentium is a book series which discusses the central questions of law and
justice from a comparative perspective. The books in this series collect the
contrasting and overlapping perspectives of lawyers, judges, philosophers and
scholars of law from the world’s many different jurisdictions for the purposes of
comparison, harmonisation, and the progressive development of law and legal
institutions. Each volume makes a new comparative study of an important area of
law. This book series continues the work of the well-known journal of the same
name and provides the basis for a better understanding of all areas of legal science.
The Ius Gentium series provides a valuable resource for lawyers, judges,
legislators, scholars, and both graduate students and researchers in globalisation,
comparative law, legal theory and legal practice. The series has a special focus on
the development of international legal standards and transnational legal
cooperation.
This Springer imprint is published by the registered company Springer Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Personality Rights in Brazilian Data
Protection Law: A Historical Perspective
Abstract This chapter traces the influence of personality rights and European legal
thought in the development of data protection law in Brazil. We argue that the
Brazilian Data Protection Law enacted in 2018 is grounded on a solid legal tradition
of civil law. In order to demonstrate this argument we trace how Brazilian lawyers
took advantage of European legal thought in the 20th century and how the concept
of personality rights was intellectually constructed. We also argue that personality
rights had an important role in legal struggles during the Brazilian civil-military
dictatorship (1964–1985). The chapter also presents new data about the history of
data protection in Brazil.
1 Introduction
The enactment of the first Brazilian data protection legislation in August 2018 was
the culmination of a process dating back to 2010, when earlier versions of its text were
submitted to public comments on the Internet. First conducted by the federal government
and later by the Brazilian parliament, the development of the text received
reasonable feedback from society following a path already taken by another piece
of legislation, the Internet Civil Rights Framework (known as the Marco Civil da
Internet1). Both these statutes form the backbone of the Brazilian legal framework
for the information society, together with other legislation regarding issues ranging
from access to information to intellectual property.
D. Doneda
Public Law Institute of Brasília (IDP), Brasília, Brazil
R. A. F. Zanatta (B)
University of São Paulo, São Paulo, Brazil
1 Law 12.965 of 2014.
The particular kind of collaborative process which resulted in the General Data
Protection Law (known as LGPD2) and the Marco Civil made both of them particularly
sensitive to some demands from society, which contributed to their final text.
However, while the Marco Civil was a brand-new framework built almost from
scratch and from references to specific topics—there was no other law of this kind,
combining privacy, net neutrality, and intermediary liability—, LGPD had a previously
existing set of legal frameworks to relate to. Data protection is currently a
well-established legal subject and field in several other legal systems—particularly
the continental European legal system, from which the Brazilian one derives—with
its own set of concepts and standards which are much easier and more rational to
adapt to than to contrast.
In this sense, the process that resulted in LGPD took into consideration not merely
the need to include data protection concepts and standards in Brazilian law but also
the dialogue with current Brazilian legislation and legal tradition. We argue that the
rationale of data protection, which is the protection of citizens regarding the possible
effects of the processing of their data, is coherent with the tradition of personality
rights, already well-established in Brazilian law.3 We therefore aim to identify the
significance of personality rights in the shaping of the new legislation, in historical
perspective, and to stress the intersection points between LGPD provisions and
personality rights, recognizing that the strength of this relationship is very important
for a complete and necessary translation of the dogmatics of data protection (fairly
new to the country’s legal tradition) into the Brazilian legal framework.
Personality rights play a key role in the structuring and shaping of the Brazilian data
protection framework. This section explores aspects of the history of Brazilian private
law, the influence of European legal thinking on Brazilian legal scholarship during
the nineteenth and twentieth centuries, and the challenges of protecting individuals
during the civil-military government (1964–1985). We argue that the constitution of
1988 was influenced by previous struggles for the right to privacy and the doctrine
of personality rights.
It is difficult and tricky to compare legal systems.4 Despite their similarities, the task
of comparing the Brazilian and the European systems must also take into account that
there is no complete singularity and uniformity in European Union law. However, it
might be useful to bring back Rodolfo Sacco’s methodological approach of “legal
formants”5 to discuss “hidden similarities” and “metalegal formants” present in the
Brazilian legal system. As advocated by Sacco, comparative approaches to legal
studies should focus not only on written law and explicit legal rules, but should aim
at “highlighting structural regularities that would otherwise pass unobserved.”6
Instead of speaking of legal rules, according to Sacco, “we must talk instead
of the rules of constitutions, legislatures, courts, and, indeed, of the scholars who
formulate legal doctrine.”7 By applying this methodology to personality rights and
personal data protection, this means that we should move beyond a mere description
of rules and the topography of law. We must evaluate the consistency of what is in
the code compared to what the courts apply (law in books vs. law in action) and the
legal formants, that is the living law, which is, in a sense, underground and barely
seen, and consists of statutory rules, the formulations of scholars (and their main
intellectual inspirations), and the decisions of judges. As argued by Sacco, a merely
topographic analysis of law (e.g. the differences between Codes or positive law) does
not take into account the deep structures of legal thinking, like the role of scholarship
in decision-making and the interplay between the knowledge produced by courts in
the process of ruling on a hard case and the positive law.
One important feature of the Brazilian legal system is the adoption of the civil
law tradition and the codification of private law that culminated in the first Brazilian
Civil Code of 1916, which was highly influenced by the European legal tradition and
the work conducted by French, German, and Italian legal elites. Nevertheless, the
role and meaning of civil codes changed substantially during the twentieth century.
Judith Martins-Costa, writing in 1998, claimed that the Civil Code does not have
as a paradigm the structure of a “perfect model designed by the wise” capable of
predicting all kinds of fattispecie (an ensemble of factual elements that are governed
by a certain legal norm) and following sets of beliefs of nineteenth-century jurists.
The inspiration for contemporary civil codes, according to Martins-Costa, is clearly
the “open models” of constitutions, with the adoption of open clauses (cláusulas
gerais). In any case, if we consider the historical development of Brazilian private
law, the influence of the “codification movement” proves to be strong. Caio Mario da
Silva Pereira, one of the leading private-law jurists in the twentieth century, stresses
the importance of the open model and, after recognizing the importance of the codifications
in Prussia, France, and Austria in the late eighteenth and early nineteenth
centuries in his work “Instituições de Direito Civil,” observed that “the establishment
of codified principles”8 allows law to evolve through systematic reasoning and legal
interpretation.
The Brazilian legal system was strongly influenced by the colonial Portuguese
legal model and the regulation of public and private life through the Ordenações. Even
after the Declaration of Independence in 1822, legal and political elites sustained the
enforcement of the Ordenações Filipinas and began considering the enactment of a
Civil Code.9 However, according to Caio Mario da Silva Pereira, the turning point
was the decision of the imperial government in 1855 to consolidate Brazilian civil
law. Augusto Teixeira de Freitas worked on this project from 1859 to 1867 and
delivered his draft of the Civil Code, strongly influenced by concepts developed in
German legal theory.10 This Draft was divided into a general part and a special one.
Dogmatics began to play a new role with the theoretical work Consolidação das
Leis Civis written by Teixeira de Freitas. In this influential work of dogmatics and
private law, Teixeira de Freitas made a clear distinction between direitos reais (legal
relationships between a person and a thing) and direitos pessoais (legal relationships
among people). Even if his framework did not reach what we would later identify as
personality rights, whose conceptualization was still at a very early stage at that time,
the notion of an obligation of satisfaction or compensation if personal rights were
violated or offended was to become the general concept that would be associated
with several legal instruments aimed to protect the individual.
It is not our goal to provide a history of personality rights in Brazil. We would
like to stress, instead, that personality rights were influenced by this dual movement:
the codification that started with Teixeira de Freitas and culminated with the Civil
Code of 1916 and the role of “legal dogmatics”11 in civil law, highly influenced by
German legal theory in the beginning, and later by Italian and French civil law.12
These elements are part of the Brazilian “legal formants” and must be considered in
any comparative analysis.
According to Orlando Gomes, Brazilian jurists such as Rubens Limongi França,
author of Direitos da Personalidade, took up the concept of “personality rights” in
the form proposed by legal theorist Otto von Gierke, who firmly believed that the
Roman distinction between private and public law could not be sustained, considering
that “private law, though it cares foremost for individual interests, must serve the
common goal,” and that “public law, though it looks first to the whole, must be just
toward individuals.”13 Gierke defended the notion that private law should preserve
the “inviolable sphere of the individual” but also promote community. The idea about
“the social role that private law should play” strongly influenced Orlando Gomes. In
1889, Gierke defended the idea that “private law must use the means at its disposal
first and foremost to guarantee and protect the personalities of individual people,
to both acknowledge and limit the rights of personality (rights of the individual)
in their general and equal manifestation, in their condition as being members of a
community, with their unique eccentricities, and in their individually acquired or
otherwise attained development, to use civil obligations next to criminal sanctions to
vindicate rights where they are harmed, and to secure compensation and redress.”14
scholarship, a type of knowledge about concepts and structures of law aimed at decision-making
actors. “Legal dogmatics” is also explained by MacCormick: “What may be called normativist
approaches to jurisprudence, most notable among them the Pure Theory of Law of Hans Kelsen,
provide a theory of knowledge for legal dogmatics in this traditional style. Such theories seek
to expound the presuppositions behind the kind of descriptive statements of law, or descriptively
normative statements, which black letter lawyers expound. They also try to work out and account
for the internal logical and conceptual structures which give legal dogmatics a rational form.”
MacCormick and Weinberger (2013), p. 2.
12 Gomes (1966), pp. 39–48.
In his classic essay Direitos da Personalidade, Gomes agrees with Gierke and
claims that “personality rights are absolute, extrapatrimonial, non-transferable, non-
prescriptable, vital and necessary.”15 However, to Gomes, they are more than the
rights to life and freedom. They are “subjective private rights” aimed at the “develop-
ment and expansion of the physical and spiritual individuality of the human person.”16
In his essay, Gomes calls for an agenda of dogmatic studies on personality rights,
claiming that his peers “continue to live in the past century” and that it is the task of
the young generation to “demonstrate sensitivity for these issues.”
Personality rights were first introduced in Brazilian law as a concept associated
with “an ensemble of attributes particular to the human condition,” as professor San
Tiago Dantas said in his lectures in the 1940s,17 or special human manifestations
whose protection is necessary for the normal development of persons. Brazilian legal
tradition on personality rights turned out to reflect a strong influence from Italian
legal doctrine, mainly from Adriano De Cupis, who in 1950 formulated a concept
of personality rights as a set of rights whose absence would make legal personality
void of any concrete value; this concept is still widely mentioned and used. In other
words, its absence would make all other subjective rights practically useless for the
individual; in broad terms, for De Cupis, personality rights could mean a set of
essential rights.18 While these rights began to be observed in case law, basically due
to the development of cases regarding damages to image, honor, or other personality
rights,19 the debate continued in Brazilian private law.
In 1979, Fabio Maria de Mattia returned to the issue in his article Direitos
da personalidade and claimed that the Brazilian debate was highly influenced
by late nineteenth-century German legal theory—which created concepts such as
Personalitätsrechte and Persönlichkeitsrechte—and the experience of the Italian and
Portuguese civil codes. Mattia, clearly influenced by Orlando Gomes and Rubens
Limongi França, claimed that “personality rights are an autonomous category within
the subjective rights, considering that this autonomy comes from the essential character
that they present because of the special character of their object and the
singularity of its content.”20 For Mattia, postwar constitutions such as the German
Grundgesetz, approved in May 1949, conceptualized dignity, stating that human
dignity must not be violated and that it is the role of the state to protect it. Mattia
mentions Article 2 of the German Constitution: “every person shall have the right to
free development of his personality insofar as he does not violate the rights of others
or offend against the constitutional order or the moral law.”
13 Gierke (2016), p. 6.
14 Gierke (2016), p. 7.
15 Gomes (1966), p. 42.
16 Gomes (1966), p. 43.
17 Santiago Dantas (2001).
18 De Cupis (1950).
19 Santos (1997).
European law played a substantial role in the theoretical development of personality
rights in Brazil. It becomes easier to understand the influence of European legal
theory if one accepts the role of dogmatics and civil codes as part of the Brazilian
“legal formant.”
In 1975, the military government presented the project of a Unified Biometric Iden-
tification System (Registro Nacional de Pessoas Naturais—RENAPE) for the whole
country. This happened during the peak of Brazilian state interventionism when
industrial policy focused on technology and the rising “information economy.” The
military had created public firms such as Serpro (Serviço Federal de Processamento
de Dados) and wanted to invest in public policy projects that would generate
demand for these firms. The idea was to unify many different databases—Registro
Geral, Cadastro de Pessoa Física, and Inscrição no Instituto Nacional de Seguridade
Social29—into one database with biometric information about all citizens. Providing
the data would be mandatory for all citizens, feeding the database of the public firm.
A group of sociologists, engineers, and computer scientists resisted and published
texts and manifestos against the biometric system in specialized magazines and jour-
nals. Professionals of other technology firms such as IBM also protested and claimed
that a Unified Biometric System was unsafe and potentially harmful. In 1977, these
activists turned to the French Data Protection Law as a model for Brazil. A few months
after the proposal of the French legislation, Brazilian Congressman José Faria Lima
(a liberal politician from a wealthy family based in São Paulo and from the government’s
political party, Arena) proposed a draft bill for a General Data Protection
Law.30 The draft bill stated that data collection processes required consent from citizens.
The draft bill also adopted a set of principles for the processing of personal
data both by the private and the public sector. It also proposed the creation of a Data
Protection Authority, following the model of the French Commission Nationale de
l’Informatique et des Libertés (CNIL). At almost the same time, Senator Nelson
Carneiro, from MPB, proposed a draft bill to the Senate on the “protection of
computer information.”31 Both draft bills were rejected by the National Congress.
In 1977, the liberal newspaper Estado de São Paulo published a series of articles
against the Registro Nacional de Pessoas Naturais (RENAPE). President Geisel and
the military defended the project and had the support of the Ministry of Justice.
Intellectuals and professionals from the tech sector criticized the project and used
specialized journals such as Revista Dados to mobilize against it. As argued by Estado
de São Paulo, the project “represented not only a threat to the citizen, in his privacy
and liberty, but also a threat to capitalism itself.”32 In the article “Threat to Privacy, the
Greatest Criticism of the Project,” sociologist Maria Tereza de Oliveira argued that
the right to privacy was protected by Article 12 of the Universal Declaration of Human
Rights33 and that this international standard should be followed in Brazil.34 Oliveira
also argued that many European countries such as Belgium, Italy, and Germany
had opposed national registration similar to that proposed in Brazil. She argued
that huge databases about citizens conflicted with democratic values and generated
incentives for a less active society because of the chilling effects of control and
constant monitoring.
29 Registro Geral could be translated as General Identifier. It is a document provided by the Secretariat
of Security. Cadastro de Pessoa Física could be translated as Individual Registration and it
is used for fiscal purposes. INSS could be translated as Social Security Number and it is used for
labor law benefits and pension system.
30 Draft Bill PL 4.365, proposed in 1977.
31 Senate Draft Bill 96 of 1977.
32 ‘Em estudos, identidade única’, Estado de São Paulo, 09 September 1977, p. 18.
Writing in 1979 for Estado de São Paulo, Ethevaldo Siqueira also criticized the
military project and argued that “privacy involves all the forms of protection of
the individual, the person, his home, his family, his ideas, his lifestyle, his right to
isolate himself and escape from external interference.” For Siqueira, “there is no
public interest that can justify the systematic violation of human privacy.”35
The same year, René Ariel Dotti gave a speech about the right to privacy in Brazil at
the annual meeting of the Brazilian Bar Association. Based on the French legislation
and the work of Alan Westin in the United States, Dotti argued that “the atmosphere
of oppression was taking over the country, making use of advanced technology”.
For Dotti, RENAPE was to be prohibited just like a similar database was in Portugal
because it was, just like in Portugal, a national database that violated the fundamental
right of privacy of citizens. In his speech about the “normative treatment of private
life,” Dotti argued that Brazil was to use informatics to benefit citizens and that the
“right to privacy should be guaranteed by the constitution.”36 Also, Portugal and
Spain were to be inspirations for Brazil.
Despite the failed attempt of a General Data Protection Law in 1977, the discussion
about the right to privacy was strengthened and RENAPE was defeated. Nonetheless,
initiatives aiming to draw up a data protection framework in Brazil continued: Representative
Cristina Tavares (PMDB) presented Draft Bill 4646 in 1984 on the Right
to Privacy and Personal Databases, and representative José Jorge (PDS) presented
Draft Bill 4766, also in 1984, on the Right to Privacy and Access to Databases.
In the following years, after the military government had abandoned the RENAPE
project, the Constituinte began working on a new set of rights such as habeas data
(the right to know information about yourself held by a public official or department).
From 1986 to 1988, members of the Constituinte discussed the fundamental rights
of Brazilians and approved a new constitution, which stated that the “right to intimacy
and private life” was a fundamental right. It also included an article about the
fundamental right of access to information, guaranteed by the writ of habeas data.
33 Article 12. No one shall be subjected to arbitrary interference with his privacy, family, home
or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the
protection of the law against such interference or attacks.
34 We thank Jacqueline Abreu (University of São Paulo Faculty of Law) for gathering data and
kindly sharing her research on the right to privacy in Brazil. She searched the archives of Estado
de São Paulo and found many articles and news items critical of the Registro Nacional de Pessoas
Naturais.
35 Siqueira (1979), p. 24.
36 Dotti (1980), pp. 145–155.
These legal innovations formed the bedrock of the Brazilian system of data protection.
During the 1990s and 2000s, this system evolved into a “patchwork model” of
different rules on data protection.37 In the 2010s, the Brazilian Congress finally
harmonized the normative system into a coherent General Data Protection Law. The
next section explores this transformation.
In the previous section, we explored the evolution of Brazilian private law and the
struggles to establish constitutional protections for data privacy. In this section, we
show that the normative system of personal data protection benefited from a complex
process of unifying a fragmented set of legislation that was created over 20 years.
We also argue that personality rights are clearly present in the Brazilian General
Data Protection Law.
After the constitutional reform of 1988, Brazil initiated its economic opening to
international markets and the construction of a “regulatory state”38 based on the
experience of the United States of America and many European and Latin American
countries.39 The governments of Fernando Collor (1990–1992), Itamar Franco
(1993), and Fernando Henrique Cardoso (1994–2002) were dedicated to the reconstruction
of the Brazilian state, the creation of a strong internal market with international
standards of consumer rights (guaranteed by the Code of Consumer Defense
of 1990), and the creation of regulatory agencies with normative power. These agencies
were designed to regulate specific markets, promote competition, correct market
failures, and protect consumers.
The first law that dealt with issues of personal data protection after the constitution
of 1988 was the Code of Consumer Defense (Federal Law 8.078/1990), which
includes a specific chapter on databases and profiles of consumers. The law states
that private firms are free to create consumer reports, profiles, and methodologies to
assess risks. However, consumers have the basic right to access information about
themselves. There is a basic right to retrieve information about what kinds of data are
used in these profiles and databases. There is also a right to have incorrect information
corrected and to delete data about payments of bills after five years.
37 Brazilian legal scholarship since the mid-2000s has pointed to the limits of this patchwork,
defending a comprehensive approach to personal data protection. See Doneda (2006). See also
Limberger (2007).
38 Prado (2012), pp. 300–326.
39 Dubash and Morgan (2012), pp. 261–281.
The Law of Bank Secrecy (Complementary Law 105/2001) also imposed a series
of obligations on banks and financial institutions that work with their clients’ personal
data.40 The law says that consumers must consent to data collection processes and
that private firms have the obligation not to reveal (or not to share with third parties)
the personal data they possess.
Sharing of financial data is also covered by the Code of Consumer Protection. An
important case involving HSBC bank and decided by the Superior Court of Justice
in 2017 addressed the relationship between consent and bank secrecy.41 According
to the court, when people sign a credit card services agreement, they have the right
to choose whether or not to authorize their personal data and financial information
being provided to other companies, even if they are partners of the company administrating
the credit card services agreement. For this reason, the imposition of the
authorization in an adhesion contract is considered abusive and violates the principles
of transparency and trust in consumer relations. In deciding the case, Justice Luis
Felipe Salomão pointed out that, among basic consumer rights, protection against
unfair terms in the provision of products and services is one of the most important
provisions of the Consumer Protection Code (CDC).42 Because it breaches the principles
of transparency and trust in consumer relations, Luis Felipe Salomão considered
it abusive if the credit card service does not offer the customer the possibility of
rejecting the sharing of data. For the Justice, the transfer of information, in addition
to making the client vulnerable, is not essential for the execution of the contracted
service.
Sector-based regulatory norms also guaranteed the right of consent for personal
data collection and a series of obligations for those who process these data.43 The
Telecommunications Act (Law 9.476/1997), for example, stated that consumers of
telecommunication services must consent to data collection processes. Telecommunication
operators must also handle their customers’ personal data with care.
There is a breach of law, enforced by the Agência Nacional de Telecomunicações
(Federal Agency of Telecommunications), if this information is shared with third
parties without the customers’ consent. The same rule applies to the sectors of
energy (Agência Nacional de Energia Elétrica—Federal Agency of Electricity) and
supplementary health (Agência Nacional de Saúde—Federal Agency of Health), for
example.
In 2010, the company Oi S.A. started to map Internet access habits of users of the
Velox service without their consent. Called a Navegador, the program used for data
collection traced consumer profiles, which were then marketed to conduct targeted
40 Roque (2001).
41 Superior Court of Justice, Recurso Especial 1,348,523, ruled in September 2017, Justice Luis
Felipe Salomão, accessible under http://www.stj.jus.br. Accessed 11 Jan. 2022.
42 Scocuglia (2017), accessible under https://www.jota.info/justica/bancos-nao-podem-compartil
During Lula’s government (2003–2010), there was a turn in the national agenda.
Instead of focusing on market incentives, competition, and consumer welfare—traditional
models of economic regulation—, the Brazilian government decided to focus
on the transformation of society caused by the Internet and a renewed agenda for
citizenship online.45
Backed by a partnership with the Open Government Partnership, coordinated by
the United States of America, Brazil discussed and enacted a Freedom of Information
Act (Law 12.527/2011). This law defines basic concepts of “personal data” and a set
of rights for citizens wanting to know about the performance of public officials or
to access information about the government. The Brazilian Freedom of Information
Act also defined a principle of consent for data sharing by public officials.
Finally, the “principle of consent” for the use of personal data on the Internet was
clearly established by the Internet Civil Rights Framework.46 This law, which was
legally constructed by a bottom-up procedure and considerable online participation,
defined basic rights for the use of the Internet in the country and has an entire
chapter on “basic rights of Internet users.” It says, in Article 7, that Internet users
have the right to clear information about how personal data are collected by Internet
Service Providers (ISPs) and Internet Application Providers (IAPs). It also says
that data collection and data processing must be grounded in “free, expressed, and
informed consent.” In other words, Internet users must be autonomous and must
agree with data processing before it happens. As argued by Laura Schertel Mendes
and Danilo Doneda, Marco Civil da Internet clearly affirms a “fundamental right of
data protection”47 and establishes the principle of consent as a foundational principle
for the application of the legislation.
Up until now, together with the Code of Consumer Defense, Marco Civil da
Internet has provided the legal basis for class actions and administrative procedures
focused on the violation of personal data protection on the Internet. In 2016, for
instance, the Brazilian Institute of Consumer Defense published a report on the
violations of Marco Civil in the “WhatsApp case” (the new terms of use imposed
by Facebook Inc. and the collection of metadata without clear user consent). The
institute argued that there was a violation of Article 7, VII, of Law 12.965/2014
because personal data was shared with “third parties” without clear, informed, and
expressed consent.48
Another important case was the class action of the Ministério Público Federal
(Brazilian Federal Public Prosecutor) against Microsoft in 2018 because of opt-out
mechanisms for data collection set by default in the Windows 10 operating system.
According to the federal prosecutors, the product violated Brazilian law because “it
collected personal data without clear and expressed consent from users, sentencing
to death the constitutional principles of dignity of the human person, the inviolability
of intimacy and private life, honor and image.”49
Until the enactment of the General Data Protection Law (Law 13.709/2018), both
Marco Civil da Internet and the Code of Consumer Defense provided a strong legal
basis for injunctions and collective redress.
During the early period of Dilma Rousseff’s government (2011–2016), Brazil enacted
an important piece of legislation on credit reporting which was inspired by the Credit
Reporting Act of 1976 in the United States. Brazilian Law 12.414/2011 established
a legal framework for “positive credit reporting,” that is, a reporting system that
monitors the payment behavior of consumers, the use of financial products, and the
probability that a particular person will fulfill his or her financial obligations.50
The structure of this system, the Cadastro Positivo, rests on three pillars: (i)
the basic right of consent (credit bureaus can only open a positive credit report if
the consumer understands what is going on and agrees), (ii) the right of control
(the consumer must have control over his or her data, with a set of basic rights
of access, modification, deletion, etc.), and (iii) the right of transparency and
non-harmful discrimination (consumers who suffer the consequences of a purely
automated decision must have the right to a human analysis in order to diminish harmful
discrimination).51
As argued by Danilo Doneda and Laura Schertel Mendes in 2014, the Brazilian
Credit Reporting Law advanced personal data protection, making it an “autonomous
field”52 and detaching it from consumer protection and constitutional law. With
this new set of rights—mostly designed to ensure control, transparency, and
non-harmful discrimination—the Brazilian legal system approximated the European one.
Indeed, European Directive 46/95 and the draft version of the General Data Protection
Regulation (GDPR) inspired the rights of access, control, and transparency in the
Brazilian Credit Reporting Law.
This set of rights created by Law 12.414/2011 inspired the Ministry of Justice
to work on a draft version of a General Data Protection Law during Dilma
Rousseff’s government. There were two public consultations in a period of five
years and hundreds of contributions from experts, industry representatives, and
non-governmental organizations (Boff and Fortes 2014).53
In the next section, we will explore how the General Data Protection Law used
the legal background of these diverse laws and built something new in normative
terms, taking advantage of an established tradition of personality rights within the
Brazilian legal community.
Brazil’s first General Data Protection Law (LGPD) was enacted on August 14, 2018.54
The approved text has its origins in a proposal prepared by the Ministry of Justice in
2010 that went through years of official Internet debates (promoted by the ministry
in 2010 and 2015) as well as discussions with the government and stakeholders.55
The dynamics and conditions of the process which gave birth to the LGPD differ
in some relevant ways from what happened in other Latin American countries when
approving their own data protection legislation. Indeed, none of the data protection
laws previously enacted in Latin America had a concrete impact on the timing and
mood of the debate on the matter in Brazil, which was basically internal. This was the
case even though countries as close to Brazil as Argentina or Uruguay, all of which
are members of the commercial block Mercosul, enacted their legislation and went
further in order to obtain adequacy status from the European Commission or, in the
case of Uruguay, become a signatory of Convention 108 of the Council of Europe.
One exception to this almost isolationist approach, however, was the participation
of Brazil in a working group in Mercosul (SGT13, the working sub-group on
electronic commerce and digital certification). The group, after being encouraged by the
Republic of Argentina to elaborate a legal data protection framework for the
countries of Mercosul (at that time Argentina, Brazil, Paraguay, and Uruguay), discussed
the proposal for five years until the four countries signed a data protection
regulation in 2010 which was meant to be evaluated by the executive branch of Mercosul
(Grupo Mercado Comum) at a later date. Even though the document ended up being
neither analyzed nor enacted as Mercosul legislation, this was the first (preparatory)
official document endorsed by Brazilian representatives pointing to the need to
establish an internal data protection framework for Brazil (the Mercosul document would
ideally, if enacted, drive the member countries to approve their own data protection
regulations in compliance with the Mercosul standard).
In 2016, the Data Protection Bill prepared by the Ministry of Justice was sent by
the government to the National Congress, and in 2018, the final text of Law 13.709
was unanimously approved both by the Chamber of Deputies and the Federal Senate.
The President of the Republic, however, vetoed some provisions, most importantly the
creation of an autonomous Data Protection Authority (DPA), on the basis of formal
objections to the way the DPA was created.
The veto of the DPA was followed by an intense debate about its desirable nature
and shape. In the last days of his term of office, and following his own statement that
the DPA would be created before he left office, President Michel Temer issued the
executive law Medida Provisória MP 869 of 2019 creating the Autoridade Nacional
de Proteção de Dados, a DPA with no formal independence from the government
and linked to the Presidency of the Republic. However, Congress had to deliberate
on its creation and on several changes this executive law made to the LGPD.
The Brazilian data protection framework usually does not refer to a fundamental
right to data protection present in the Constitution, as the current jurisprudence of STF
(Brazilian highest Constitutional Court) does not yet recognize a constitutional right
referring to personal data. That differs from the GDPR, which is strongly grounded in
the conceptualization of data protection as a fundamental right as enshrined in Article
8 of the Charter of Fundamental Rights of the European Union56 and recognized by
Recital 1 of the GDPR.
The lack of a literal provision in the Brazilian Constitution, however, was followed
by several references to fundamental rights and personality rights in
the LGPD, both in the formal sense (as fundamental references) and in the structural
sense (the use of personality right techniques).
In this sense, the presence of personality rights as the driving force for the
protection of citizens by means of a series of provisions on the use of their personal data is
made exceptionally clear in the first article of LGPD, which not only mentions the
law’s aim to protect the fundamental rights of freedom and privacy, but also the free
development of the personality of natural persons. The notion of the free
development of personality is strictly linked to the theory of rights of personality in Brazilian
private law,57 and its mention stresses the fact that this model was the main LGPD
reference for translating the rationale of the tradition of data protection to Brazilian
law. Indeed, the “free development of personality”58 is mentioned twice in LGPD.
First, in Article 1,59 which defines the scope of the law. Second, in Article 2,60 when
mentioning the basis of data protection, together with human rights, dignity and the
exercise of citizenship.61
Article 2 is also a central article regarding the issue of personality rights in the
LGPD for another reason: it clearly mentions that most of the grounds upon which the
discipline of data protection is based are related to personality rights: the right to
privacy (Article 2, I), the inviolate intimacy, honor, and image (Article 2, IV), the
aforementioned Article 2, VII, but also expressions of fundamental rights strongly
related to personality rights such as freedom of expression, communication, and
opinion (Article 2, III), as well as the presence of the concept of informational
self-determination (Article 2, II), directly quoting the Recht auf informationelle
Selbstbestimmung from the 1983 ruling by the German Constitutional Court.62
In several places, the body of the LGPD demonstrates that some of its instruments
were shaped so that in situations where personality rights demand a major level of
protection, these rights should be particularly and inevitably considered. That is
the case, for example, for the general rule of verifying the feasibility of legitimate
interest as the basis for personal data processing, which may occur only if the rights
and freedoms of the data owner prevail—thus creating a concrete limit on the use
of legitimate interest grounded in the protection of the data owner (Article 7, IX).
Another clear example of protection of personality is the concept of sensitive data,
which demands a higher level of protection because there is a higher potential for
damage to the data owner. The LGPD went even further when it strictly forbade all
communications of health data for economic purposes (Article 11, § 4).
Some processual provisions in LGPD also strongly resonate with tools which are
commonly used to assure personality rights, and perhaps the most important of them
is the possibility given by Article 22 to use the available processual instruments,
whether individual or collective, broadly.
means, by a natural person or a legal entity of public or private law, with the purpose of protecting
the fundamental rights of freedom and privacy and the free development of the personality of the
natural person”.
60 Article 2 reads: “The discipline of personal data protection is grounded on the following: (…)
VII—human rights, free development of personality, dignity and exercise of citizenship by natural
persons”.
61 Rouvroy and Poullet (2009), pp. 45–76.
62 As to this right, cf. Albers (2005).
5 Conclusion
Brazil lagged behind even multiple Latin American countries in introducing a General
Data Protection Law, doing so only in 2018. One of the reasons for the long duration
of this process was the novelty and even the complexity of some of the key tools and
concepts in the new legislation, many of them not yet present in Brazilian law, but
necessary to achieve harmonization with international and transnational standards
on data protection. One of the clear signs of this was, indeed, the vacatio legis period
established until the LGPD entered into force, which was originally 18 months, but
later expanded to 24 months, by Medida Provisória 869 of 2018—an uncommonly
long period by Brazilian legal standards.63
For the LGPD to fulfill its mission to provide Brazil with modern data protection
legislation in order to protect the individual, it will be important to recognize the
strong link between the new legislation and the doctrine and tradition of the rights
of personality, for at least three reasons.
First, as mentioned, the fact that the recognition of data protection as a fundamental
right is still a work in progress in Brazilian jurisprudence makes it essential to ensure
that data protection is strongly linked with the tradition of personality rights, assuring
that the protection of individuals in the face of the information society can use the
set of tools provided by private law to assure the data owners’ position regarding the
processing of their data.
Second, the bridging between personal data protection and personality rights
can avoid excessive “technicization” of the field of personal data protection within
the legal community. This process of “technicization” could transform personal
data protection into something similar to, for instance, telecommunication
regulation, making it a “small field” for a highly specialized group of lawyers
basically concerned with compliance and economic regulation. That is not the case with
personal data protection, which is not only about economic regulation but essentially
about fundamental rights and personality rights.
Third, the Brazilian legal community was able to take advantage of its long
tradition of personality rights, as explained in Part 2 of this chapter. By reshaping
personality rights into personal data protection—making it clear that personal data
protection is about the free development of personality, informational self-determination,
and risk regulation—, Brazilian lawyers and scholars can think more clearly about this
new field of rights and obligations without abandoning a well-established tradition
and its humanistic character.
We do not need to abandon legal thinking from the past. We can use the best
that this legal thinking produced in private law to think about contemporary
problems caused by information technology and the digitalization of society. This is the
challenge for the application of the General Data Protection Law.
63 The LGPD, except articles 52–54, finally entered into force on September 18, 2020; the rules on
sanctions in articles 52–54 came into effect on August 1, 2021.
References
Rouvroy A, Poullet Y (2009) The right to informational self-determination and the value of
self-development: reassessing the importance of privacy for democracy. In: Gutwirth S, Poullet Y, De
Hert P (eds) Reinventing data protection? Springer, Dordrecht, pp 45–76
Sacco R (1991) Legal formants: a dynamic approach to comparative law (Installment I of II). Am
J Comp Law 39(1):1–34
Santiago Dantas F (2001) Programa de Direito Civil: teoria geral. Forense, Rio de Janeiro
Sarlet IW (2022) The protection of personality in the digital environment. An analysis in the light
of the so-called right to be forgotten in Brazil. In: Albers M, Sarlet IW (eds) Personality and data
protection rights on the internet. Springer, Dordrecht, Heidelberg, New York, London (in this
volume)
Schertel Mendes L (2014) Privacidade, proteção de dados e defesa do consumidor - Linhas gerais
de um novo direito fundamental. Saraiva, São Paulo
Tácito C (1959) O Abuso do poder administrativo no Brasil: conceito e remédios. Rev De Direito
Administrativo 56:1–28
Tepedino G (1999) A tutela da personalidade no ordenamento civil-constitucional brasileiro. In:
Temas de direito civil. Forense, Rio de Janeiro, pp 23–54
Trubek DM (1972) Toward a social theory of law: an essay on the study of law and development.
Yale Law J 82(1):1–50
Zanatta R (2016) Consentimento Forçado: uma avaliação sobre os novos termos de uso do WhatsApp
e as colisões com o Marco Civil da Internet. Instituto Brasileiro de Defesa do Consumidor, São
Paulo
Danilo Doneda Ph.D. in Civil Law (UERJ). Professor at IDP. Director at CEDIS/IDP (Center
of Studies in Internet and Society). Member of the advisory board of the United Nations Global
Pulse Privacy Group, the Project Children and Consumption (Instituto Alana) and Open
Knowledge Brasil. Previously served as General Coordinator at the Department of Consumer Protection
and Defence in the Ministry of Justice (Brazil). Visiting researcher at the Italian Data Protection
Authority (Rome, Italy), University of Camerino (Camerino, Italy) and at the Max Planck Institute
for Comparative and International Private Law (Hamburg, Germany). Part of his work is available
at www.doneda.net/.
Rafael A. F. Zanatta Director of the Research Association Data Privacy Brasil. PhD
Candidate at the University of São Paulo. Main areas of research: Data Protection Rights, Collective
Rights, Data Commons, Legal Theory and Sociology of Law. Selected Publications: A Proteção
de Dados entre Leis, Códigos e Programação: os limites do Marco Civil da Internet, in: Newton
de Lucca/Adalberto Simão Filho/Cíntia Rosa Pereira (eds.) Direito e Internet III: Marco Civil
da Internet. São Paulo: Quartier Latin, 2015, pp. 447–470; Economias do Compartilhamento e o
Direito, Curitiba: Juruá, 2017; Dados, Vícios e Concorrência: repensando o jogo das economias
digitais, Revista Estudos Avançados, v. 33, n. 96, 2019, pp. 421–446 (with Ricardo Abramovay);
Proteção de dados pessoais e direito concorrencial: razões de aproximação e potencialidades de
pesquisa, Revista Fórum de Direito da Economia Digital, Belo Horizonte, v. 3, 2019, pp. 141–170
(with Bruno Renzetti); Dados pessoais abertos: pilares dos novos mercados digitais, Direito
Público, v. 16, n. 90, 2019, pp. 155–178 (with Ricardo Abramovay).