Please also read:
Mandatory changes to Internet User Agreements in Brazil
I will proceed with some conversations I had just after the law came into force. A longer and more detailed article will follow.
Dear Adler,
I actually thought about you those days.
We are currently researching questions around data security of cloud services (i.p. e-mail, files) in Brazil for a German company who is planning to integrate a Brazilian subsidiary into their IT. We hope to get a project out of it, in which case we would probably also need some legal advice on the topic. E.g.
- regulations and data protection laws (compared to US/Europe)
- privacy protection for data transferred to Brazil
- do other international companies use cloud services in Brazil, despite the security problems?
- etc.
Is that an area you are familiar with, so that we could come back to you?
Best regards,
---------------------------------
Dear Edith,
Your consultation comes at a very interesting time. Just yesterday a new law came into force in Brazil, the Marco Civil da Internet (Internet Civil Regulation).
It has basically changed the Brazilian data protection system completely. It has, for example, made Brazilian law mandatory in many cases.
Since this kind of conflict of law situation is my specialty, I'm currently providing consultancy to another foreign company in the matter.
That said, I would be honored to help you in this situation. Please tell me more details. I'm also open to a phone call, if you prefer.
May I post this conversation on my blog, without mentioning names? I'm currently writing a few articles on this subject, since the law is very recent and there is little material about it.
Regards,
Adler
--------------------------
Hi Adler,
as promised, here is some more background information:
- A Germany-headquartered international company has recently acquired two companies in São Paulo.
- Now the IT should be integrated, and it is evaluated whether cloud services can be used for email and files (Microsoft Office365).
- Technical support should be provided from support centers in the EU and/or USA. For this purpose, personal data from Brazilian employees and customers, stored on servers in Brazil, would need to be accessed from Europe or the US.
- Sidenote: EU’s data protection laws restrict exporting personal data outside of the EU. Companies must sign detailed EU Standard Contractual Clauses (aka “Model Clauses”) with partners outside of the EU. For data exchange with US-companies, there is also a "Safe Harbour" framework, which e.g. Microsoft has signed.
So here are some questions that come to my mind:
- Do you know whether it is common for international companies to use cloud services in Brazil?
- What are the legal regulations and requirements w.r.t. data protection for using cloud services in Brazil, and exporting personal information to the exterior?
- I have read the new law. What will it mean in practice for a company using cloud services like Office365 in Brazil? Are there other laws and regulations besides the Marco Civil da Internet applicable for this case?
- Are there any standard regulations or contracts between Brazil and the EU or USA (like the "Safe Harbour")?
I am free to talk via phone or e-mail, whatever is more convenient for you. For phone please just let me know when there would be a good time to call you.
We should also think about a future collaboration, I hope that there will be a project and further advice needed.
Many thanks,
E. C.
---------------
Dear Adler,
just a quick heads up: I will have to finish my research on this topic today.
From what I found out so far, there is no restriction in Brazil for a company saving user data outside of the country. The only difference with the new law seems to be that Brazilian law applies. So that if a Brazilian authority requires the data it has to be available regardless of the law of the country where the data is stored.
In case there is anything else you can advise on the topic in addition to that, I would be grateful for a hint.
Thanks for your time and effort!
E.C.
-------------------
Dear Edith,
You are correct. It is possible to save data abroad, but Brazilian law will apply. Not all of Brazilian law, but only some specific privacy provisions brought by the Marco Civil.
But I would add that it is not only the data that must be available, it must be clear to the government that the company has taken measures not to keep data from Brazilians for longer than the law allows (typically one year).
Since Brazil does not have jurisdiction abroad, lack of compliance will probably mean that Internet providers in Brazil will be forbidden to grant access to the website. That is, your website or email server could be shut down.
Regards,
Adler