DATA PROTECTION IN THE FINANCIAL SECTOR

Size: px

Start display at page:

Download "DATA PROTECTION IN THE FINANCIAL SECTOR"

Benedict Booth
6 years ago
Views:

BAPTISTA LUZ ADVOGADOS R. Ramos Batista. 444. Vila Olímpia 04552-020. São Paulo SP baptistaluz.com.br DATA PROTECTION IN THE FINANCIAL SECTOR REGULATORY PERSPECTIVES / Pedro H.

1 BAPTISTA LUZ ADVOGADOS R. Ramos Batista Vila Olímpia São Paulo SP baptistaluz.com.br DATA PROTECTION IN THE FINANCIAL SECTOR REGULATORY PERSPECTIVES / Pedro H. Ramos / Ana Paula Collet Camargo / Laura Felicíssimo INTRODUCTION AND OVERVIEW Although data protection regulations have been enacted all over the world in the last few years, Brazil does not have a general data protection law yet. However, five general bills are being discussed. In relation to data protection in the Brazilian Financial Sector, the main document is the cyber security guideline published in August 2016 by ANBIMA, a Brazilian association for the financial and capital markets. The Guideline reflects the need for a proper data protection in the financial sector, since financial motives drive the majority (80%) of violations to data protection in Brazil. Further, the Brazilian Financial Sector is under obligation to meet law requirements that already affect data usage procedures at those institutions. See the list of relevant regulations, which will be discussed below: The Federal Constitution

Criminal Code (Law no. 2,848/1940) Public Limited Company (Law no. 6,404/1976) Securities Market (Law no. 6,385/1976) Consumer Code (Law no. 8,078/1990) Money laundering (Law no.

2 Criminal Code (Law no. 2,848/1940) Public Limited Company (Law no. 6,404/1976) Securities Market (Law no. 6,385/1976) Consumer Code (Law no. 8,078/1990) Money laundering (Law no. 9,613/1998 as updated in 2003 and 2012) Bank Secrecy (Complementary Law no. 105/2001) Civil Code (Law no. 10,406/2002) Database for Credit History (Law no. 12,414/2011) Access to information (Law no. 12,527/2011) Information Technology Crimes (Law no. 12,737/2012) Internet Bill of Rights ( Marco Civil da Internet ) (Law no. 12,965/2014) MANAGING PERSONAL AND FINANCIAL DATA The Brazilian Constitution (Article 5) protects intimacy, as well as mail confidentiality, except in case of a criminal investigation. In addition to such fundamental rights, there are rules set forth by Brazilian legislation, briefly discussed below. The Civil Code puts emphasis on the individual right to privacy and, for such a reason, courts may adopt all necessary remedies to stop activities that may affect individual's privacy. Nevertheless, the use of any personal data without the consent of the owner is not authorized, especially for commercial purposes. baptistaluz.com.br 2

3 The Consumer Code, Section VI, regulates consumers' registers and database, especially regarding credit history. Its article 43 provides that the consumer shall have access to the information related to them and available at registers and database. Detailed provisions are: (i) these registers must be very user-friendly and negative information cannot be included after five years. (ii) consumer must be aware of any register or database using their data. (iii) consumer can demand the immediate alteration of incorrect data. (iv) once the prescription of a consumer's debt applies, the Credit Protection Systems will not give any information that could prevent access to new credit. In accordance with the regulation above, the Database for Credit History Law disciplines the database creation and consultancy regarding client's due performance for credit history. This type of database can only maintain the data necessary to evaluate someone's economic situation; it cannot retain excessive (not related/unnecessary) or sensitive data. Moreover, the data subject must give his/her consent so that the register can be opened. However, the person who owns the data can ask for its cancellation, to have access to it or correct its uses at any time. Additionally, Marco Civil of Internet (Law no. 12,965, Article 7) defines that any type of organization collecting, using and treating data subjects' data must provide clear and detailed information about it. The data use must be justifiable and not prohibited by the current legislation. Some observations are also necessary regarding the Brazilian Criminal Code, which has a section dedicated to crimes against inviolability of secrecy. The invasion to a third party's electronic device, with unauthorized access and breach of baptistaluz.com.br 3

4 security systems to obtain or change data can result in a detention penalty of three months up to one year, including a payment of a fine. This penalty can increase if the invasion causes economic losses. Finally, it is important to highlight regulation of public institutions regarding the disclosure of data. Public institutions must also obtain the data subject's consent to access data considered personal. Moreover, Law no. 12,527/2011 allows public data secrecy only when a disclosure has the potential to jeopardize the financial or economic stability, among other situations, concerning sovereignty. MONEY LAUNDERING The Money Laundering Law specifies that the Financial Sector must: (i) identify its clients and maintain an update register about them. (ii) keep a record of all financial transactions that go beyond the permitted limit. (iii) answer properly to all requests made by COAF (The Brazilian Board for Financial Activities Control) or another proper regulator, so its board will be responsible to keep secrecy about the answers sent. (iv) pay special attention to any transaction that seriously indicates a crime, and as a result communicate such fact, in secrecy, to COAF within 24 hours. The institutions or people that do not comply with the requirements enlisted above may be subject to the following sanctions: warnings; fines; temporary inability to exercise management positions in financial institutions; inability to the exercise certain activity, operation or function. baptistaluz.com.br 4

5 Such Central Bank of Brazil issued the resolution nº that provides additional regulation about the risk prevention of hiring financial institutions in Brazil. According to resolution, all financial institutions must assure integrity, reliability, security and secrecy of all transactions, operations and services offered, identify the ultimate beneficial owner of every payment or transference, including in case of payment services involving institutions from different payment arrangements. BANKING SECRECY AND CONFIDENTIALITY RULES There is a specific law in Brazil demanding secrecy from financial institutions, Complementary Law no. 105, 2001, according to which only the following situations do not violate the secrecy obligation: information exchange between financial institutions for database purposes. information about defaulters required by credit protection entities. communication of illicit activities to proper regulators (e.g. CVM, COAF). information disclosure with the express consent of all the people involved. breach of confidentiality can also be required as part of legal investigation, especially for the following crimes: terrorism; drug or arms trafficking; extortion by kidnapping; against the national financial system; against public administration; against tax law and social security; money laundering; practices by criminal organizations. There are similarities between Money Laundering Law and Bank Secrecy Complementary Law concerning data protection. The bank secrecy compliance and the data protection compliance permit exchange of private data if requested by specific public baptistaluz.com.br 5

6 bodies associated with the financial sector or for legal investigation support. DATA BRENCH NOTIFICATION The Brazilian jurisdiction does not have any particular regulation to prescribe data breach notification. However, there are five general draft bills related to the use of personal data and all proposals offer instructions regarding data breach notifications valid for every Brazilian production sector. Article 24 of Bill no. 330/2013, proposed by the Federal Senate, determines some procedures in case of a security incident (Bill no. 4,060/2012 is more general in that matter). In summary, person responsible for the database should: (i) communicate the incident within reasonable time to the competent board. (ii) offer detailed information about the nature of the breached data, personal information involved, procedures used to protect that data, risks related with the incident, measures adopted to deal with it and reasons delaying communication of the fact to competent authorities. Depending on the damage caused, the competent regulatory body may ask for other measures, such as reporting the incident to the data holder, announcing the incident in media or undertaking more actions to redress the damage (Article 48 of Bill no. 5,276/2016). MARKETING, NEW MEDIA AND COMMUNICATIONS Marco Civil stipulates that media's relationship with its customers is a 'consumer relation', therefore is subject to the Consumers Code, which was already analyzed in paragraph 2. Further, there are no specific requirements regarding the use of data for marketing purposes. baptistaluz.com.br 6

7 All general draft bills mentioned above are oriented to regulate the use of data for commercial purposes, so they will apply, if adopted, to marketing proposes as well. All proposals require the consent of the data subject, who should understand very clearly the proposed use of his/her data for the consent to be valid. The Bill nº 4.060/2012 is more flexible than the others, only sensible data, that is information related with social or ethnic origin, and political, religious or philosophic convictions of the holder, need consent however, it is still necessary to wait the legislative procedures to see which definition will be adopted. WHISTLEBLOWING The relationship between professionals in the financial sector and data security is regulated in Brazil through the Criminal Code and also by specific rules included in sector-specific legislation. The Criminal Code, in section dedicated to crimes against the inviolability of secrecy, prescribes that the violation of professional secrecy can result in imprisonment of one month up to one year or payment of a fine. In addition, Public Limited Companies Law imposes duty of loyalty on managers of such companies. Managers cannot use to their benefit, even without prejudice to their company, commercial opportunities discovered because of their role. They cannot omit good business opportunities for the company either if this could bring benefits to them or someone else. It is also necessary to keep secrecy of information that was not yet disclosed outside the company, especially if it can influence the stock exchange. The managers must also make efforts, so that the employers or people under their supervision do not act against this rule. baptistaluz.com.br 7

8 If any person suffers a damage because of a fault in the loyalty of managers duty, such person has the right to be indemnified by the wrongdoer. The Securities Market Law considers it a crime against market to use relevant information yet not provided to the market. In such case, the penalty is bigger than the one provided for in the Criminal Code, and combines from one to up to five years of imprisonment together with fines of up to three times the amount of the benefit obtained. To reinforce the importance of this subject, the Securities Commission (CVM), authority responsible for regulating the securities market and its stakeholders in Brazil, issued Instruction This Instruction highlights the need to inform the whole market about information that can affect all investors of a company with shares on the stock market. In case the company prefers to keep some information in secrecy, such decision must be submitted to CVM and all managers and shareholders must respect such secrecy. The secrecy obligations above presented can only be ruled out in the context of a judicial procedure, provided that the whistleblower s hearing is previously justified and authorized by a judge. In such cases, upon proof that the whistleblower is being coerced or threatened for his/her deposition, Brazilian law presents a series of provisions for the protection of the whistleblower and his/her family. Such provisions include financial help, protection of identity, security, among other protective measures to be adopted by public authorities. CONCLUSION Even though Brazil is still developing specific legal requirements to protect personal data in relation to its commercial use, the financial sector itself is already very concerned about data protection and already has specific regulations and directives to protect important information related to the sector. It is very important to realize that, regardless of the duty to keep baptistaluz.com.br 8

9 personal matters private, the financial sector in Brazil has different rules to follow. 1. The general rule is that information must be available to the market. 2. But, in some cases a company can keep secrecy about a fact, if such fact does not affect the market operation, however, all the ones involved must keep the secrecy and should not take benefit out of it. Besides that, the continuous global discussion and national draft bills proposed support the need for detailed procedures to not only reinforce the right to intimacy, but also in fact guarantee protection to the great amount of data available virtually. baptistaluz.com.br 9

Bank Finance and Regulation Survey. BRAZIL Demarest e Almeida Advogados

Bank Finance and Regulation Survey BRAZIL Demarest e Almeida Advogados CONTACT INFORMATION António Manuel França Aires Demarest e Almeida Advogados Avenida Pedroso de Moraes, 1,201 - Centro Cultural Ohtake,