Protection of Personal Data in Singapore and Brazil — A General Comparison
Renato Leite Monteiro[1]
Data protection is currently a trending topic in world politics, in both the media and society in general. The issue is far from new, but since Edward Snowden[2] released information about a secret worldwide surveillance program performed by the United States of America National Security Agency on electronic communications over the Internet, news pops up almost every day revealing that not only common US and foreign citizens[3], but also heads of state[4], have had their communications monitored.
These revelations by Mr Snowden exposed a surveillance program that included tapping the Brazilian President. Such an act led the head of state to address the situation in her opening speech at the United Nations General Assembly of 2013[5], highlighting that “tampering in such a manner in the affairs of other countries is a breach of international law and an affront to the principles that must guide relations among them”. It also led to the cancellation of an official visit to the United States, under the reasoning that “interception practices of communication and citizens’ data, companies and members of the Brazilian government are a grave fact, a threat to national sovereignty and individual rights, and incompatible with the democratic cooperation between friendly nations”[6].
In a time when the amount of electronic data produced every day surpasses the amount of regular data produced by the entire human civilization since its dawn[7], several countries have yet to regulate how data which flows through their infrastructure should be processed and treated. Europe has been legislating about it for more than thirty years[8]. The United States has only sectorial laws[9], regarding, e.g., health records or tax data. Although Brazil has statutory provisions in its constitution guaranteeing the right to privacy[10], it still does not have comprehensive protection for personal data. Rather, it only has a brief overview of the issue in its consumer code and also in specific regulations, such as those on medical records.[11] Singapore has recently introduced the Personal Data Protection Act [PDPA] [12], which encompasses certain particularities when compared to similar provisions from other regions of the world.
As opposed to Brazil and the European signatory countries, Singapore does not provide its citizens with a statutory right to privacy, instead relying more on the tort remedy of breach of confidence to enforce such a claim.[13] Confirming the theory that “privacy” and “data protection” are two different concepts[14], the word “privacy” is absent from Singapore’s Data Protection Act.[15] The Act focuses on information management and on the economic, commercial and competitive advantages of having clear rules on how the industry based in Singapore ought to process personal data.[16] A culmination of years of discussion and comments[17], Singapore’s act comprises a concept of personal data[18], but does not differentiate it from sensitive data.[19] Its main advantages are the rules on collection, use and disclosure of personal data, setting forth the need for actual or deemed consent from the individual to perform those acts.[20] Consent can be withdrawn at any moment[21], and deemed consent is limited to situations when the individual voluntarily provides the personal data or there are reasons to believe that such data would be provided.[22] Also, the individual must be informed of the purpose for which his information is being collected[23], and its use must be limited to such purpose.[24] But there are exceptions to the need for consent, such as emergencies, legal services and newsworthiness.[25] The Act created a Data Protection Authority (“DPA”)[26], responsible for the enforcement of the act. In case of a violation, the authority can impose on offenders penalties of up to $1 million, amongst other measures.[27]
It is important to note that the PDPA left out major provisions present not only in the Brazilian Bill on the Protection of Personal Data, but also in several other pieces of legislation. When dealing with trans-border transfers, the PDPA does not require the foreign country to apply the same level of protection to personal data as Singapore. Rather, it only requires the same standard of protection.[28] Also, it has not implemented a data breach notification system, heading in the opposite direction from countries with a very liberal approach to data protection.[29] Another interesting provision that confirms that the approach of the act is to enhance Singapore’s economy, and not primarily to protect the privacy of its citizens, is that data processed by government institutions does not need to follow the PDPA’s requirements[30]. Data breach obligations have been one of the most effective measures mandated by data protection legislation[31], since data processors, data controllers and intermediaries are required to notify not only the DPAs, but also the individuals whose personal data have been breached. To date, publicizing data breaches has not been a regular practice of private organizations and governments, which fear liability and, more importantly, bad publicity that can lead to direct repercussions on businesses.[32]
As for Brazil, the country has been openly discussing Internet regulation[33]. Recently, a law was approved (“cybercrime bill”) amending its criminal code to include certain acts performed through electronic means and over the Internet[34]. Concurrently, a civil legislative framework is under debate.[35] This bill will encompass questions such as Internet Service Providers’ (“ISP”) liability for third-party content and network neutrality, and will set time limits on ISPs’ storage of Internet users’ connection data. But this framework does not directly address the issue of protection of personal data. For this, a different bill has been introduced.[36] Due to the recent set of events involving privacy and data breaches of Brazilian citizens, both provisions that were on hold have been urgently brought into force.[37]
The Brazilian Bill[38] on the Protection of Personal Data is based on the European Directives on Data Protection[39] and on the Canadian Data Protection Act [PIPEDA].[40] It guarantees a list of citizens’ basic rights regarding their personal data: the right to (i) access one’s data; (ii) correct inaccurate or wrong data; (iii) delete them; (iv) object to their processing; (v) not be subject to purely automated decisions; and (vi) be compensated for the misuse of one’s personal data.[41]
Similar to the European provisions, and different from Singapore’s PDPA[42], the bill sets forth that personal data can only be transferred to countries that guarantee the same level of protection.[43] The DPA, the institution created to oversee the enforcement of the act, will pronounce the acknowledgement of the same level of protection.[44] The bill mandates a data breach notification regime;[45] differentiates between personal data and sensitive data;[46] and furthermore, it expands its application not only to private organizations, but also to governmental institutions of all levels.[47] The bill even determines strict liability for data processors in case of data breaches.[48]
Therefore, both legislative provisions, Singaporean and Brazilian, aim to set clear rules for the processing of personal data over electronic infrastructures in their territory. This is a clear reaction to the digital era in which the world currently finds itself. But the laws are founded on different perspectives. Singapore’s PDPA is based on economic goals. Brazil’s bill is based on the country’s long-lasting history of statutory recognition of the right to privacy.[49] Which is more important depends on the different approaches given by interpreters. But it is important to bear in mind the current state of international politics due to the recent data breach scandals.[50] Nonetheless, both countries may end up achieving the same objective, which is to protect the personal data of their citizens.
[1] New York University LL.M. Candidate in Global Business Law, National University of Singapore LL.M. Candidate in Intellectual Property and Technology Law, Singapore Law Review Editor.
[2] The Guardian, The NSA Files, Edward Snowden, online: The Guardian Online <http://www.theguardian.com/world/edward-snowden>.
[3] Paul Owen, The NSA Files, ‘60m Spanish phone calls monitored’ as Merkel row continues – live coverage, online: The Guardian Online <http://www.theguardian.com/world/2013/oct/28/nsa-files-60m-spanish-phone-calls-monitored-as-merkel-row-continues-live-coverage> (last accessed on 29 Oct 2013).
[4] James Ball, NSA monitored calls of 35 world leaders after US official handed over contacts, online: The Guardian Online <http://www.theguardian.com/world/2013/oct/24/nsa-surveillance-world-leaders-calls>.
[5] H. E. Dilma Rousseff, Statement by President of the Federal Republic of Brazil, online: General Assembly of the United Nations <http://gadebate.un.org/sites/default/files/gastatements/68/BR_en.pdf>.
[6] Literal translation of the official announcement: “as práticas ilegais de interceptação das comunicações e dados de cidadãos, empresas e membros do governo brasileiro constituem fato grave, atentatório à soberania nacional e aos direitos individuais, e incompatível com a convivência democrática entre países amigos.”
[7] A report from IBM informs that “every day we create 2.5 quintillion (10^18) bytes of data – so much that 90 percent of the world’s data today has been created in the last two years alone. The increasing volume, variety and velocity of data available from new digital sources like social networks, in addition to traditional sources such as sales data and market research, tops the list of CMO challenges.” EdTech, How “Big” is Big Data?, online: EdTech Online <http://www.usinnovation.org/sites/default/files/ASTRA-EdTech-big-data.pdf>.
[8] Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data online: <http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm>; The European Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, online: <http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML>.
[9] For a list of federal regulation involving data protection in the US, see: Bureau of Consumer Protection, Privacy and Security, online: BCP Business Centre <http://business.ftc.gov/privacy-and-security>.
[10] Brazil Federal Constitution, 1988, Art 5, X.
[11] For more information about protection of personal data in Brazil, see <http://culturadigital.br/dadospessoais>.
[12] Personal Data Protection Act 2012 (No. 26 of 2012).
[13] X Pte Ltd and another v CDE [1992] 2 SLR 996. For more, see Mohammed Reza, Azri Tan, “Old Fashioned” Breach of Confidence: The Singapore Approach to Privacy Law, [2013] LSS 26.
[14] Cf Karen McCullagh, Protecting ‘privacy’ through control of ‘personal’ data processing: A flawed approach, (2009) International Review of Law, Computers & Technology, 23:1-2, 13-24, DOI: 10.1080/13600860902742562.
[15] Simon Chesterman, After privacy: the rise of Facebook, the fall of Wikileaks, and Singapore’s Personal Data Protection Act 2012, [2012] SJLS at 403.
[16] Ibid at 402.
[17] Ibid at 403.
[18] PDPA, supra note 12, s 2(1).
[19] Supra note 15 at 405.
[20] PDPA, supra note 12, s 13.
[21] Ibid, s 16.
[22] Ibid, s 15(1).
[23] Ibid, s 14(1).
[24] Ibid, s 25(b).
[25] Ibid, s 17.
[26] Ibid, s 5.
[27] Ibid, s 29.
[28] Ibid, s 26(1).
[29] 46 US states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have implemented data breach notification requirements, even though there is no federal statute with such provision. For more information, see: NCSL, State Security Breach Notification Laws, online: National Conference of State Legislatures <http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx>.
[30] Supra note 15 at 408.
[31] European Network and Information Security Agency, Trust services: A key to increase citizens confidence in the online world, online: ENISA Online <http://www.enisa.europa.eu/act/it/eid>.
[32] Ibid at 21.
[33] To have access to the public discussions, access http://culturadigital.br/marcocivil/ (in Portuguese).
[34] Law 12.737/12, from November 2012 (available, in Portuguese, at http://www.planalto.gov.br/ccivil_03/_ato2011-2014/2012/lei/l12737.htm).
[35] Supra note 33.
[36] To have access to the open discussions about the Brazilian Data Protection Bill, access: http://culturadigital.br/dadospessoais/tag/legislacao/ (last accessed on 28 Oct 2013).
[37] T. A. Ridout, Marco Civil: Brazil’s Push to Govern the Internet, online: Huffington Post <http://www.huffingtonpost.com/t-a-ridout/brazils-push-to-govern-the-internet_b_4133811.html>.
[38] To have access to the full text of the bill, http://www.acessoainformacao.gov.br/acessoainformacaogov/publicacoes/anteprojeto-lei-protecao-dados-pessoais.pdf (in Portuguese).
[39] Supra note 8.
[40] Personal Information Protection and Electronic Documents Act, online: <http://laws-lois.justice.gc.ca/eng/acts/P-8.6/>.
[41] Supra note 38, art. 15.
[42] Supra note 29.
[43] Supra note 38, art. 35.
[44] Ibid, art. 38.
[45] Renato Monteiro; Cedric Laurant, New Brazilian data protection bill adopts data breach notification regime, online: Information Security Breaches & The Law <http://blog.security-breaches.com/2011/05/09/new_brazilian_data_protection_bill_adopts_data_breach_notification_regime/>.
[46] Supra note 38, art. 21.
[47] Ibid, art. 32.
[48] Ibid, art. 6.
[49] Luis Roberto Barroso, Ana Paula Barcellos. O começo da história. A nova interpretação constitucional e o papel dos princípios no direito brasileiro, Revista de Direito Processual, Rio de Janeiro (57), 2003.
[50] Supra note 2.