Relations between Brazil and Israel have never been so good. From trade treaties to technology investment, tourism to unconditional political support, the land of milk and honey found in the new rightist Brazil led by President Bolsonaro a staunch ally.
Brazil has been undergoing dramatic change, and not only in the political field. In his first year as President, Bolsonaro has not only continued but also ignited many important legal reforms, including the Pension Reform and the Economic Freedom Law.
The privacy issue was also not left untouched. Following the passing of Law No. 13,709/2018 (the LGPD – “Lei Geral de Proteção de Dados”, or “Brazilian Data Protection Law”) during President Temer’s tenure, Brazil this year passed Law No. 13,853/19, seeking, inter alia, to tackle some controversial issues of the original bill and confirming the creation of the National Data Protection Authority (“Brazilian Data Protection Authority”).
The Brazilian Data Protection Law is slated to come into force in August 2020. Whilst many companies are already undergoing the required painstaking changes and making the necessary investment to adapt to the law, others remain skeptical.
A similar situation occurred in Israel only recently, when new data security regulations came into force in 2018. These initially raised many concerns and difficulties but in the end (today) have created a much higher level of awareness and protection of Israeli citizens’ privacy.
In Israel, Article 7 of ‘Fundamental Law: Human Dignity and Liberty’ establishes a principal constitutional right to privacy, and the Protection of Privacy Law (1981) (“PPL”) includes a thorough privacy regime addressing invasion of privacy, personal data protection, and the use of databases containing personal data, whether by database owners, holders/processors or managers.
Various regulations promulgated under the PPL have set out rules and procedures for (amongst others): data security, retaining and safeguarding personal data; granting data subjects the right to access and amend personal information; cross-border transfer of personal data.
The new data security regulations constitute a landmark piece of legislation due to their scope, level of detail and legal effect. In addition to the newly added industry-wide data breach notification requirement, the regulations’ provisions codify best practices for data security standards that apply to all sectors, including: establishing and documenting internal policies and procedures for data security; a requirement to conduct thorough data mapping and to manage the use of all vendors and vendor contracting; documenting, retaining logs and reporting security incidents; and – for high risk databases – performing periodic risk analysis and penetration testing. They also cover training employees; carefully managing access and authentication controls and procedures; encryption of data in traffic; restricting access to connected devices and networks; initiating regular audits; and more.
Israeli law also includes a number of sector-specific laws on privacy and data protection matters (e.g. health, banking, genetic information, communication data, etc.). In addition to the penalties under the PPL, the Israeli Registrar of Databases (the “Registrar”), heading the Protection of Privacy Authority (the “PPA”) and acting as the regulatory authority under the PPL, occasionally releases guidelines on data protection and privacy.
While these guidelines are not officially legally binding, they do however represent the Registrar’s interpretation of the PPL and also serve as guiding principles for the Registrar’s policy regarding its enforcement powers.
The Registrar has both investigative and audit powers, and the Registrar’s inspectors are authorized to conduct announced or unannounced audits at premises where databases are administered; collect evidence and seize computers/devices; and impose administrative sanctions in several forms: public declarations of fault; fines; and suspension or revocation of database registration.
To date, however, despite extensive regulatory inspections and supervision across many sectors in Israel, the Registrar has refrained from using its authority to apply large fines (although these are rather limited compared to the ones under the GDPR) or to impose harsh penalties in Israel. That may reflect: (i) how extremely cautious the Registrar has been; (ii) the lack of resources and manpower required to supervise and enforce the privacy laws; (iii) a high level of compliance with the privacy laws by companies acting within the Israeli territory. In this regard, it may also be the case that, since Israel is home to major cybersecurity players, it should be easier for companies within its territory to make the technological adaptations needed to comply with the new privacy regulations.
We also note that no “run to the courts”, with the filing of massive lawsuits by empowered individuals over possible privacy violations by companies, has occurred. This may be so because, unlike the situation in Brazil, Israeli law requires the payment of court fees in order to have access to the Israeli courts (including before the Small Claims Courts, where such fee is 1% of the sum of the claim). However, class action lawsuits are becoming more popular, due to lack of enforcement by the regulator.
Israel’s extensive privacy regime was deemed adequate under European data protection law, by the European Union, as early as 2011 (to this day only 12 additional countries have been recognized as such under different settlements). Since then, Israel’s main progress in this field has been under the expanding focus and law implementation by the PPA, and by the latest Data Security regulations which came into full effect in May 2018 – coincidentally at the same time as the European GDPR.
The privacy laws of Israel and the new Brazilian Data Protection Law have many principles and provisions in common. It seems that Israel has been relatively successful in striking the balance between the protection (and the construction of a culture) of privacy whilst not suffocating innovation by applying unbalanced heavy penalties. The privacy regulations and the European GDPR also have helped some Israeli companies to shape a new data protection software industry.
The heavy penalty imposed against Facebook by the Ministry of Justice, just last week, for a data breach still linked to the Cambridge Analytica scandal; the rumors that the Brazilian Federal Government expects to collect more than BRL 20 billion (approx. US$ 5 billion) in fines in the first year of application of the Brazilian Data Protection Law alone; and the risk of a flood of lawsuits by unrestrained consumers have all stoked fear that the application and enforcement of the new privacy law in Brazil may come at great cost to domestic and foreign companies doing business in Brazil, especially small businesses.
In such regard, it seems that the new best friend from the Middle East may shed light on how to become a privacy observant country, adequately balancing law and technology, whilst allowing big companies and startups to survive and thrive in this new Era of Privacy.