A service that plans to charge companies to check customers' identity using publicly held biometric data could violate citizens' rights, lawyers familiar with Brazil's data protection laws have said.
A São Paulo state decree issued on 21 March aims to give public bodies access to a newly created database of citizens' biometric data. One public body, the state gazette IMESP, announced plans the same day to launch an identity confirmation service that will use the data.
Under the plan, private companies can pay IMESP to confirm the identity of their customers. But Mundie e Advogados partner Elinor Cotait says the plan could violate citizens' rights if IMESP fails to obtain their consent.
"Data subjects provide their biometric data to public bodies based on the belief that their data will only be processed for specific public needs," she says, adding that several sector-specific laws state that consent is needed before personal data can be processed.
To avoid falling afoul of the law, IMESP would need to obtain specific consent from citizens to use their data as part of its identification confirmation service – a process that Thiago Sombra at Mattos Filho, Veiga Filho, Marrey Jr e Quiroga Advogados says could be "difficult".
"What IMESP is proposing is using data for a different purpose to what it was collected for," he says. "This means it would have to inform and seek consent at a time they use the data for a different purpose."
Trench Rossi e Watanabe partner Flavia Rebello Pereira says the biometric data of most of São Paulo's 45 million citizens will be a "very big target for a cyberattack".
Brazil still lacks general federal regulation of data protection, and relies on sector-specific legislation like the Brazilian Civil Rights Framework for the Internet to regulate the collection, storage and processing of personal data.
According to Paulo Brancher of Azevedo Sette Advogados, the questions raised by IMESP's plan to use personal data for commercial purposes highlight the need for a general framework. "The state decree does not set minimum standards for data transfers between public entities nor does it clarify whether private entities can have access to that data, so there is a lack of clarity there," he says.
"There are provisions in the internet law about obtaining consent, but that only applies to internet application services," said Pinheiro Neto Advogados' Raphael de Cunto. "The latest decree does not provide clear data protection safeguards. For instance, it does not say how individuals will be informed about the use of their data."
Brazil's Congress is currently debating two bills that would introduce general data protection laws, and is expected to pass at least one this year or in 2019.
This story was written for Global Data Review, a new service by Latin Lawyer's publisher, Law Business Research.