Personal data: responsibility for the data processing

Article 35 of the personal data protection draft bill establishes that all agents involved in the data processing process and that through this treatment, cause material or moral damage to someone will be obliged to compensate this damage. In other words, the article sets out the liability of those who conduct data processing:

Art. 35. Anyone who, through the processing of personal data, cause to another material or moral, individual or collective damage, is obliged to reimburse it.

A contribution placed on the platform seems to disagree, at least in part, with what was laid down in that article. The participant Roberto Taufick indicates the need to clarify the exception of the case of ISP (internet service providers) or, in the language employed in the Marco Civil da Internet, the connection providers:

“It is necessary to clarify that no one can be held responsible for the content due to the mere exercise of ISP activity (which has the characteristic of “carrier”, where there is no liability for uploaded content). The responsibility of the intermediary (“intermediary liability”) has the undesired effect of instigating lockout policies, or discrimination of the content of content providers (‘edge providers’), opposite to the desired result with the Marco Civil da Internet (which, by welcoming net neutrality, welcomes the principles of ‘no blocking, no throttling, no paid prioritization’).”

Apparently, this comment refers to Article 18 of the Civil Marco Internet (Law 12965/14), which reads as follows:

Art. 18. The Internet connection provider shall not be held civilly liable for damages arising from content generated by third parties.

At first glance, it may seem that the standards set in the two articles would conflict should the draft bill be approved. But is there really a conflict? Is the rule of non-liability of connection providers referred to in the Marco Civil to be seen as an exception to the liability due to data processing?

The answer is no. It is quite true that the Marco Civil da Internet and the Data Protection Draft Bill in many ways address the same issues, but this is not what occurs in this case.

The two mentioned articles in fact deal with different things. While Article 35 of the draft bill aims to restrain and remedy the misuse of personal data (data related to an identified or identifiable natural person), Article 18 of the Civil Marco aims to exempt liability of providers for the activity of users on the network (comments, videos and photos published, for example). They are different solutions for different regulatory problems.

Basically, the distinction lies in the fact that “content generated by third parties” and “personal data” are not the same. While in the first case the idea is to remove the possibility of control by Internet platforms of user-generated content – which would protect the freedom of speech, in the second case the aim is to strengthen the security of the processing of personal data held by the citizen – which would protect their privacy and intimacy.