Is the Brazilian Data Protection Framework marching to a bleak future?

By: Thiago Moraes and José Renato Laranjeira de Pereira

This article provides an overview of Brazil’s data protection landscape and questions whether recent developments may cause harm both to citizen rights and to the Brazilian economy. 

At first, Brazil seemed to be aligned with the international trend of data protection laws, which have been promulgated in more than 130 jurisdictions. However, some recent developments threaten to undermine this framework and isolate the Brazilian digital market from the economic movement that has been evolving globally. Therefore, it is important for Brazil’s privacy stakeholders and its society as a whole to give more attention to the strengthening of its data protection regime.

A brief history of data protection in the Brazilian democracy

Cornerstones of the rights to privacy and data protection have been present in Brazil since the beginning of its young democracy, officially starting with its 1988 Constitution. However, due to the lack of societal awareness – in particular awareness of data protection – Brazilians have always struggled to assert the full spectrum of their rights.

The Brazilian Constitution guarantees fundamental rights of particular relevance for data protection. Article 5º, X to XII, protects both relational privacy (i.e. the possibility of a person to engage with others and to develop relationships in an intimate way, as well as to have privacy of communications, such as (e)mails and telephones) and locational privacy (i.e. boundaries for the intrusion into homes and other private environments such as the workplace). In turn, art. 5º, LXXII, regulates habeas data, which provides citizens with the right to access and to rectify information on public registries about one’s own data.

A second important norm in the early days of the Brazilian democracy was the 1990 Consumers Protection Code (Código de Defesa do Consumidor). The legislation provides groundmark rules for the right to information (art. 6º, III) and to access personal data, when stored on private databases (art. 43).

After the Constitution, Brazil moved inchmeal toward the protection of digital rights, mostly through the efforts of experts, but also motivated by events with international repercussions. Throughout the 1990s, the biggest phenomenon related to data protection was definitely the widespread adoption of the Internet in citizens’ homes. In 1995, a multistakeholder initiative brought into force the Brazilian Internet Steering Committee (Comitê Gestor da Internet no Brasil – CGI.br), composed of representatives from the government, private sector, civil society and the academic community. This group has been an important milestone in the promotion of Digital Rights.

Following that initiative, attempts have been made to bring more robustness to the right to privacy and data protection. Some of these efforts were almost unknown, even among Brazilian privacy experts. One good example is a 1996 Senate Bill on the structuring and use of records and databases on data about individuals (a rough version of personal data). The Bill, however, never came into force and was archived three years after its proposal.

In 2014, Brazil approved its Internet Bill of Rights (Marco Civil da Internet – MCI) after a procedure in which CGI.br was a major player. Four years later, the Brazilian Data Protection Legislation (Lei Geral de Proteção de Dados – LGPD) came into force as a landmark in the assurance of data protection. The approval of these two legal acts was mainly influenced by external factors: the MCI was influenced by Snowden’s revelations on the US NSA espionage on other national governments, whereas the LGPD was influenced by the Cambridge Analytica scandal and the European General Data Protection Regulation (GDPR).

Despite the enactment of such legislation, Brazilian citizens are barely concerned with the relevance of privacy and data protection issues. Recent data breach cases involving public entities, such as the National Traffic Department and State of São Paulo’s Public Registry, exposed the personal data of millions of citizens. Despite wide coverage in the media, these incidents were mainly overlooked by the public, and there was no reaction from the Brazilian population on the matter.

This lack of awareness and concern might explain why the most recent milestone for the rights to privacy and data protection in Brazil, the LGPD, is being continuously targeted for alterations which may, little by little, undermine its full effectiveness.

Leashing the Brazilian watchdog 

Since the approval of the LGPD, at least one major modification was enacted, with deep consequences to the Brazilian data protection framework. The Brazilian Data Protection Authority (DPA), Autoridade Nacional de Proteção de Dados – ANPD, once fully independent, with budgetary and administrative autonomy, was subordinated under the Presidency of the Republic.

The loss of independence of the Brazilian DPA is a paramount blow to the authority’s ability to exercise its full powers, since its role may sometimes not be aligned with the Executive branch agenda, especially in cases regarding intelligence and law enforcement agencies’ processing of personal data. Even though the LGPD does not apply to these scenarios, in a similar way to the GDPR (which is complemented by Directive EU 2016/680), there is a provision stating that they will be covered in future legislation, and ANPD will definitely be important for this future regulation.

Furthermore, the disconnection with the global trend is visible: many international cooperation forums require regulators to be independent in order to participate fully in the discussions and recommendations being drafted. One such example is the International Conference of Data Protection and Privacy Commissioners (ICDPPC), in which Brazil can currently take part only as a mere observer.

Besides these alterations, the recent approval of two presidential decrees has darkened the landscape even more. In the next paragraphs, we will assess why this new infra-legislation is worrying from a data protection perspective.

Meet Dr. Evil and “Mini” me: the Brazilian public mega databases.

The latest setbacks put forth against the LGPD happened on October 10th, when the Brazilian government enacted two Presidential Decrees: (i) 10,046/2019, which establishes norms and directives for data sharing between entities of the Brazilian federal administration; and (ii) 10,047/2019, which provides for the governance of the National Registry of Social Information and establishes the Observatory of Social Security and Information.

The intention of these decrees is mainly to simplify the provision of public services by creating a unified data record for each citizen, which shall be shared by every entity in the public federal administration. Indeed, the Brazilian public bodies currently lack any data sharing standardization. However, the legal instruments ignored the LGPD with regard to data subjects’ right of free access to the information collected and to principles such as purpose limitation, data minimization, storage limitation and transparency.

LGPD’s definitions such as personal data or sensitive data are not present in the Decrees. On the contrary, they use the term “registration data” (dados cadastrais), which covers both non-personal data, such as the name of a company, and (sensitive) personal data, such as the taxpayer registration number, electoral identification number, and biometric data collected by public institutions. In this sense, the norms give rise to legal uncertainty not only by creating ambiguity under the registration data/personal data dichotomy but also because they ignore the special attention that should be given to sensitive personal data.

Besides, the Decrees do not specify rules for further processing of personal data, which may lead to function creep. For example, it is not clear why electoral authorities should share the electoral identification number, which is only related to their processing purposes, with law enforcement authorities.

Furthermore, to enhance the effectiveness of data sharing in public administration, the Decrees institute two unified databases, the Citizen’s Base Registry (Cadastro Base do Cidadão) and the National Registry of Social Information (Cnis). These mega databases, although created in good faith to provide efficiency, may naively give room for the development of creepy surveillance systems such as the controversial Chinese citizen score. The lack of accountability measures in the Decrees quickly raises concerns regarding transparency, data retention and data security.

To make things worse, oversight is compromised: the Decrees institute the Central Committee for Data Governance, composed solely of government representatives, to monitor the unified databases and to resolve disputes. Why has this power not been extended to the ANPD? The creation of a second “watchdog” only brings conflicts of competence, which will impair the efficiency of the proposed solutions and leave citizens defenseless against abuses.

Unfortunately, the lack of awareness about the relevance of privacy and data protection issues to both economic and social matters is also present in the Brazilian congress: Bill nº 3.443/2019 intends to implement a digital government framework, to provide efficiency for the public sector. However, similar to what happens with the decrees mentioned above, few safeguards are present in the current version of the Bill.

Is there still hope?

Although the current developments seem bleak, some of the dire changes to the Brazilian data protection framework may still be addressed by the Brazilian DPA. However, this will only be possible if the Board of Directors, which will lead the ANPD, is open to a multistakeholder debate, as many digital governance initiatives throughout the world (and in Brazil) have been so far.

Strong regulation is also important for international trade. One of the strategic areas in the ongoing EU-Mercosur Trade Agreement, in which Brazil plays a leading role, is the digital economy. Soon enough, the compatibility between the Brazilian LGPD and the European GDPR may prove fundamental to the success of this deal.

In September of this year, organizations representing the private sector, civil society and the technical community published a Manifesto demanding multistakeholder and technical expertise among the members who are yet to compose the first generation of the Board, in accordance with the LGPD. If the request is accepted, this might be a first step for the Brazilian data protection framework to get back on its original track: one of a robust system which is able to protect individuals’ rights and freedoms while supporting the development of a safe and transparent digital economy, connected to the global trend.

These economic concerns may become the trigger to restore the status of the ANPD as an independent regulatory agency. In fact, the LGPD provides that the current regulatory model of the agency shall be re-discussed within two years.

Nevertheless, privacy stakeholders and citizens still have an important role to play in order to promote change. In Brazil, a coalition of digital rights organizations, Coalizão Direitos na Rede (CDR), has been continuously promoting the protection of the rights to privacy and data protection, among other human rights. They often struggle, but small victories must always be celebrated, such as postponing the voting of the above-mentioned Bill nº 3.443/2019 in order to proceed to a deeper assessment, hopefully with public hearings and expert assistance.

The efforts of CDR and similar groups are commendable, but these organizations are not enough to cover all the topics that should be discussed. The key might be in figuring out how to make Brazilian society more active in the debate, which has so far been a matter of concern only to expert stakeholders from the public and private sectors. Only through a continuous and widespread effort may a ray of light illuminate this bleak scenario.

——————————————————————–

Thiago Moraes is a specialist in technology regulation and data protection (LLM Law & Technology, Tilburg University) and founding member of the Laboratory of Public Policy and Internet at the University of Brasilia (LAPIN / UnB). Currently, he is a Blue Book Trainee in the European Data Protection Supervisor (EDPS).

José Renato Laranjeira de Pereira holds a Bachelor of Law from the University of Brasilia and is a member researcher of the Laboratory of Public Policy and Internet (LAPIN / UnB). Currently, he is a visiting researcher at the Brazilian Ministry of Science, Technology, Innovations and Communications (MCTIC).