Article 5 of
the 1988 Constitution of Brazil provides that "the privacy, private life,
honor and image of people are inviolable, and the right to compensation for
property or moral damages resulting from their violation is ensured." The Constitution also holds the home as
"inviolable," and "no one may enter therein without the consent
of the dweller, except in the event of flagrante
delicto or disaster, or to give help, or, during the day, by court
order." Correspondence and electronic communication are
also protected, except by court order "for purposes of criminal
investigation or criminal procedural finding of facts." "Access to information is ensured to
everyone and the confidentiality of the source shall be safeguarded, whenever
necessary to the professional activity." Finally, the Constitution provides for habeas data, which guarantees the
rights: a) to ensure the knowledge of information related to the person of the
petitioner, contained in records or databanks of government agencies or of
agencies of a public character; and, b) for the correction of data, when the
petitioner does not prefer to do so through a confidential process, either
judicial or administrative.
These
constitutional guarantees to privacy and data protection have since been
augmented with additional statutory protections. In 1990, Brazilian law
provided protection for the privacy of children, outlawing the total or partial
unauthorized divulgence of a child or adolescent's name, or their police, agency
or judicial documents. This law has been amended in November 2003, expressly including the Internet as a way of
perpetrating the crime of publishing or disclosing pornography involving
children or teenagers.
Broad
consumer rights in data were created under the 1990 Consumer Protection Law, which provides that consumers have access to
personal data, consumer files and other information stored in files, and
databases about themselves, as well as about the sources of this data. The law
further requires that consumer files and data be objective, clear, true, easily
comprehensible, and shall not contain derogatory information regarding periods
prior to five years ago. In addition, the opening of a consumer file, archive,
registry, or database should be communicated in writing to the consumer, if not
opened at the behest of the consumer. Also, whenever consumers find that data
and files about them are incorrect, they can demand immediate correction, and
the archivist shall communicate the due corrections within five days. Finally,
once the consumer has settled his/her debts, Credit Protection Services shall
not provide any information that may prevent or hinder further access to credit
for that consumer.
The
Telecommunications Act of 1997 states as one of its operating principles that
users of telecommunications services have the right to have their privacy
respected in the usage of their personal data.
The scope of
the constitutional right to habeas data
was clarified with the passage of additional procedures and definitions in
1997. Under the Habeas Data Law, an individual has a
right to petition for rectification of incorrect data. However, if the maintaining organization
disputes or chooses not to make the correction, the petitioner only has the right
to annotate the data with an explanation, rather than force a correction.
The
Brazilian Civil Code, effective since January of 2003, provides further
protection by declaring, "the private life of an individual is natural and
inviolable" and evinces that the judiciary, at the request of an
individual, must adopt measures to protect against actions to the contrary.
The
Financial Institutions Secrecy Law provides that "financial institutions
will preserve secrecy in their active and passive operations and
services." However, broad exemptions to this secrecy
exist, including information exchanged between financial institutions, reporting of information requested by the Secretaria da Receita Federal (Federal
Revenue and Customs Secretariat), or to report illegal activity to the
appropriate authorities. In addition, confidentiality can be breached
when necessary to confirm suspicion of any illegal activity in any phase of an
inquiry or action at law.
In addition
to the enacted legislation, there are several proposed laws under consideration
that will affect individual privacy interests. A bill promoting the privacy of
personal data in conformance with the OECD Guidelines on the Protection of
Privacy and Transborder Flows of Personal Data, to affect both public and
private sector databases, was originally proposed in the Senate in 1996. The
bill provides that: "No personal data nor information shall be disclosed,
communicated, or transmitted for purposes different than those that led to
structuring such data registry or database, without express authorization of
the owner, except in case of a court order, and for purposes of a criminal
investigation or legal proceedings. . . . It is forbidden to gather, register,
archive, process, and transmit personal data referring to: ethnic origin,
political or religious beliefs, physical or mental health, sexual life, police
or penal records, family issues, except family relationship, civil status, and
marriage system. . . . Every citizen is entitled to, without any charge, access
to his/her personal data, stored in data registries or databases, and correct,
supplement, or eliminate such data, and be informed by data registry or
database managers of the existence of data regarding his/her person."
Since then,
proposed laws have been introduced both protecting and infringing upon
individual privacy. In 2000 and 2001, a trio of bills were introduced in the Senate and House
requiring ISPs to maintain personally identifiable information such as name, ID
number, and address along with all of an individual's Internet connections,
including IP address, login and logout time. Divulgence of the information
could be made only in accordance with the law, with a penalty for unauthorized
indulgence. These three bills have since been appended onto another, which is
still pending in committee.
A general
law was proposed in 1999 delineating information crimes, including
restrictions on the collection, processing and distribution of information. In
addition, it would outlaw computer crimes such as unauthorized access to or
alteration of data or computer programs. After its approval at the House of
Representatives, the Bill has been sent to the Senate for further discussions.
Finally, in
2000, evincing a concern with data profiling practices, a law was proposed to restrict collection of personal
data and data residing on an individual's computer. The proposal states that
such data can only be collected with prior notice, under the express permission
of the subject, and used only for the purpose for which it was collected, under
penalty of a statutory fine. In April
2003, a specific Internet privacy law was proposed, to establish criminal sanctions referring to
the unauthorized disclosure of protected information and harvesting of personal
information.
Anti-spam
legislation has been introduced in several separate bills, none of which has yet reached a final vote.
Another bill, proposed in 2002, would create criminal penalties for
disseminating or selling personal data without the data subject's permission. Brazil Anti-Spam Group (a Committee composed of the main marketing,
software and advertising trade groups) issued in November 2003 an "Anti-Spam
Code of Ethics and Best Practices for the Use of Electronic Messages." This market-oriented
self-regulation initiative legitimizes the sending of "commercially
ethical" e-mails in which e-mail advertisers commit to provide accurate
information about themselves to recipients, to observe truth-in-advertising
norms, and to let recipients opt-out of future mailings, thus aiming at
promoting consumer confidence in the use of e-mails. However, the effectiveness of the Anti-Spam Code of Ethics has been
questioned as long as there are no proposed sanctions for the breach of its
terms other than the listing of the spammers on the Brazil Anti-Spam Group's
website, and that the Code of Ethics allows the sending of unsolicited e-mails
as long as some conditions have been met.
In 2003,
three separate bills were introduced to regulate the telemarketing activities – mainly, a reflection of the US
"do-not-call list." In general, the intent is to create such lists
under the control of either telemarketing companies or the Brazilian Ministry
of Communications.
In addition
to laws specifically addressing individual privacy rights and data protection,
Brazil has apparently unrelated laws and treaties that have privacy
implications. The Brazilian national policy on access to government information grants individuals the right to receive
information of general or individual concern. However, the right is
self-limited by individual privacy: "the inviolable intimacy, private
life, and honor and image of people."
In 1996, a
law regulating wiretapping was enacted. Official wiretaps are permitted for 15 days,
renewable on a judge's order for another 15 days, and can only be resorted to
in cases where police suspect serious crimes punishable by imprisonment, such
as drug smuggling, corruption, contraband smuggling, murder and kidnapping. The
granting of judicial eavesdropping permits by judges was previously an ad hoc process without any legal basis. Illegal wiretapping by police and intelligence
agencies is still common. In 1992, amid a scandal that toppled President
Fernando Collor de Mello, it was discovered that Vice President Itamar Franco's
phones at his official residence in Brasilia and in a Rio de Janeiro hotel room
had been tapped. Several ministers resigned in 1998 after tapes
of wiretapped conversation involving the Brazilian Development Bank were
disclosed in what was called the "Telegate scandal." The Brazilian
Information Agency ("Agência
Brasileira de Informações – ABIN") was suspected of wiretapping
President Cardoso after tapes of his conversations were leaked to the press in
May 1999. In 2000, a news magazine released information
obtained through wiretaps, implicating a powerful former presidential aide, a
member of the economic cabinet, a senator and several congressional deputies in
an illegal patronage and influence-trafficking network. In June 2004, President
Luis Inácio Lula da Silva nominated Mauro Marcelo Lima e Silva as the head of
ABIN. Lima e Silva, a former Police Chief, is known
for his expertise in the investigation of cybercrimes and his academic
experience at the Federal Bureau of Investigation in the United States.
The Federal
Penal Code was altered in 2000 to criminalize certain information crimes. The insertion of false data into an information
system is punished by a prison sentence of two to 12 years. Unauthorized alteration of an information
system is punishable by detention from three months to two years. Federal Penal Code and Federal Procedural Penal
Code were also altered on July 2003 in order to strengthen sanctions corresponding
to the violation of copyrights, and to criminalize the unauthorized
distribution of copyrighted works through cable, fiber optics, satellite, waves
or any other means. Changes in Federal Procedural Penal Code facilitated search
and seizure procedures, thereby minimizing the defendant's rights. As a
consequence, criminal actions have been initiated by the Brazilian Association
of Record Producers (ABPD) against suspects of online music distribution.
According to the ABPD's website, they have been monitoring the Brazilian
Internet since 1999 – even before the alterations to Federal Penal Code were
enacted – and such practices could represent potential privacy violations,
since the intercept of Internet communications is allowed only with a judge's
order.
In the
beginning of 2003, São Paulo State Attorney's General Office (Ministério Público do Estado de São Paulo) investigated and questioned the data collection
and processing practices of a major supermarket chain (CBD) that tracked its
customers' purchases thanks to a loyalty card marketing scheme. As a consequence, on June 2003, São Paulo State
Attorney's General Office and CBD executed an Undertaking of Performance (Termo de Ajustamento de Conduta) in which CBD committed itself to clearly inform
its clients about the scope and intended use of the data it collected from
customers, as well as to obtain their express consent before any future data
collection. CBD further promised to delete customers' names from its current
database if they did not expressly authorize the processing of their data.
On December
2003, the Brazilian Supreme Court issued a decision mitigating the scope of
privacy rights. According to such decision, the seizure of
e-mails stored in computers upon a court order is an issue referring to privacy
rights instead of the protection of electronic communications. The Brazilian
Supreme Court recognized that such privacy rights are not absolute, and may
therefore be mitigated in view of social and public interests, as well as in
view of the interest of justice.
A decision issued
by the Brazilian 9th Regional Labor Court determined that auditing or monitoring an
employee's computer is illegal as it is considered to be a violation of the
principle of secrecy of electronic communications. Any employer's labor
agreement allowing such monitoring practices is therefore considered illegal.
Any monitoring shall be authorized only upon a prior court order.
Due to security concerns, the number of surveillance cameras
in public and private places has increased significantly in Brazil. Some
regulations have been implemented in this regard. The City of São Paulo, for
instance, passed a Municipal Law determining the
installation of signs informing the public of the existence of surveillance
cameras, both in public and private areas. Recorded images are meant to be
confidential and protected under law. Failure to comply with the installation
of warning signs may subject infringers to statutory fines.
On January 9, 2004, the City of São Paulo regulated the activity of
computer games in "Lan Houses," by mandating those
establishments to register patrons under 18 years old, or to face civil
penalties of up to BRL 6,000 and business license revocations.
The social
relationship network called "Orkut," affiliated with Google, recently
became a craze in Brazil. As of June 2004, Brazil surpassed the United States
in the number of active users. Brazilians represent more than one-third of
Orkut's members.
Potential
negative privacy impacts concerning the disclosure of personal information and
preferences within such services have been mostly neglected by Brazilians in
general.
It is worth
mentioning that there is currently neither a public data agency in Brazil nor
private entities acting specifically in the defense of privacy rights.
Brazil signed the American
Convention on Human Rights on September 25, 1992. The Convention provides that every
person has "the right to have his honor respected and his dignity
recognized." Additionally, "no one may be the object of arbitrary or
abusive interference with his private life, his family, his home, or his
correspondence, or of unlawful attacks on his honor or reputation. And everyone
has the right to the protection of the law against such interference or
attacks."
