Article 5 of the 1988 Constitution of Brazil[721] provides that "the privacy, private life, honor and image of persons are inviolable, and the right to compensation for property or moral damages resulting from their violation is ensured."[722] The Constitution also holds the home as "inviolable," and "no one may enter therein without the consent of the dweller, except in the event of flagrante delicto or disaster, or to give help, or, during the day, by court order."[723] Correspondence and electronic communication are also protected, except by court order "for purposes of criminal investigation or criminal procedural finding of facts."[724] "Access to information is ensured to everyone and the confidentiality of the source shall be safeguarded, whenever necessary to the professional activity."[725] Finally, the Constitution provides for habeas data, which guarantees the rights: a) to ensure the knowledge of information related to the person of the petitioner, contained in records or databanks of government agencies or of agencies of a public character; and, b) for the correction of data, when the petitioner does not prefer to do so through a confidential process, either judicial or administrative.[726]
These constitutional guarantees to privacy and data protection have since been augmented with additional statutory protections. In 1990, Brazilian law provided protection for the privacy of children, outlawing the total or partial unauthorized divulgence of a child or adolescent's name, or their police, agency or judicial documents.[727] Soon after, broad consumer rights in data were created under the 1990 Consumer Protection Law,[728] which provides that consumers have access to personal data, consumer files and other information stored in files, and databases about themselves, as well as about the sources of this data. The law further requires that consumer files and data be objective, clear, true, easily comprehensible, and shall not contain derogatory information regarding periods prior to five years ago. In addition, the opening of a consumer file, archive, registry, or database should be communicated in writing to the consumer, if not opened at the behest of the consumer. Also, whenever consumers find that data and files about them are incorrect, they can demand immediate correction, and the archivist shall communicate the due corrections within five days. Finally, once the consumer has settled his/her debts, Credit Protection Services shall not provide any information that may prevent or hinder further access to credit for that consumer.
The Telecommunications Act 1997 states as one of its operating principles that users of telecommunications services have the right to have their privacy respected in the usage of their personal data.[729]
The scope of the constitutional right to habeas data was clarified with the passage of additional procedures and definitions in 1997.[730] Under the Habeas Data Law, an individual has a right to petition for rectification of incorrect data.[731] However, if the maintaining organization disputes or chooses not to make the correction, the petitioner only has the right to annotate the data with an explanation, rather than force a correction.[732]
The Brazilian Civil Code, effective since January of 2003, provides further protection by declaring, "the private life of an individual is natural and inviolable" and evinces that the judiciary, at the request of an individual, must adopt measures to protect against actions to the contrary.[733]
The Financial Institutions Secrecy Law provides that "financial institutions will preserve secrecy in their active and passive operations and services."[734] However, broad exemptions to this secrecy exist, including information exchanged between financial institutions,[735] reporting of information requested by the Secretaria da Receita Federal (Federal Revenue and Customs Secretariat),[736] or to report illegal activity to the appropriate authorities.[737] In addition, confidentiality can be breached when necessary to confirm suspicion of any illegal activity in any phase of an inquiry or action at law.[738]
In addition to the enacted legislation, there are several proposed laws under consideration that will affect individual privacy interests. A bill promoting the privacy of personal data in conformance with the OECD guidelines, to affect both public and private sector databases, was originally proposed in the Senate in 1996. The bill provides that: "No personal data nor information shall be disclosed, communicated, or transmitted for purposes different than those that led to structuring such data registry or database, without express authorization of the owner, except in case of a court order, and for purposes of a criminal investigation or legal proceedings...It is forbidden to gather, register, archive, process, and transmit personal data referring to: ethnic origin, political or religious beliefs, physical or mental health, sexual life, police or penal records, family issues, except family relationship, civil status, and marriage system...Every citizen is entitled to, without any charge, access to his/her personal data, stored in data registries or databases, and correct, supplement, or eliminate such data, and be informed by data registry or database managers of the existence of data regarding his/her person."[739]
Since then, proposed laws have been introduced both protecting and infringing upon individual privacy. In 2000 and 2001, a trio of bills[740] were introduced in the Senate and House requiring ISP's to maintain personally identifiable information such as name, ID #, and address along with all of an individual's Internet connections, including IP address, login & logout time. Divulgence of the information could be made only in accordance with the law, with a penalty for unauthorized indulgence. These three bills have since been appended onto another, which is still pending in committee.[741]
A general law was proposed in 1999[742] delineating information crimes, including restrictions on the collection, processing and distribution of information. In addition, it would outlaw computer crimes such as unauthorized access to or alteration of data or computer programs.
Finally, in 2000, evincing a concern with data profiling practices, a law[743] was proposed to restrict collection of personal data and data residing on an individual's computer. The proposal states that such data can only be collected with prior notice, under the express permission of the subject, and used only for the purpose for which it was collected, under penalty of a statutory fine.
Anti-spam legislation has been introduced in several separate bills,[744] none of which has yet reached a final vote. Proposed Law 7,093, for instance, puts forward an opt-out plan, with the sender of the unsolicited e-mail subject to sanctions.[745] Another bill, proposed in 2002, would create criminal penalties for disseminating or selling personal data without the data subject's permission.[746]
In addition to laws specifically addressing individual privacy rights and data protection, Brazil has apparently unrelated laws and treaties that have privacy implications. The Brazilian national policy on access to government information[747] grants individuals the right to receive information of general or individual concern. However, the right is self-limited by individual privacy: "the inviolable intimacy, private life, and honor and image of people."[748]
Brazil signed the American Convention on Human Rights[749] on September 25, 1992. The Convention provides that every person has "the right to have his honor respected and his dignity recognized." Additionally, "no one may be the object of arbitrary or abusive interference with his private life, his family, his home, or his correspondence, or of unlawful attacks on his honor or reputation. And, everyone has the right to the protection of the law against such interference or attacks."
In 1996, a law regulating wiretapping was enacted.[750] Official wiretaps are permitted for 15 days, renewable on a judge's order for another 15 days, and can only be resorted to in cases where police suspect serious crimes punishable by imprisonment, such as drug smuggling, corruption, contraband smuggling, murder and kidnapping. The granting of judicial eavesdropping permits by judges was previously an ad hoc process without any legal basis.[751] Illegal wiretapping by police and intelligence agencies is still common. In 1992, amid a scandal that toppled President Fernando Collor de Mello, it was discovered that Vice President Itamar Franco's phones at his official residence in Brasilia and in a Rio de Janeiro hotel room had been tapped.[752] Several ministers resigned in 1998 after tapes of wiretapped conversation involving the Brazilian Development Bank were disclosed in what was called the "Telegate scandal." The Agencies Brasileira de Informacoes (Abin) was suspected of wiretapping President Cardoso after tapes of his conversations were leaked to the press in May 1999.[753] A newsmagazine released wiretaps in 2000 implicating a powerful former presidential aide, a member of the economic cabinet, a senator and several congressional deputies in an illegal patronage and influence-trafficking network.[754]
The Federal Penal Code was altered in 2000 to criminalize certain information crimes.[755] The insertion of false data into an information system is punished by a prison sentence of 2 to 12 years.[756] Unauthorized alteration of an information system is punishable by detention from 3 months to 2 years.[757]