State of Privacy Brazil

A study of privacy and surveillance issues in Brazil. The State of Privacy project was last updated in January 2019, unless otherwise provided on specific pages.


Introduction

Acknowledgement

The State of Privacy in Brazil is the result of an ongoing collaboration by Privacy International and Coding Rights.

Between 2014 and 2017, Privacy LatAm contributed to previous versions of this briefing.
 

Key privacy facts

1. Constitutional privacy protection: The constitution contains an explicit protection of the right to privacy.

2. Data protection law: In 2018, Brazil approved a new General Data Protection Law.

3. Data protection agency: Whilst Brazil's newly adopted Data Protection Law did not include a Data Protection Agency, President Michel Temer issued an executive decree creating such an agency right before leaving office. This is conditional on the assessment of the National Congress within a period of 120 days.

4. Recent scandals: In the 2018 general elections, the extensive use of WhatsApp groups, using data extracted from several sources, gave way to disinformation and targeted messaging.

5. ID regime: In 2017, the Identificação Civil Nacional was established to develop a national ID card system using biometrics.

Right to Privacy

The constitution

The general principles and provisions on data protection and privacy in Brazil can be derived from the Constitution, the Brazilian Civil Code and statutes and regulations that address particular types of public and private relationships, different sectors (for example, financial institutions, the health industry, and the telecommunications industry), and the treatment of and access to documents and information handled by governmental entities and bodies. Among these statutes, the most important are the Consumer Code (Law 8078/90) and Marco Civil da Internet (Law 12965/2014).

In general terms, the Brazilian Federal Constitution of October 1988 protects the right to privacy, including the secrecy of correspondence, telegraphic, telephone and data communications.

There are also legal mechanisms that enable access to information. In response to social demands after the end of the military dictatorship, the Constitution also granted access to personal information gathered by governmental bodies. This access was enabled through the writ of Habeas Data, which was introduced in the 1988 Constitution and regulated by Law No. 9.507 of 1997 (the Habeas Data Law). The writ has influenced other Latin American countries that have implemented similar data protection instruments.

The Habeas Data writ, as a constitutional remedy, can be used to grant access to information related to the individual that is stored in governmental or public databases, to correct or update data, or to proceed with annotations or clarifications on public databases concerning pending litigation. A Habeas Data writ can be addressed to any database which collects information that is or may be transmitted to third parties as well as information that is not exclusively used by the governmental agency or legal entity that generated or managed that information. However, the Habeas Data writ is a costly and slow remedy because a petition must be presented by a lawyer after an unsuccessful data request from the defendant. The writ is not regarded as a modern data protection tool nor did it develop into such. Instead, other instruments were developed in Brazilian law to address the increasing use of electronic data processing. These instruments include the Credit Information Law and the Access to Information Law.

The Federal Constitution also refers directly to consumer protection, both in Article 5 XXXII, which considers consumer protection as a fundamental right, and Article 170 V, which establishes consumer protection as a principle of the national economic order, as well as in Article 48 of its Temporary Provisions, which creates an obligation to enact a Consumer Protection Code. That Code provides for a multifaceted framework to address consumer protection issues and balance the information and power asymmetries between consumers and business enterprises. It entails a variety of principle-based norms, which are broad enough to offer solutions to new conflicts related to information technology and the protection of privacy rights. Indeed, while the country does not have a comprehensive data protection bill in force, the Brazilian National Consumer Protection Secretariat (Senacon), which operates under the Ministry of Justice, has been the main public entity that acts as watchdog regarding the protection of privacy rights. In one famous case, a fine of R$3.5 million (around 1 million USD) was levied on the telecommunication provider Oi, which developed software called "Navegador" with the British company Phorm, which collected data traffic to create profiles of individuals' browsing patterns. Oi was accused of selling these profiles to companies seeking data for advertising or customizing content.

Regional and international conventions

Brazil has ratified a number of international instruments with privacy implications, including:

  • The International Covenant on Civil and Political Rights (ICCPR). Article 17 provides that "no one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation". The Human Rights Committee has noted that states party to the ICCPR have a positive obligation to "adopt legislative and other measures to give effect to the prohibition against such interferences and attacks as well as to the protection of this right [privacy]."
  • The American Convention on Human Rights or "Pact of San José de Costa Rica" (the "American Convention"). Brazil has been a signatory to the convention since 25 September 1992 but has not yet accepted the compulsory jurisdiction of the Inter-American Court of Human Rights.

Brazil has also been at the forefront of many of the advances made at the UN on the right to privacy. It was one of the co-sponsors of the UN Resolution 68/167 on the right to privacy in the digital age, which was adopted by the General Assembly on 18 December 2013.

Communication Surveillance

Introduction

Brazil's government reacted strongly to the revelations, from the files disclosed by Edward Snowden, that the communications of Brazilian president Dilma Rousseff and other major officials had been tapped. President Rousseff delivered an important statement at the UN General Assembly in which she stressed that "in the absence of the right to privacy, there can be no true freedom of expression and opinion, and therefore no effective democracy." She also highlighted that "the right to safety of citizens of one country can never be guaranteed by violating fundamental human rights of citizens of another country" and that "in the absence of the respect for sovereignty, there is no basis for the relationship among nations".

Following that speech, the Brazilian government took a series of actions to raise the issue of surveillance in the different UN fora, from UNESCO to a resolution about "Privacy in the digital age" approved by the General Assembly, which, after a few editions, ultimately led to the creation of a mandate for a special rapporteur on the right to privacy. Trying to address challenges of trust in internet governance, the country also held NetMundial, a global diplomatic meeting on the future of internet governance.

Internally, the Brazilian Federal Police also opened an investigation into the spying, during which it called on the presidents of Yahoo, Microsoft, Google, Facebook and Apple to testify. The Brazilian Senate also installed a Parliamentary Commission for Inquiry, entitled "CPI da Espionagem". Representatives of ICT companies and the journalist Glenn Greenwald (who received the Snowden files and lives in Brazil) were among those who were called to testify. The final report pointed out that the country was vulnerable and stressed the need for improving Brazilian systems for security and counterintelligence. It also proposed a draft bill to regulate data transfer from Brazilian citizens or companies to international organizations.

The draft bill for the Civil Rights Framework for Internet in Brazil, the so-called Marco Civil, was also significantly changed to contain several privacy provisions. After some strong debates resulted in the removal of a provision establishing the need for nationalization of data centers, it was finally enacted into law after almost six years of debate. Nevertheless, the final version of Marco Civil included mandatory data retention for connection and service providers.

The country has also gradually expanded its legal institutional framework for surveillance capacities, and has acquired new surveillance technologies, a process that was accelerated as Brazil prepared to host several international large-scale events, such as Rio+20, the World Cup and the Olympics.

Surveillance laws

Interception of communications

Interception of communications in Brazil is regulated by Law 9.296/96. This law allows for interception on both telephone and information technology systems for the purpose of instructing criminal procedures or investigations. An interception requires a court order, which can be issued directly by a court or requested by police authorities or the Office of the Public Attorney. The request must be founded on a reasonable suspicion that the person whose communications are requested has committed a crime, and that there was no other way to obtain evidence of such crime.

Safeguards are present in the law, but there are concerns as to their implementation. For example, Article 5 of the law notes that the period for surveillance may not exceed 15 days, but it can be renewed for an equivalent period of time once the indispensability of the evidence is proven. Therefore, this legislation leaves a margin for interpretation regarding its time limit, which leaves leeway for abuse.

Trying to address these issues, in 2013, the Brazilian Supreme Court considered the lack of clarity about the successive renewal of interception authorizations without a time limit as an issue subject to general repercussion (meaning that a decision on the case shall be extended to all). The final understanding of the case was that renewal would be lawful if determined by a court as the necessary and only means of proof to investigate a criminal fact.

While this seems an important restriction, data from the National Council of Justice obtained by a Freedom of Information request submitted by Internet Lab shows a substantial increase in the judicial approval of requests for communications interception. In June 2009, a total of 13965 phones and 282 electronic addresses were monitored, while in August 2013, right after World Cup protests, the total increased to 21925 phones and 1563 electronic addresses. Further, the answers received to the FOI request did not allow researchers to establish the total number of requests for interception, nor the number of rejections. As for the format of the response, it is not possible to make a direct assessment about how many of these requests led to a criminal investigation.

Blanket Data Retention

Resolutions 426/05, 477/07 and 614/13 of Anatel, the agency responsible for regulating the telecommunications industry and overseeing the provision of related telecommunication services, require service providers to retain metadata pertaining to landline and mobile telephone services.

Article 22 of Resolution No. 426/05 requires landline service providers to retain data for at least 5 years and does not include details on the type of data, use limitations or purpose specifications. Article 10, XX, of Resolution No. 477/07 provides that mobile service providers must retain user account information and billing documents containing data on incoming and outbound calls, dates, time, duration, and price for a minimum of 5 years. Article 53 of Resolution No. 614/13 requires internet connection providers to retain data for at least 1 year.

Article 17 of the Law no. 12.850/13 about organized crime requires landline and mobile telephone companies to retain "identification logs of numbers of origin and destination of telephone connection terminals" for 5 years.

Law 12.965/14, also known as the Marco Civil, requires internet connection providers to retain Internet connection logs for 1 year under Article 13. For-profit application service providers are required to store logs of access to applications for a period of 6 months under Article 15. Paragraph 2 of both articles allows for the extension of retention periods in certain circumstances, but there is no maximum time limit on the extension, which may be theoretically unlimited.

Such blanket data retention policies pose a significant interference with the right to privacy of users, as was made clear in Digital Rights Ireland v Minister for Communications and Others. The Grand Chamber of the Court of Justice of the European Union (CJEU) concluded that the 2006 Data Retention Directive, which required communications service providers to retain customer data for up to two years for the purpose of preventing and detecting serious crime, breached the rights to privacy and data protection. The CJEU observed that the scope of the data retention "entails an interference with the fundamental rights of practically the entire European population". The CJEU went on to note the Directive was flawed for not requiring any relationship between the data whose retention was provided for and a threat to public security, and concluded that the Directive amounted to a "wide-ranging and particularly serious interference" with the rights to privacy and data protection "without such an interference being precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary."

Access to Stored Data

In investigations of money laundering (Law 9.613/98) and organized crime (Law 12.850/13), police authorities and the Public Attorney's Office can directly request that service providers provide access to users' subscription data, which comprises their name, affiliation and address. Similarly, under Article 38 of ANATEL Resolution 596/12, the agency may directly request access to account information and call records of users from service providers.

In a similar way, paragraph 3 of Article 10 of Law 12.965/14 provides that subscription data (name, affiliation and address) from connection and service providers can be accessed without a court order by administrative authorities with legitimate competence. Paragraph 1 of Article 10 of the same legislation also establishes that law enforcement authorities must obtain a court order to access connection logs from service and connection providers, as well as the content of private communications. Unlike access to logs and the content of digital communications, access to subscription data does not require a court order.

While access to subscription data without a court order is still problematic, the request for a court order for connection logs could, if effectively implemented, provide some safeguard against unlawful interference with privacy. Nevertheless, the application of such provisions has led to court orders blocking some of the most popular modern digital communications applications.

Infiltration on Social Networks

Furthermore, while the number of interceptions of communications is increasing, there is another trend of law enforcement agencies interfering with privacy even without having to go through the legal procedures for approving an interception: political monitoring and infiltration on social networks.

As a blog from a police chief asserts: "the online data monitoring of the internet for the purpose of criminal evidence is not something exactly 'new'. It is already common that the police gathers information on user profiles or communities in social networks to contradict witness statements or information provided by victims and investigated. However, the scope of the sites that the police, lawyers and judges can go for information has expanded rapidly, and many more are being added daily to the list of those already existing."

So far, there is no single piece of legislation that sets boundaries for monitoring and data gathering on social media. Even so, law enforcement agencies have gone beyond web searching to compile this kind of information and have adopted practices of infiltration on digital platforms. According to Ponte Jornalismo and El País, an Army official of the Brazilian Armed Forces used, among other things, the Tinder application in order to meet women from social movements and activist groups and monitor their movements. This led to the arrest of members of one of these groups right before a planned political protest, where they were confronted by a huge operation with helicopters and lots of police officers. The group was released after a few hours with no charges. Infiltration by police agents is regulated by Section III of Law 12850 of 2013, which deals with organized crime. It has no particular provision on infiltration on digital platforms, but sets a series of requirements to authorize such practice. Those requirements are: a) it can only happen under an investigation represented by the police chief or requested by the public attorney; b) a court order setting its limits must be obtained; c) there must be indication of a crime and the proof must not be able to be produced by other means; d) infiltration can be authorized for a maximum of 6 months, which can be renewed in case there is the necessary motivation.

Malware

Currently, there is no regulation concerning the use of malware for lawful surveillance practices. Nevertheless, leaks from the Hacking Team have shown that the Brazilian Federal Police had a court order in favor of using their software for 15 days (starting from the day of the infection) on 17 targeted phones. The equipment was also exempted from competitive bidding, as it was considered "sensitive equipment and necessary for police investigation" under Law 13097.

Blockage of cell phone signals to "Guarantee Law and Order"

At the beginning of 2016, responding to a request from CCOMGEX, the National Agency of Telecommunications (Anatel) approved Act 50,265 authorizing the armed forces in Brazil to use equipment to block radio signals during the Olympic and Paralympic Games, as well as for the purpose of any operation assigned as "Law and Order Guarantee" (GLO). GLO operations are regulated by article 142 of the Constitution and Law 97/1999 and Decree 3897/2001, which allow for the military to act with police power during operations for "Law and Order" until "normality" is re-established. Such operations are determined by express order of the Presidency when "the traditional forces of public security are exhausted". The Olympics and the World Cup were considered to be such situations.

Some have considered that the announced blockage would target cellphones, while the authorities have ensured that the measure was focused on drones. In April 2014, a company called IACIT won the bidding process and sold to the Army eight SCE blockers, model SCE 0100-D, for R$ 448.228,50. According to the IACIT website, the product is called a "jammer" and is described as able to "block Drones controlled by radio. However, the SCE 0100 can be configured to block RCIED and/or Cellular communication as well."

Surveillance actors

Surveillance capabilities

As the host country of a series of mega events from Rio+20 to the World Cup and the Olympics, Brazil and particularly Rio de Janeiro have become one of the main target markets for surveillance technologies. But a comprehensive picture of the whole expenditure on security for these events, particularly on surveillance technologies, is hard to draw. The report "Security as a Commodity: Mega Events and Public Security in Brazil" published by Heinrich-Böll-Stiftung demonstrates that estimating the total costs of these events is challenging, with the investments in security spread across many different potentially overlapping bodies. For the World Cup, the cost for security and defense has been estimated at approximately R$ 2.8 billion (700 million Euros), most of this spent on technology. However, this cost is difficult to estimate as it is spread between the Ministry of Defense and the Armed Forces, the Ministry of Justice, and state security offices.

Translating all these numbers to concrete surveillance capacities is tricky. It was declared that an investment of R$108 million was spent to build Rio's Centro Integrado de Comando e Controle (CICC), inaugurated in 2013. Integrating several public databases, the Center acts as a base for monitoring the city, hosting workers from several agencies of the State, such as military, civil and highway police, fire and emergency departments and the traffic engineering company. But tracking exactly how all the figures on security for the mega-events were invested in surveillance technologies is even more difficult and mostly dependent on declarations from public agents or sellers of surveillance technologies to the press, leaks and, eventually, some freedom of information requests.

News articles show that the equipment and technology acquired by the different bodies of government and police include drones, facial recognition in airports and public transportation, mobile CICC station vehicles (equipped with movable cameras and audio capture), and high-quality video surveillance balloons (with 13 cameras each), among others. Recently an investigation by VICE News discovered that a division of the Army (CCOMGEX, the Army Command for Communications and Electronic War) has a cell-site simulator (also known as an IMSI catcher) from US-headquartered Harris Corporation. It is not clear if it was purchased for the Olympics. Finally, Hacking Team leaks have shown that the Federal Police had contracted the services of the intrusion malware company for at least 3 months with a court warrant.

Drones

Currently, anyone in Brazil who wishes to operate a UAV (which excludes small equipment used for recreational purposes) needs an express authorization from the National Agency for Civil Aviation (ANAC) or an Experimental Flight Authorization Certificate (CAVE), and the equipment must be registered at ANATEL. Also, since early December 2015, the Department of Airspace Control (Decea) from the Air Force has determined that UAVs flying over 120 meters will only get off the ground with authorization granted upon a request of at least two days' notice. It also establishes guidelines for speed according to vehicle weight. Enforcement of any of these provisions is guaranteed in the penal sphere by a broad interpretation of article 15 of Decree 3.688/1941, which establishes that flying outside the permitted area is considered a crime punishable by imprisonment or fine.

But, like many other countries, Brazil is further regulating the usage of commercial UAVs, particularly to allow some operations without the express permission of the ANAC, as currently there are many of these vehicles operating illegally. ANAC is the body in charge of establishing the core guidelines for such regulation. Following a public consultation, new rules regulating the civilian use of drones were established in May 2017. Sporadic provisions have also emerged from time to time. During the Olympics, for instance, this equipment was completely prohibited, except outside restricted areas and only for those with permits from ANAC and DECEA and with equipment registered at ANATEL.

Nevertheless, ANAC only further regulates the operation of civilian equipment; military use of these technologies is outside the scope of actions from the Agency and there is no prospect for regulating this kind of usage. In 2014, an agent from the Federal Police stated that the Federal Police had used a drone to investigate a chief drug dealer at Complexo da Maré. In 2015, drones to control protesters were presented to law enforcement agencies in Brazil during LAAD (an international fair for surveillance technologies). In August 2016, Elbit Systems, an Israeli company ranked as one of the main manufacturers of military drones, bought military communication businesses of Mectron Engenharia, a defense company from the group Odebrecht.

Surveillance oversight, checks and balances

Surveillance case law

In 2009, Brazil was found guilty by the Inter-American Court of Human Rights (IACHR) of having unlawfully intercepted communications from a farming cooperative associated with the Movimento Sem-Terra, a peasants' rights movement, in the State of Paraná in 1999. It was revealed that the surveillance operations were undertaken for a period of 39 days and the request for it was submitted by an authority which did not have powers to make such a request (the Military Police, which does not have investigatory powers). It failed to meet the tests of reasonable suspicion as the interceptions were not undertaken within a criminal investigation procedure.

Examples of surveillance

As digital technologies become integrated in the communications practices of social movements, these practices for monitoring and surveillance also evolve. The Brazilian State is still in this transition and the most recent unlawful surveillance scandals were related to wiretapping and infiltration. Examples of surveillance include:

  • In 2013, leaders from Xingu Vivo NGO met to discuss their campaign against the construction of a power plant in indigenous land and were spied upon by a man posing as a community member, who recorded conversations with a pen. After being discovered, he declared that he was supposed to send the recordings to the government's intelligence agency (Abin). The indigenous group is part of the movement against the construction of a Belo Monte Dam in the Xingu river.
  • Also in 2013, a document released by the newspaper Estado de São Paulo proved that the Institutional Security Cabinet of the Presidency had ordered the National Intelligence Agency to monitor Unions opposed to Provisory Measure 595, particularly those at Porto do Suape, in the State of Pernambuco. The goal was to track mobilization. During the operation, agents travelled across several states using for the first time an Israeli camera with high resolution streaming capabilities to capture activities in the ports. The case has caused tension among different agencies from the Sisbin system. Some have called it a "consequence of the militarization of Abin," referring to the recruitment of military personnel for the agency.
  • In 2014, during the World Cup protests, an agent from Força Nacional (an elite federal public security body that assists the states and the Union when needed) was allocated in Rio to investigate the consumption of freebase cocaine in so-called "crackland". Later, this officer had another mission: to become an "observer of protests" and infiltrate groups by pretending to do media streaming of the events. The officer was successful in the infiltration, and ultimately was included in a group of the protesters on the messaging app Telegram, which enabled him to know where every act would take place. After leaving his disguise behind, the agent served as a key witness for the indictment of 23 activists.

Data Protection

Data protection laws

The Civil Code applies to private relationships involving individuals and legal entities. Data protection acts in Brazil used to be sectoral in character, regulating specific issues (consumer protection, telecommunication, the internet, etc.) and applying only to the particular sector. There was a general data protection provision that applied only with regard to access to personal information and its eventual rectification.

In August 2018, a General Data Protection Law (LGPD) was issued, and will enter into force in early 2020. It creates a legal framework for personal data protection in Brazil, with general application, including public and private sectors, and replacing or extending existing sectoral laws.

The LGPD covers a number of issues such as a strong set of principles, rules for extraterritorial application, sound security provisions, regulation of cross-border data transfers, obligations to appoint data protection officers and to perform data protection impact assessments, among other positive features that are the fruit of years of public engagement and an active civil society intervening in the process. These provisions unify and complement the existing data protection framework, solving issues such as the extraterritorial application of Data Protection Laws, which was a common shortcoming before the approval of the LGPD.

The previous framework was a patchwork of different sectoral laws, such as the Consumer law, which can be applied to enforce consumer privacy in the case of any relationship involving a consumer and a supplier, and a Credit Information Law that applies to database-related issues concerning financial data.

Another law that deals with personal data protection is Law 12.965 of 2014, the 'Marco Civil' or Brazilian Internet Civil Rights Framework, which applies to internet users in general, internet connection providers (which promote the transmission of data packages among terminals over the Internet), on the assignment or authentication of an IP address, and Internet application providers (which provide a set of features that can be accessed by a terminal connected to the Internet). The Act establishes that any treatment of personal data that is processed in Brazil, even if partially or merely collected by means of a terminal located inside the territory, must comply with Brazilian legislation.

Accountability mechanisms

On top of the LGPD, general data protection principles can be identified in essentially all specific acts of relevant sector legislation. The biggest shortcoming of the LGPD was the lack of an enforcement agency, but on the 27th of December of 2018, President Michel Temer issued executive order Nº869, establishing a DPA and extending the grace period for compliance to August 2020, all conditional on the assessment of the National Congress within a period of 120 days.

The principle of access is probably the one with the most robust formulation in Brazilian Law, as it is clearly based on the Brazilian constitution, or more precisely, on the Habeas Data writ, as already mentioned. There is no law establishing general data quality obligations. However, both the Consumer Protection Code and the Credit Information Law impose requirements that data must be objective, clear, truthful and easily understandable (Article 43 of CPC and Article 3, par. 2 of Consumer Information Law). In the Consumer Protection Code, some privacy principles are contained in Article 43, which grants the consumer’s right to access his/her data. Consumers’ files must be objective, clear, truthful, easily understood, and cannot contain the same negative information (regarding unpaid duties, for example) for more than five years. With respect to this negative information, the consumer must be explicitly informed that such data was recorded. Moreover, a right to rectification of inaccurate or incomplete data is granted (Article 43 CPC). Credit information protection is addressed more extensively under the Credit Information Law (Law 12.414 of 2011).

Finally, Article 7 of the Internet Civil Rights Framework contains a number of guarantees for internet users:

  • Inviolability of intimacy and private life, safeguarding the right for protection and compensation for material or moral damages resulting from their breach;
  • Inviolability and secrecy of the flow of user’s communications through the Internet, except by court order, as provided by law;
  • Inviolability and secrecy of user’s stored private communications, except upon a court order;
  • Non-suspension of the Internet connection, except if due to a debt resulting directly from its use;
  • Maintenance of the quality of Internet connection contracted before the provider;
  • Clear and full information entailed in the agreements of service, setting forth the details concerning the protection of connection records and records of access to internet applications, as well as on traffic management practices that may affect the quality of the service provided;
  • Non-disclosure to third parties of users’ personal data, including connection records and records of access to internet applications, unless with express, free and informed consent or in accordance with the cases provided by law; 
  • Clear and complete information on the collection, use, storage, processing and protection of users’ personal data, which may only be used if it: justifies its collection; is not prohibited by law; and is specified in the agreements of services or in the terms of use of the internet application.
  • The expressed consent for the collection, use, storage and processing of personal data, which shall be specified in a separate contractual clause;
  • The definitive elimination of the personal data provided to a certain internet application, at the request of the users, at the end of the relationship between the parties, except in the cases of mandatory log retention, as set forth in the Law;
  • The publicity and clarity of any terms of use of the internet connection providers and internet applications providers;
  • Accessibility, considering the physical, motor, perceptive, sensorial, intellectual and mental abilities of the user, as prescribed by law; and
  • Application of consumer protection rules in the consumer interactions that take place on the Internet.

Data breaches: case law

Before the entry into force of the LGPD, which contains specific provisions on this topic, data processors in Brazil are required, in the light of liability rules and good faith standards, to take reasonable technical, physical and organizational measures to protect the security of personal data.

The Civil Rights Framework for the Internet also establishes provisions regarding the security of personal data. It requires that security and confidentiality measures and procedures in the storage and processing of personal data be informed in a clear manner by the party responsible for the provision of the services.

Case law has established the obligation of service providers and networks to establish and maintain access records (such as IP addresses, and logins) in order to identify users who might commit crimes or acts of infringement. If such records are not kept for a reasonable period of time, the service provider or network may be held jointly liable for an act of infringement. The data security standards must be relayed to the internet user and comply with standards (yet to be defined in a regulation) which will be produced by the Federal Government.

Examples of data breaches

There have been several examples of data breaches of State and private databases in Brazil. The following cases occurred in 2016:

  • In July 2016, due to security failures, a database of the Municipality of São Paulo was published, exposing personal data of an estimated 650 thousand patients and public agents from the public health system (SUS). Data included address, phone number and even medical information. Details of pregnancy stages and cases of abortion were also exposed. The spreadsheets were quickly removed from the municipality's site and an investigation was opened to determine who was responsible. According to a regulation from the Ministry of Health, patients from the SUS have the right to confidentiality of their medical records, even after death. Among possible consequences, the individuals whose names are on the exposed list could also suffer from practices of price differentiation by health insurance companies, or become victims of identity theft.
  • Banks and financial institutions have also been able to access information from a database of workers who have applied for retirement. The breach was discovered because the companies offered workers credit as retirees, even before they were notified by the National Institute for Social Security (INSS) about the approval of their retirement request. The Federal Public Attorney in São Paulo had investigated the origin of the breach and in late September proposed a lawsuit against INSS and Tifim Recuperadora de Crédito e Cobranças Ltda. The lawsuit draws on the privacy protections of the Constitution, Civil Code and Consumer legislation.
  • A hacker group called Asor Hacking Team also claimed to have carried out, in late August, an attack exposing a database from Grupo Claro, publishing data on its CEO and other senior members of the company. The group declared that the motivation for the hack was the companies' position in favour of blocking the internet once users reach a data cap. The issue has been debated in the National Congress.
  • Besides governmental failures and hacks, Brazilian companies have also not paid proper attention to security flaws. A recent example is Bematech, a Brazilian company that provides solutions for commercial automation, which include hardware, software and services. Last October, the website Tecmundo discovered a security breach that allowed anyone to access a list of all the partner companies and resellers, along with company number and address. The breach also allowed anyone to easily access revenue information from every company, and even to make requests and send the bill to another company.

These are just a few examples of data breaches, which are now more common than ever, most of them without legal consequences. Please send any additional tips or information to: research@privacyinternational.org and contact@codingrights.org.

Identification Schemes

ID cards and databases

In 2017, Law 13444/2017 was enacted. The law established the National Civil Identification (Identificação Civil Nacional, or ICN). The ICN aims at building a national ID which will draw on the biometric database currently held by the TSE (the Electoral Court which, in Brazil, is also an executive organ responsible for organizing elections).

Voter registration

Voting is mandatory for literate citizens older than 18 years and younger than 70, and is optional for citizens between 16 and 18 years and over 70 years of age. Citizens whose vote is mandatory and who fail to vote are prevented from requesting a passport, getting loans from financial institutions and assuming public office (or, if they are already in public service, receiving their salaries).

The Electoral Code of 1932 makes voting a legal requirement. Nowadays, voter registration is also regulated by the Electoral Code of 1965 and Law nº 6.236/1975. Furthermore, the vote is also electronic, aspects of which are regulated by Law nº 6.996/1982 and Law nº 7.444/1985, in addition to a number of resolutions from the Superior Electoral Court.

According to the Superior Electoral Court, as of September 2014 there are an estimated 142,822,046 registered voters in Brazil.

SIM card registration

Under Articles 42 and 58 of Regulation 477/07 of Anatel, users must provide a minimum set of personal data to be able to subscribe to a mobile telephone service. This information includes name, identity card number, and taxpayer number.

Specific regulation exists for foreigners who wish to buy a Brazilian SIM card -- they are required to present their passport.

Policies and Sectoral Initiatives

Cybersecurity policy

There is currently a discussion on the project of a National Policy on Information Security (Política Nacional de Segurança da Informação) by the Institutional Security Cabinet (Gabinete de Segurança Institucional), which aims to integrate and coordinate the area.

Cybercrime

Cybercrime has been discussed by the National Congress on several occasions since 2008. Even the initiative to develop the Brazilian Civil Rights Framework for the Internet was the result of a counter-action to a draft bill on cybercrime known as "AI5 digital". AI5 is short for "Institutional Act number 5", one of the seventeen decrees that established the military dictatorship.

In the digital realm, the bill proposed by Senator Azeredo in 2009 was broadly considered negative due to several disproportionate restrictions it would place on daily Internet usage, mostly the surveillance role it created for internet service providers, who would be required to monitor and retain user data.

After coordinated online and offline civil society protests, a campaign comparable to the protests against the SOPA and PIPA proposals in the United States, debate of that particular bill was temporarily suspended. It was held up particularly by the view that civil rights for the online environment should be established first, and only later should criminal law, such as cybercrime provisions, be discussed.

Nevertheless, public debate over the bill resumed once naked pictures of a famous actress were hacked and leaked. On that occasion, a reduced version of the bill from Senator Azeredo, with only 6 of the 23 original provisions, was approved in 2012, becoming Law 12735/2012.

Since the Marco Civil was approved in 2014, the National Congress has been proposing several draft bills that jeopardize the current status of protection. Many of these proposals have emerged from the Parliamentary Commission on Cybercrime. Proposals range from provisions on blocking applications to changing the conditions for access to users' connection and application logs, location and subscription data (some of the proposals require access points and service providers to collect this data; another proposal mandates photo identification for SIM card purchases). Most of the proposals are being compiled in a database developed by Coding Rights to track legislative procedures pertaining to digital rights: codingrights.org/pls.

Encryption

There is no prohibition or ban on encryption under Brazilian law, even though between 2015 and 2016 several court orders demanded the temporary blocking of the messaging service WhatsApp in disputes over access to encrypted data, three of them actually resulting in the application being blocked for some days. The fourth WhatsApp blockage occurred in July 2016 and, unlike previous cases in which a judge requested users' identity and conversation content, in this case the judge asked WhatsApp to disable encryption and allow for real-time monitoring of conversations. The case is an investigation into criminal organizations.

In the previous cases, WhatsApp CEO Jan Koum had argued: "Not only do we encrypt messages end-to-end on WhatsApp to keep people's information safe and secure, we also don't keep your chat history on our servers. When you send an end-to-end encrypted message, no one else can read it—not even us."

The app has already been blocked for several hours in at least three of the court orders, and a senior Facebook executive was also arrested and detained in March 2016. Temporary blockage of applications is foreseen in article 12 of Brazil's Civil Rights Framework as a possible sanction, but specifically and only if the right to privacy, data protection and secrecy of communications are not respected in the terms of articles 10 and 11 by a service provider, even if it is located abroad. Therefore, a provision that was enacted to enhance privacy protections is being wrongly applied to implement an excessive and disproportional reaction.

The latest attempt to force access to data also included another strategy: to block Facebook's access to funds. In that case, a judge blocked US$6.07 million of Facebook assets, since WhatsApp did not have accounts in the country. Nevertheless, the fight over sustaining encryption remains.

The blockage of WhatsApp also turned into a debate on the status of encryption techniques in relation to the law on access to information for purposes of LEA investigations. Following the aforementioned court orders, Brazil's main Constitutional Court, the Supremo Tribunal Federal (STF), is considering two cases, ADPF 403 and ADI 5527, on the issues of encryption and blockage of Internet applications. The court promoted a 2-day public hearing on these issues in June 2017 and its final decision is expected by 2018.

Licensing of industry

We are not aware of any specific examples of privacy issues related to the licensing of industry in Brazil. Please send any tips or information to: research@privacyinternational.org

E-governance/digital agenda

A public consultation on the Brazilian Digital Strategy (which would cover several topics related to the use of digital technology for social and economic development) was launched in 2017 by the Brazilian Ministry for Communications, Science, Technology and Innovation (MCTIC). Its results and any subsequent regulation may be disclosed in 2018.

Health sector and e-health

The Health Ministry published in 2017 its strategy for e-Health, which was compiled after a debate regarding the government's approach to the issue. The document stresses the need to integrate the public health system (SUS), to develop a legal framework for e-health and also to define the architecture to be used. It is also expected that access to public health data for research purposes will soon be regulated by the Ministry of Health, including data protection provisions.

Smart policing

We are not aware of any specific examples of privacy issues related to smart policing in Brazil. Please send any tips or information to: research@privacyinternational.org

Transport

In March 2015, the Rio de Janeiro state government announced plans to adopt a fingerprint-based transport card system. Contactless wristbands are used for ticketing in Rio de Janeiro across modes of transport. Meanwhile, facial recognition technology on buses is already in use in a number of Brazilian cities. These biometric transport systems are largely the product of public-private partnerships.

Smart cities

We are not aware of any specific examples of privacy issues related to smart cities in Brazil. Please send any tips or information to: research@privacyinternational.org

Migration

We are not aware of any specific examples of privacy issues related to migration in Brazil. Please send any tips or information to: research@privacyinternational.org

Emergency response

Although big data has been used sporadically in situations of emergency response in Brazil, as in the case of the Zika virus outbreak, when Facebook acted together with the Brazilian government in order to identify the main regions where the disease was spreading, there has been no major public notice of the use of public data for emergency response.

Humanitarian and development programmes

We are not aware of any specific examples of privacy issues related to humanitarian and development programmes in Brazil. Please send any tips or information to: research@privacyinternational.org

Social media

In 2016, judges in different Brazilian states issued court orders to telecommunications companies requiring them to cut off access to chat applications in the country because service providers had been denying law enforcement agencies access to users' data. The blocks were lifted, but it is a worrisome trend because such an order is disproportionate and affects all internet users.
