III. Privacy issues
Biometrics and identity
The major private bank in Brazil, Bradesco, has begun to test a biometric identification module for ATM called "Palm Vein." This is a hand reading system with sensors able to recognize the hand's vein pattern. Other banks are expected to do the same1 as well as many other businesses such as fitness centers, nightclubs2 and even at least one University.3
In November 2006, the Brazilian National Road Traffic Council approved a Resolution adopting a Radio Frequency Identification (RFID) tags in all licensed vehicles across the country. The Resolution aims to reduce the number of car thefts, facilitate the recovery of stolen vehicles, improve the control of payment of automotive-related taxes, and allow better traffic planning.4 The installation of such tags will be performed by State Traffic Departments, at no cost for vehicles' owners, and shall be fully implemented within 5 years. The Resolution creates the SINIAV, or "National System for the Automatic Identification of Vehicles,"5 to manage the required infrastructure. In terms of privacy protections for personal data, the Resolution simply states that information obtained through SINIAV that requires secrecy will be "preserved according to the terms of the Federal Constitution on the laws that regard this matter."
Due to security concerns, the number of surveillance cameras in public and private places has increased significantly in Brazil. Some regulations have been implemented in this regard. The City of São Paulo, for instance, passed a Municipal Law6 mandating the installation of signs notifying the public of the existence of surveillance cameras, both in public and private areas. Recorded images are meant to be confidential and protected under law. Failure to comply with the installation of warning signs may subject infringers to statutory fines.
Privacy case law
On December 2003, the Supreme Court issued a decision mitigating the scope of privacy rights.7 According to the decision, the seizure of e-mails stored in computers, upon a court order, is an issue referring to privacy rights instead of the protection of electronic communications. The Supreme Court recognized that such privacy rights are not absolute, and may therefore be mitigated in view of social and public interests, as well as in view of the interest of justice.
In 2006, the Court of Düsseldorf, Germany requested that the Brazilian Superior Court of Justice (Superior Tribunal de Justiça) disclose the web log and personal data concerning the user of a particular IP (Internet Protocol) address that had been used to unlawfully deny access to certain websites. The Superior Court decided that such records (name and address) are not protected by any privacy and/or secrecy regulations.8 In fact, the same court had previously ruled that the inspection of a Brazilian Internet Service Provider's log would not hurt "sovereignty or public order".9
A general bill was proposed in 199910 delineating information crimes, including restrictions on the collection, processing and distribution of information. In addition, it would outlaw computer crimes such as unauthorized access to, or alteration of, data or computer programs. After its approval at the House of Representatives, the bill was sent to the Senate for further discussions. As of June 2007 the bill is still under deliberation.
In February 2003, a privacy bill was introduced, which would make illegal the transmission to a third party of information provided by a person or organization.11 An amendment was made in June 2003, establishing that this prohibition would not apply to public organizations, registries or notaries. In April 2003, an Internet privacy law was proposed to establish criminal sanctions referring to the unauthorized disclosure of protected information and harvesting of personal information.12 As of May 2007 the bill is still under deliberation.
An Internet identification and data retention bill intended to reduce cyber crimes caught the attention of Brazilians in 2006.13 This bill originally provided that Internet users should always identify themselves before using the Internet, through personal identification cards or digital certificates; it also stipulated that providers retain logs for three years. This provision drew much opposition from NGOs and government alike, as it could be seen as a threat to universal digital access.14 The bill was recently amended to remove the compulsory identification provision. However, the bill still contemplates delegating surveillance powers and responsibilities to the private sector by using Internet Service Providers to identify illegal conduct supply the police with the personal data of the suspect.15
The first data protection bill based on European data protection standards has been undergoing amendments for the last two years and is currently being evaluated at the Senate.16
The use of digital certification in Brazil is regulated by specific norms.17 Current regulation foresees two different levels of digital certificates: those issued under the structure of ICP-Brasil (Brazilian Public Key Infrastructure), which are considered presumptively valid, and those issued by certification authorities outside the structure of ICP-Brasil, which may be considered valid if such validity has been granted or accepted by the parties or persons, and/or entities to which such documents have been presented. Technical regulation of the digital certification system is issued by ICP-Brasil's Steering Committee. ICP-Brasil stands as a hierarchical public-key infrastructure, in which the Root Certification Authority plays a fundamental role, certifying further certification authorities in the structure. The Instituto Nacional de Tecnologia de Informação (ITI) (the Brazilian Information Technology Institute), an entity directly connected to the Presidential Cabinet, is the Root Certification Authority of ICP-Brasil. ITI also stands as the entity officially entitled to promote the popularization of digital certificates in Brazil.
Use of ICP-Brasil's digital certificates is already compulsory in some spheres. In particular, its use is required in certified electronic communications between entities of the federal administration, such as ministries. Recently, the Federal Revenue and Customs Secretariat determined that the use of ICP-Brasil's digital certificates should be compulsory for the delivery of tax statements for companies whose income surpasses BRL 30 million per year (about USD 10 million per year).18 As of now, tax statements for individuals and companies with lower yearly income may also be performed by electronic means, without the use of digital certificates. Nevertheless, the Federal Revenue and Customs Secretariat showed its express intent to compel all electronic statement deliveries to be performed with the use of digital certificates in the coming years. However, a recent preliminary ruling by a federal court has determined that no law firm in the state of São Paulo is required to acquire a digital certificate in order to fulfill their tax obligations based on the fact that such a requisite violates basic constitutional principles, such as legality and the public administration morality.19
Voting is mandatory in Brazil20 for citizens between the ages of 18 and 70 and voluntary for those 16-18 and over 70. After two periods of suspended democratic rule, public elections returned once again to Brazil in 1982.21 In 1989, Brazil introduced computer voting in the Santa Catarina State. By 1996, almost a third of Brazil's22 100 million voters cast ballots on direct recording electronic (DRE) voting machines. In 1998, 57 percent of the country's voters cast ballots on DREs. In 2002, Brazil held the first fully electronic election in the world with more than 115 million participants voting.23 Chapter 4, Article 14 of the Constitution guarantees the secrecy of the ballot in public elections to its citizens.24
A 1997 law provided for the creation of a National Register for Civil Identification.25 The law stated that each Brazilian citizen should have a unique identification number, which would be linked to further data on the citizen and should be used in every relationship with public and private entities. The law also said that all the current ID documents would not be valid after a 5-year term beginning from the enactment of the law. However, more than ten years after its issuance, no further norms have been issued, nor has the National Register for Civil Identification been implemented.
Broad consumer rights in data were created under the 1990 Consumer Protection Law,26 which provides that consumers have access to personal data, consumer files and other information stored in files, and databases about themselves, as well as about the sources of this data. The law further requires that consumer files and data be objective, clear, true, easily comprehensible, and shall not contain derogatory information regarding periods prior to five years ago. In addition, the opening of a consumer file, archive, registry, or database should be communicated in writing to the consumer, if not opened at the behest of the consumer. Also, whenever consumers find that data and files about them are incorrect, they can demand immediate correction, and the archivist shall communicate the corrections within five days. Finally, once the consumer has settled his or her debts, Credit Protection Services shall not provide any information that may prevent or hinder further access to credit for that consumer.
It is worth mentioning that there is currently neither a public data agency nor private entities specifically acting in the defense of privacy rights. Courts have recognized that infringement upon any of these rights is subject to costly settlements, based on consumers' affected moral rights.27
In the beginning of 2003, São Paulo State Attorney's General Office (Ministério Público do Estado de São Paulo) investigated and questioned the data collection and processing practices of a major supermarket chain (CBD) that tracked its customers' purchases thanks to a loyalty card marketing scheme.28 As a consequence, on June 2003, São Paulo State Attorney's General Office and CBD executed an Undertaking of Performance (Termo de Ajustamento de Conduta)29 in which CBD committed itself to clearly informing its clients about the scope and intended use of the data it collected from customers, as well as to obtain their express consent before any future data collection. CBD further promised to delete customers' names from its current database if they did not expressly authorize the processing of their data.
Some of the biggest legal and public Internet-related debates involve Orkut, a social network service run by Google Inc. The majority of Orkut's users are Brazilian30 and its popularity in the country gave rise to a series of legal issues including cyber crime, paedophilia, and defamation. By the end of 2004, a group hijacked several communities in Orkut, by using a social engineering attack against community owners exploiting flaws both in Orkut and Microsoft Internet Explorer.31 More than 30 communities, which are areas for internal discussion of various subjects, each of them including more than 1,000 members, were hijacked. Communities were returned to their original owners some time later. Orkut later implemented better security measures to prevent similar problems from happening again. In April 2005, the Brazilian Information Agency (Agência Brasileira de Informações – ABIN) took down two allegedly false profiles from the Orkut network, one for the Chief Ministry of the Communication and Strategic Management Secretary, Luiz Gushiken, and the other for the President's wife.32
In almost all Orkut legal cases, the specific privacy concern relates to judges requesting Google Inc. to provide Orkut users' personal identification in order to investigate and eventually prosecute users. In October 2006, a federal judge ordered Google Inc. to supply a users' personal information in a case involving child pornography.33 Other rulings followed the same path,34 leading to a certain degree of collaboration of Google Inc. with law enforcement agencies (after a prior denial period) and hence even to a deal between Google Inc. andMinistério Público do Estado do Rio de Janeiro (the District Attorney’s Office in the State of Rio de Janeiro).35 In 2006, the Federal Attorney General's Office initiated legal proceedings in order to hold Google's Brazilian Office responsible for the provision of information to law enforcement. The initial court decision fining Google R$ 50,000 (approximately USD 25,000) for the security breach was subsequently overturned on appeal.36
A YouTube video showing a famous Brazilian model in a very intimate situation caused a judge to order YouTube to ban the video. This order caused major Brazilian Internet Service Providers to block the entire YouTube site. As a result of anti-censorship protests that arose, the same judge ordered the restoration of the YouTube site a few days later, observing that YouTube should ban that particular video.37
Unsolicited Commercial E-mails ("Spam")
Anti-spam legislation has been introduced in several separate bills,38 none of which has yet reached a final vote. A bill, proposed in 2002, would create criminal penalties for disseminating or selling personal data without the data subject's permission.39 In 2003, three separate bills were introduced to regulate the telemarketing activities, and two in 2004 - mainly, a reflection of the US "do-not-call list."40 In general, the intent is to create such lists under the control of either telemarketing companies or the Brazilian Ministry of Communications.
The Brazil Anti-Spam Group created a market-oriented self-regulation initiative to encourage advertisers to provide accurate information about themselves to recipients, to observe truth-in-advertising norms, and to let recipients opt-out of future mailings, thus aiming at promoting consumer confidence in the use of e-mails.41 However, the effectiveness of the Anti-Spam Code of Ethics has been questioned, because there are no proposed sanctions for the breach of its terms other than the listing of the spammers on the Brazil Anti-Spam Group's website and because the Code of Ethics allows the sending of unsolicited e-mails as long as some conditions have been met.42
A ruling by a court of Florianópolis considered receiving unsolicited e-mail something perfectly normal in the "cybernetic age" and unable to result in either moral or actual damages.43 Meanwhile, the spam problem began to be addressed by non-governmental institutions, such as the Comitê Gestor da Internet no Brazil – CGI.br (Brazilian Internet Managing Committee).44 CGI.br launched a website and a campaign to instruct on the proper behavior online to avoid spam, as well as to support research for legal solutions.45
The Financial Institutions Secrecy Law provides that "financial institutions will preserve secrecy in their active and passive operations and services."46 However, broad exemptions to this secrecy exist, including information exchanged between financial institutions,47 reporting of information requested by the Secretaria da Receita Federal (Federal Revenue and Customs Secretariat),48 or to report illegal activity to the appropriate authorities.49 In addition, confidentiality can be breached when necessary to confirm suspicion of any illegal activity in any phase of an inquiry or action at law.50 As a rule, such a confidentiality breach shall depend upon a court order.
The Brazilian Supreme Court has declared that bank records are private, and are covered by the constitutional right to privacy.51 This entails that bank records may only be used as exhibits in judicial proceedings if previously authorized by a judge. The Supreme Court in 2006 ruled that the inviolability of computer data is not absolute.52 In cases of seizure of computers in conformity with legal requirements, the information contained therein may be used as evidence. Furthermore, such use does not constitute a violation to the secrecy of data communications, even if the information is in electronic format. The Superior Court of Justice decided that information contained in individual income tax declarations is protected by secrecy.53 However, the Court affirmed that "there are no reasons for secrecy" with regard to information concerning the addresses of judgment debtors.
In addition, a 2004 ruling issued by the Rio Grande do Sul State Court of Justice54 determined that the breach of secrecy concerning banking accounts constitutes an intrusion into an individual's privacy, and that, as long as such privacy rights are protected by the Brazilian Constitution, any breach to such rights may only be justified by a clear determination of the need for the intrusion based on a plausible argument. Based on that reasoning, the Court denied a company's request for information regarding the defendant's banking records.
On the other hand, since 2002 the Brazilian Central Bank has been implementing an electronic system named "Bacen-Jud,"55 which allows judges to determine, through a judicial order sent via electronic means, whether to freeze accounts held by individuals in any financial institution in Brazil.
On January 9, 2004, the City of São Paulo regulated the activity of computer games in "Lan Houses,"56 by mandating those establishments to register patrons under 18 years old, or to face civil penalties of up to BRL 6,000 (2,320 EUR) and business license revocations.57
Medical record keeping is regulated by the Federal Council of Medicine (Conselho Federal de Medicina - CFM).58 Regulations authorize the use of electronic means for the storage of such documents, not only for documents originally in the electronic format, but also for digitized documents originally created as paper documents. Specific procedures in order to ensure the confidentiality, privacy and integrity of the data have been established, and the secure transmission of data shall use ICP-Brasil's digital certificates in order to ensure its confidentiality.
Under the scope of the Federal Decree on the Safeguard of Confidential Data,59 the Brazilian National Health Surveillance Agency (Agência Nacional de Vigilância Sanitária – ANVISA) issued a regulation concerning the secrecy, security and access to its own information.60 According to its terms, each ANVISA employee shall execute non-disclosure agreements concerning the information obtained during his or her working hours. Non-authorized disclosure, use or grant of access to confidential information within ANVISA is now punished by administrative, civil and criminal sanctions.
An internal regulation of the House of Representatives determined specific rules for the use of e-mail by their deputies and staff.61 The fact that the Information Technology Center of the House is competent to regulate and supervise e-mail systems, and is entitled to gather evidence on potential unauthorized uses, has raised some concerns on potential privacy violations of deputies' e-mails.
The 9th Regional Labor Court has found that auditing or monitoring an employee's computer is an illegal violation of the secrecy of electronic communications.62 Any employer's labor agreement allowing such monitoring practices is therefore also considered illegal. Any monitoring shall be authorized only upon a prior court order. Another decision, issued by the 10th Regional Labor Court,63 held that the privacy right and the right to the secrecy of correspondence and electronic communications are inviolable. As a consequence, evidence obtained by infringing these rights will not be admissible.
The highest Brazilian Labor Court (TST - Tribunal Superior do Trabalho) issued a series of cases regarding privacy and corporate e-mail. One decision stated that an employee doesn't have a reasonable expectation of privacy when using his corporate email account. Only the personal or private e-mail account based on its own server can take advantage of the constitutional and legal inviolability; corporate e-mail, based on resources supplied by the employer follows a different rule. It is possible for the employer to monitor employee use of a corporate e-mail account in the workplace.64 Another important decision in 2006 stated that video monitoring in the bathrooms of one company are illegal, as an offence of employees' privacy.65
- 1. http://www.ciab.org.br/ingles/release/03_Release_Biometria_ing.pdf
- 2. http://tecnologia.uol.com.br/especiais/ultnot/2005/07/21/ult2888u71.jhtm
- 3. http://www1.folha.uol.com.br/folha/informatica/ult124u21497.shtml
- 4. http://www.denatran.gov.br/download/Resolucoes/RESOLUCAO_212.rtf
- 5. Sistema Nacional de Identificação Automática de Veículos.
- 6. São Paulo City Municipal Law No. 13,541, March 24, 2003.
- 7. Supremo Tribunal Federal, Agravo Regimental no Recurso Extraordinário No. 373.058-4 – RS.
- 8. https://ww2.stj.gov.br/decisoesmonocraticas/decisao.asp?registro=2005001...
- 9. https://ww2.stj.gov.br/decisoesmonocraticas/decisao.asp?registro=2006002...
- 10. House of Representatives Proposed Law No. 84, 1999, altered to Senate Proposed Law No. 89, 2003.
- 11. House of Representatives Proposed Law No. 123, 2003.
- 12. Senate Proposed Law No. 95, 2003.
- 13. Substitutive Senate Proposed Law No. 76, 2000.
- 14. http://www.estadao.com.br/tecnologia/internet/noticias/2006/nov/07/98.htm
- 15. http://www.denunciar.org.br/twiki/pub/SaferNet/PLSEduardoAzeredo/PLS_Aze...
- 16. http://www.senado.gov.br/sf/atividade/materia/detalhes.asp?p_cod_mate=71080
- 17. In particular, Federal Provisional Measure 2200-02, August 24, 2001.
- 18. Secretaria da Receita Federal, Normative Instruction 482, December 21, 2004.
- 19. 3ª Vara Federal de São Paulo, Mandado de Segurança No. 2005.61.00.004736-2, Juíza Maria Lúcia Lencastre Ursaia, j. April 6th, 2005.
- 20. http://www.aceproject.org/main/samples/lf/lfx_l005.pdf
- 21. http://www.ccc.commnet.edu/stuweb/~quiterio5816/History.htm
- 22. http://lists.virus.org/isn-9902/msg00059.html
- 23. http://www.centerdigitalgov.com/international/story.php?docid=29221
- 24. http://www.oefre.unibe.ch/law/icl/br00000_.html
- 25. Federal Law No. 9,454, April 7, 1997.
- 26. Federal Law No. 8,078, Article 43, September 11, 1990.
- 27. Superior Tribunal de Justiça, RESP No. 653568-MG (12/14/2004), RESP No. 595170-SC (11/16/2004), RESP No. 612619-MG (10/21/2004), RESP No. 540944-RS (08/17/2004), RESP 602401-RS (03/18/2004), RESP No. 511921-MT (03/09/2004), RESP No. 556745-SC (10/14/2003), RESP No. 471091-RJ (05/22/2003), RESP No. 448010-SP (02/06/2003), RESP No. 419365-MT (11/11/2002), RESP No. 442051-RS (11/07/2002), RESP No. 402958-DF (08/30/2002), RESP No. 373219-RJ (05/28/2002), RESP No. 292045-RJ (08/27/2001), RESP No. 285401-SP (04/19/2001), RESP No. 165727-DF (06/16/1998).
- 28. http://www.radiobandeirantes.com.br/reporteronline/interna.asp?id_not=27144
- 29. http://www.mp.sp.gov.br/caoconsumidor/atua%E7%E3opr%E1tica/termos/TA563-...
- 30. http://www.orkut.com/MembersAll.aspx
- 31. http://www.infoguerra.com.br/infonews/viewnews.cgi?newsid1105149979,29493,
- 32. http://188.8.131.52/novo/static/text/33899,1
- 33. http://www.prsp.mpf.gov.br/cidadania/dhumInt/Liminar na ACP Google.pdf
- 34. http://idgnow.uol.com.br/internet/2007/04/23/idgnoticia.2007-04-23.60113...
- 35. http://www.estadao.com.br/tecnologia/internet/noticias/2007/abr/06/93.htm
- 36. http://producao.prsp.mpf.gov.br/news/internews/news_inter_conteudo.php?v...
- 37. http://idgnow.uol.com.br/internet/2007/01/09/idgnoticia.2007-01-09.94362...
- 38. House of Representatives Proposed Law No. 1589, 1999; House of Representatives Proposed Law No. 2,358, 2000; House of Representatives Proposed Law No. 7,093, 2002, Senate Proposed Law No. 367, 2003; House of Representatives Proposed Law No. 2,186, 2003; House of Representatives Proposed Law No. 2,423, 2003; Senate Proposed Law No. 21, 2004; Senate Proposed Law No. 36, 2004; House of Representatives Proposed Law No. 3,731, 2004; House of Representatives Proposed Law No. 3,872, 2004.
- 39. House of Representatives Proposed Law No. 6,541, 2002.
- 40. House of Representatives Proposed Law No. 2,130, 2003; House of Representatives Proposed Law No. 2,387, 2003; House of Representatives Proposed Law No. 2,404, 2003, Senate Proposed Law No. 243, 2004; House of Representatives Proposed Law No. 4,412, 2004.
- 41. http://www.brasilantispam.org/main/codigo.htm
- 42. http://conjur.uol.com.br/textos/23041/
- 43. Juizado Especial Cível, Process No. 023.04.067876-0/002,Comarca de Florianópolis – SC.
- 44. http://www.antispam.br
- 45. http://www.cgi.br/publicacoes/documentacao/ct-spam-EstudoSpamCGIFGVversa...
- 46. Federal Supplementary Law No. 105, January 10, 2001.
- 47. Id. at ¬ß 3, I.
- 48. Id. at ¬ß 3, III.
- 49. Id. at ¬ß 3, IV.
- 50. Id. at ¬ß 4.
- 51. Supremo Tribunal Federal, Recurso Extraordinário No. 219.780 – PE.; Supremo Tribunal Federal, Mandado de Segurança No. 21.729-4.
- 52. Supremo Tribunal Federal, Recurso Extraordinário No. 418416, December 19, 2006.
- 53. Superior Tribunal de Justiça, Recurso Especial No.83.824 – BA (17/05/1999).
- 54. TJRS - 12ª Câmara Cível, Agravo Interno nº 70009729112, Rel. Des. Orlando Heemann Junior, j. October 14, 2004
- 55. http://www.bcb.gov.br/?BCJUDINTRO
- 56. Cybercafes specialized in multiplayer online games.
- 57. São Paulo City Municipal Law No. 13,720, January 9, 2004.
- 58. Federal Council of Medicine, Resolution No. 1,639, July 10, 2002.
- 59. Federal Decree 5,301, December 9, 2004.
- 60. Resolução da Diretoria Colegiada- RDC No. 5, January 20, 2005.
- 61. Câmara dos Deputados, Portaria No. 96, August 20, 2004.
- 62. TRT9 – 5ª T., RO 5568/2002, Rel. Juíza Janete do Amarante, j. 20.02.2003, DJ 04.04.2003.
- 63. TRT 10 - 13.000613/2000, issued on October 9, 2001.
- 64. http://brs02.tst.gov.br/cgi-bin/nph-brs?s1=3896444.nia.&u=/Brs/it01.html...
- 65. http://brs02.tst.gov.br/cgi-bin/nph-brs?s1=4028070.nia.&u=/Brs/it01.html...