A brief analysis of Brazil’s data protection law

October 26, 2022 / Current Affairs / By Adriana Meireles

Adriana is a journalist and author. Her PhD in Political Science (2020) investigated the Internet Governance Forum as an empirically informed debate to address the political theory regarding the distinction between public and private spheres. She has also worked as a digital culture coordinator for the Ministry of Culture of Brazil and looks forward to writing more in the near future.

The debate about data protection in Brazil dates back to at least 2007, when members of civil society started pressuring the country’s lawmaking body, the Congress, over a draconian piece of legislation which aimed to regulate the internet from a criminal perspective. The proposed law generated a strong counter reaction which led to an interactive online public consultation promoted by the Ministry of Justice to gather a multitude of stakeholder perspectives on the issue. The end result was Brazil’s Internet Bill of Rights, which was approved in 2014. During the consultation, civil society organizations advocated for specific privacy legislation which would follow the approach of the European General Data Protection Regulation (GDPR). As a matter of fact, the Brazilian Data Protection law was approved by Congress a few days after the European GDPR came into effect. However, its original content was later changed by Executive power vetoes and decrees, weakening the elements focused on digital rights.

This article poses the question: what changed in the four years following the ratification of the Brazilian general data protection law? What issues remain open, and how should we address them? To discuss this, there is also a comparative effort to analyze the similarities and differences between the Brazilian law, the American jurisdiction and the European GDPR. As a result, the piece aims to discuss contemporary issues regarding privacy and data protection that are still a challenge across borders.

Firstly, to answer the proposed case study inquiry, one has to take into account the shift of politics which occurred in Brazil in the last few years. The construction of the Internet Bill of Rights (and of the data protection law itself) was a participatory process which was considered an innovation in digital democracy. However, the 2016 coup d’état which removed the Labor Party from government was followed by a questionable ballot that elected an anti-human rights president. Those facts should introduce and illustrate the evidence that digital rights in Brazil deviated from a civil society collaborative effort into a surveillance threat.

Privacy policies and human rights 

But what is the relation between data protection law, human rights, and journalistic work? In effect, the legislation should protect these activities. However, an authoritarian government can deviate from this intended purpose. To establish the association among these facts, some information should be taken into account. Firstly, the scope of the Brazilian data protection law excludes the government and its agencies from the scrutiny of the legislation. Secondly, the differences between access to information and personal data protection are misrepresented. Thirdly, there are the effects of those changes on human rights advocates and journalistic work. Ultimately, we can observe some challenges for privacy rights both in the country and across borders.

To start this analysis there should be a comparative effort to understand one of the main differences between the Brazilian law and its original inspiration — the European GDPR. The biggest discrepancy is regarding the role of the State. The legislation in Brazil creates a different category for the public authorities in which rules applied to the private sector have no effect for the government and its agencies, including law enforcement. Hence, the regulation opened a breach for State authority abuse and surveillance, particularly while concentrating the population’s information into a single database that is shared among different institutions, including those related to investigation and prosecution of criminal offenses. 

The GDPR addresses the protection of personal data processed in the framework of police and judicial cooperation in criminal matters. There is an effort to prevent information leakage across borders and to regulate police and judicial action. The law establishes a set of best practices which take into account privacy and data protection in criminal investigations, demonstrating consideration for human rights and for the inappropriate use of data by these authorities.

On the other hand, Brazilian law facilitates the sharing of personal data among authorities, enabling the distribution of sensitive personal information without consent. Even though the Supreme Court recently ruled against this shared database, the damage already done is not measurable. That is because the data has been used for purposes different from those of the initial collection, contradicting the law’s principles, such as purpose limitation, integrity and confidentiality. Moreover, it excludes police and judicial authorities from the rules of the data protection law. In this way, it enhances the surveillance power of the Brazilian State and its security agents, to the detriment of human rights. In this aspect, it resembles the United States jurisdiction, in which there is an alignment between the government and private sector interests, specifically after September 11th. As argued by the surveillance capitalism theory, the tech business benefits from the lack of regulation in America, setting precedents for abuse in data privacy, as became widely known after Edward Snowden’s revelations in 2013.

As a consequence, in Brazil, the data protection law is constantly being used by authorities as a justification for not providing data when the right of access to information is invoked, notably by journalists. According to a national inquiry, almost 10% of the requests for access to information have been denied on the grounds of infringing the data protection law. Even though transparency is the rule and confidentiality is the exception, the government has repeatedly declared 100 years of secrecy for simple matters such as the salaries of police officers or whether the president is vaccinated against Covid-19.

This limitation on the work of Brazilian journalists was not foreseen, even by the most pessimistic analysts of data privacy. However, it is known that authoritarian governments are a threat to human rights and privacy advocates. The decay of democratic principles in general affects the freedom of the press. According to two reports by human rights organizations, the cases of violence against journalists have multiplied in the last few years. In fact, some of them were formulated by the president himself, notably against women.

With those facts in mind, one can conclude that the data privacy legislation was not effective in protecting either human rights or journalistic work in Brazil. As for the general population, after four years, in practical terms, the changes were very discreet. They are mainly noticed on websites that incorporate disclaimers about the use of personal data to improve user experience. However, there is an irony there: most of the time the notifications about terms of use only present the option to “accept”. The margin for negotiation remains minimal. Either you consent to the terms imposed, or you do not access the service or information. The opt-out options are extremely limited.

The same can be said about global privacy policies. For the common user, the regulatory frameworks on personal data protection proved to be insufficient to contain the advance of surveillance capitalism. Not even US antitrust laws prevented big tech giants from expanding their monopoly. As a matter of fact, the power concentration of technology companies has increased since the financial market itself merged with them.

Hence, there is a sense of a collective resignation, as if the end of privacy is inevitable. 


In Brazil, the sharing of personal information by, with, and between agents of the State is worrying, even more so when police and judicial authorities are not subject to the rules of the data protection law. Effectively, it opens the possibility for the distribution of sensitive data among them. This sets a precedent to increase surveillance, political violence and persecution, especially against human rights advocates and journalists.

Therefore, it can be concluded that, even though the law was originally drafted along the principles of the GDPR, the changes made in the local jurisdiction brought it closer to the regulatory framework of the United States. It grants too much power to the government over personal data management concentrated in one source. Surely in democratic countries the State has the people’s presumed interest; however, that cannot be applied to authoritarian regimes.

In many of these cases, the fact is that those arguments start from a false premise that sets up a conflict between privacy and security in order to justify surveillance. There is a distinction between electronic communication monitoring and intelligence information gathering. What has been seen since September 11th is an increase in the volume and range of those activities, impacting common citizens and threatening journalistic work. In both realities privacy rights are being violated. Big tech platforms still present terms of use that are impossible not to accept, unless one wants to become a digital pariah. Hence, people are forced to abdicate their freedom from surveillance. The biggest contradiction is that the exercise of rights is no longer indivisible, interrelated and interdependent. And that power concentration is the common challenge for privacy advocates across borders.
