A brief analysis of the Brazil’s data protection law
October 25, 2022 / Current Affairs / By Adriana Meireles
Adriana is a journalist and author. The focus of her PhD in Political Science (2020) investigated the Internet Governance Forum as an empirical informed debate to address the political theory regarding the distinction of public and private spheres. She has also worked as a digital culture coordinator for the Ministry of Culture of Brazil and looks forward to writing more in the near future.
The debate about data protection in Brazil dates back to at least 2007, when members of civil society started pressuring the country’s lawmaking body, the Congress, over a draconian piece of legislation which aimed to regulate the internet from a criminal perspective. The proposed law generated a strong counter reaction which led to an interactive online public consultation promoted by the Ministry of Justice to gather a multitude of stakeholder perspectives on the issue. The end result was Brazil’s Internet Bill of Rights, which was approved in 2014. During the consultation, civil society organizations advocated for specific privacy legislation which would follow the approach of the European General Data Protection Regulation (GDPR). As a matter of fact, the Brazilian Data Protection law was approved by Congress a few days after the European GDPR came into effect. However, its original content was later changed by Executive power vetoes and decrees, weakening the elements focused on digital rights.
This article poses the question: what changed in the four years following the ratification of the Brazilian general data protection law? What are issues which remain open, and how should we address them? To discuss this, there is also a comparative effort to analyze the similarities and differences of the Brazilian law regarding the American jurisdiction and the European GDPR. As a result, the piece aims to discuss contemporary issues regarding privacy and data protection that are still a challenge across borders.
Firstly, to answer the proposed case study inquiry, one has to take into account the shift of politics which occurred in Brazil the last few years. The construction of the Internet Bill of Rights (and of the data protection law itself) was a participatory process which was considered an innovation in digital democracy. However, the 2016 coup d’état which removed the Labor’s Party from government was followed by a questionable ballot that elected an anti-human rights president. Those facts should introduce and illustrate the evidence that digital rights in Brazil deviated from a civil society collaborative effort into a surveillance threat.
Privacy policies and human rights
But what is the relation between data protection law, human rights, and journalistic work? In effect, the legislation should protect these activities. However, an authoritarian government can deviate from this intended purpose. To establish the association among these facts there is some information that should be taken into account. Firstly, the scope of the Brazilian data protection law excludes the government and its agencies from the scrutiny of the legislation. Secondly, the misrepresentation of the differences between access to information and personal data protection. In third, the effects of those changes on human rights advocates and journalistic work. Ultimately, we can observe some challenges for privacy rights both in the country and across borders.
To start this analysis there should be a comparative effort to understand one of the main differences between the Brazilian law and its original inspiration — the European GDPR. The biggest discrepancy is regarding the role of the State. The legislation in Brazil creates a different category for the public authorities in which rules applied to the private sector have no effect for the government and its agencies, including law enforcement. Hence, the regulation opened a breach for State authority abuse and surveillance, particularly while concentrating the population’s information into a single database that is shared among different institutions, including those related to investigation and prosecution of criminal offenses.
The GDPR addresses the protection of personal data processed in the framework of police and judicial cooperation in criminal matters. There is an effort to prevent information leakage across borders and to regulate police and judicial action. The law establishes a set of best practices, which takes into account privacy, data protection in criminal investigations, demonstrating considerations for human rights and inappropriate use of data by these authorities.
On the other hand, Brazilian law facilitates the sharing of personal data among authorities, enabling the distribution of sensitive personal information without consent. Even though the Supreme Court recently ruled against this shared database, the damage already done is not measurable. That is because the data has been used for different purposes from the initial collection, contradicting the law’s principles, such as purpose limitation, integrity and confidentiality. Not enough, it excludes police and judicial authorities from the rules of the data protection law. In this way, it enhances the surveillance power of the Brazilian State and its security agents, to the detriment of human rights. In this aspect, it resembles the United States jurisdiction in which there is an alignment between the government and the private sector interests, specifically after September 11th. As argued by the surveillance capitalism theory, the tech business benefits from the lack of regulation in America, setting precedents for abuse in data privacy, as became widely known after Edward Snowden’s revelations in 2013.
As a consequence, in Brazil, the data protection law is being constantly used by authorities as a justification to not provide data when the access to information right is invoked, notably by journalists. According to a national inquiry, almost 10% of the requests for access to information have been denied on the grounds of infringing the data protection law. Even though transparency is the rule and confidentiality is the exception, the government has repeatedly declared 100 years of secrecy for simple matters such as the salaries of police officers or if the president is vaccinated against Covid-19 or not.
This limitation on the work of Brazilian journalists was not foreseen, even by the most pessimistic analysts of data privacy. However, it is known that authoritarian governments are a threat to human rights and privacy advocates. The decay of democratic principles in general affects the freedom of the press. According to two reports by human rights organizations, the cases of violence against journalists have multiplied in the last few years. In fact, some of them were formulated by the president himself, notably against women.
The same can be said about the global privacy policies. For the common user, the regulatory frameworks on personal data protection proved to be insufficient to contain the advance of surveillance capitalism. Not even the USA antitrust laws prevented big tech giants from expanding their monopoly. As a matter of fact, the power concentration of technology companies increased since the financial market itself merged with them.
Hence, there is a sense of a collective resignation, as if the end of privacy is inevitable.
In Brazil, the sharing of personal information by, with, and between agents of the State is worrying, even more so when police and judicial authorities are not subject to the rules of the data protection law. Effectively, it opens the possibility for the distribution of sensitive data among them. This sets a precedent to increase surveillance, political violence and persecution, especially against human rights advocates and journalists.
Therefore, it can be concluded that, even originally drafted along the principles of the GDPR, the changes made in the local jurisdiction made it closer to the regulatory framework of the United States. It grants too much power to the government over personal data management concentrated in one source. Surely in democratic countries the State has the people’s presumed interest, however that cannot be applied to authoritarian regimes.
Latest blog posts
Cyber laws around the world: Privacy is not the policy
There is no doubt that the European Union’s GDPR has changed the cyber regulation landscape forever. As onlookers from non-EU countries urge their governments and regulators to adopt similar legislation, countries are rapidly adopting their
READ MORE »
The long and winding road : Striving for data protection in Indonesia
Juliana Harsianti is an independent researcher and journalist working at the intersection of digital technology and social impact. The long awaited Indonesian Personal Data Protection Bill was approved by the parliament on 20 September 2022.
READ MORE »
Kazakhstan needs tougher laws to address the impacts of spyware
In July 2021, the United Nations (UN) High Commissioner for Human Rights, Michelle Bachelet, issued a statement exposing the widespread use of Pegasus spyware that targeted journalists, human rights activists, politicians, and other people across
READ MORE »