You are here

State of Privacy Brazil

Last modified: 
Tuesday, March 14, 2017 - 14:22

Introduction

Acknowledgement

The State of Surveillance in Brazil is the result of an ongoing collaboration by Privacy International and Coding Rights and Privacy LatAm. Authors: Danilo Doneda, Joana Varon. Editors at PI:  

Right to Privacy

The constitution

The general principles and provisions on data protection and privacy in Brazil can be derived from the Constitution, the Brazilian Civil Code and laws and regulations that address particular types of public and private relationships, different sectors (for example, financial institutions, the health industry, and the telecommunications industry), and the treatment and access to documents and information handled by governmental entities and bodies.

In general terms, the Brazilian Federal Constitution of October 1988 protects the right to privacy, including the secrecy of correspondence, bank operations, telegraphic communications, telephone communications, and data communications. 

There are also mechanisms that enable access to information. In response to social demands after the end of the military dictatorship, the Constitution also granted access to information gathered by governmental bodies. Brazil's turbulent history, rather than the population's particular desire for data protection, was the main impetus for implementing its first mechanisms to access to information. This access was enabled through the writ of Habeas Data which was introduced in 1988 Constitution and regulated by Law No. 9.507 of 1997 (the Habeas Data Law). The writ has influenced other Latin American countries who have implemented similar data protection instruments.

The Habeas Data writ, as a constitutional remedy, can be used to grant access to information related to the individual that is registered on governmental or public databases, to correct or update data, or to proceed with annotations or clarifications on public databases concerning pending litigation. A Habeas Data writ can be addressed to any database which collects information that is or may be transmitted to third parties and information that is not exclusively used by the governmental agency or legal entity that generated or managed that information. However, the Habeas Data writ is a costly and slow remedy because a petition must be presented by a lawyer after the unsuccessfully requesting the data from the defendant. The writ is not regarded as a modern data protection tool nor did it develop into such. Instead, other instruments were developed in Brazilian law to address the increasing use of electronic data processing. These instruments include the Credit Information Law and the Access to Information Law.

The Federal Constitution also refers directly to consumer protection, both in Article 5 XXXII, which considers consumer protection as a fundamental right, and Article 170 V, which establishes consumer protection as a principle of the national economic order, as well in Article 48 of its Temporary Provisions which creates an obligation to enact a Consumer Protection Code. That Code provides for a multifaceted framework to address consumer protection issues and balance the information and power asymmetries between consumers and business enterprises. It entails a variety of principle-based norms, which are broad enough to offer solutions to new conflicts related to information technology and the protection of privacy rights. Indeed, while the country does not have a comprehensive data protection bill, the Brazilian National Consumer Protection Secretariat (Senacon), which operates under the Ministry of Justice, has been the main public entity that acts as watchdog regarding the protection of privacy rights. In one famous case, a fine of R$3.5 million (around 1 million USD) was levied on the telecommunication provider Oi, which developed a software called "Navegador" with the British company Phorm, which collected data traffic to create profiles of individuals' browsing patterns. Oi was accused of selling these profiles to companies seeking data for advertising or customizing content.

Regional and international conventions

Brazil has ratified a number of international instruments with privacy implications, including:

  • The International Covenant on Civil and Political Rights (ICCPR). Article 17 provides that “no one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation”. The Human Rights Committee has noted that states party to the ICCPR have a positive obligation to “adopt legislative and other measures to give effect to the prohibition against such interferences and attacks as well as to the protection of this right [privacy].”
  • The American Convention on Human Rights or "Pact of San José de Costa Rica" (the "American Convention"). Brazil has been a signatory to the convention since 25 September 1992 but has not yet accepted the compulsory jurisdiction of the Inter-American Court of Human Rights.

Brazil has also been at the forefront of many of the advances made at the UN on the right to privacy. It was one of the co-sponsors of the UN Resolution 68/167 on the right to privacy in the digital age, which was adopted by the General Assembly on 18 December 2013.

Communication Surveillance

Introduction

Brazil's government reacted strongly to the revelations from the files revealed by Edward Snowden revelations that the communications of Brazilian president Dilma Roussef and other major officials had been tapped. President Roussef delivered an important statement at the UN General Assembly in which she stressed that "in the absence of the right to privacy, there can be no true freedom of expression and opinion, and therefore no effective democracy.” She also highlighted that “the right to safety of citizens of one country can never be guaranteed by violating fundamental human rights of citizens of another country” and that “in the absence of the respect for sovereignty, there is no basis for the relationship among nations". 

Following that speech, the Brazilian government took a series of actions to raises the issue of surveillance in the different UN fora, from Unesco to a resolution about "Privacy in the digital age" aproved by the General Assembly, which, after a few editions, ultimately lead to the creation of a mandate for a special rapporteour on the right to privacy. Trying to address challenges of trust in internet governance, the country also held NetMundial, a global diplomatic meeting on the future of internet governance.

Internally, the Brazilian Federal Police also opened an investigation into the spying during which it called on the presidents of Yahoo, Microsoft, Google, Facebook and Apple to testify. The Brazilian Senate also installed a Parliamentary Commission for Inquiry, entitled “CPI da Espionagem”. Representatives of ICT companies and the journalist Glenn Greenwald (who received the Snowden files and lives in Brazil) were among those who were called to testify. The final report pointed out that the country was vulnerable and stressed the need for improving Brazilian systems for security and counterinteligence. It also proposed a draft bill to regulate data transfer from Brazilian citizens or companies to international organizations. 

The draft bill for the Civil Rights Framework for Internet in Brazil, the so-called Marco Civil, was also significantly changed to contain several privacy provisions. After some strong debates resulted in the removal of a provision establishing the need for nationalization of data centers, it was finally enacted into law after almost 6 years of debate. Nevertheless, the final version of Marco Civil included mandatory data retention for connection and service providers and until today, 2016, the country has not approved comprehensive legislation on data protection, regulating the right to privacy in face of private and public agents. 

Therefore, while Brazil could be seen as champion on the international arena in the fight for better privacy standards (something that may change significantly following the impeachment of former president Dilma Roussef and the position of a new president), the same is not necessarily true of the government's orientation towards privacy for Brazilians. Actually, besides implementing mandatory data retention and not approving a data protection law, the country has gradually expanded its legal institutional framework for surveillance capacities, and has acquired new surveillance technologies, a process that was accelerated as Brazil prepared to host several international large-scale events, such as Rio+20, World Cup and the Olympics.

Surveillance laws

Interception of communications

Interception of communications in Brazil is regulated by Law 9.296/96, which allows for interception on both telephone and information technology systems. The purpose set by this law is instructing criminal procedures or investigations. The requirements for setting up an interception are a court order, which can be issued directly by a court or requested by police authorities or the Office of the Public Attorney. The request must be founded within a reasonable suspicion that the person whose communications they are requesting to intercept has committed a crime, that there was no other way to obtain evidence of such crime and the interception should be runned under secrecy of justice.

Despite the safeguards presented in the law, there are concerns as to their implementation. For example, Article 5 of the law notes that the period may not exceed 15 days, but can be renewable for equal time once proven the indispensability of evidence. Therefore, this legislation leaves margin for interpretation regarding its time limit, a reason why there has been many cases of abuse.

Trying to address these issues, in 2013, the Brazilian Supreme Court has considered the lack of clarity about the successively renewal of the authorization without time limit set as an issue subjected for general repercussion (meaning that a decision on the case shall be extended to all). The final understanding was that renewal would be lawful if determined by court as the necessary and only means of proof to investigate a criminal fact.

While it seems an important restriction, nevertheless, data from the National Council of Justice, obtained by means of a Freedom of Information request submitted by Internet Lab, shows a substantial increase in the judicial approval of requests for interceptions of communications. In June 2009 a total of 13965 phones and 282 electronic addresses were monitored, while in August, 2013, right after World Cup protests, the total increased to 21925 of phones and 1563 electronic addresses were under surveillance. All these data provided is not easily accessible in order to allow transparency and accountability. Further, the answers received to the FOI request did not allow to establish the total number of requests for interception, neither of rejections through the National System to Control Interceptions. And for the format of the response, it is not possible to make a direct assessment about how many of these requests led to a criminal investigation. 

Blanket Data Retention

Resolutions 426/05, 477/07 and 614/13 of Anatel, the agency responsible to regulate the telecommunications industry and oversight of provision of related telecommunication services, require service providers to retain metadata pertaining to landline and mobile telephone services.

Article 22 of Resolution No. 426/05 requires landline service providers to retain data for at least 5 years and does not include details on the type of data, use limitation or purpose specification. Article 10, XX, of Resolution No. 477/07 disposes that mobile service providers must retain user account information and billing documents containing data on incoming and outbound calls, dates, time, duration, and price for a minimum of 5 years. Article 53 of Resolution No. 614/13 requires internet connection providers to retain data for at least 1 year. 

Article 17 of the Law no. 12.850/13, about organized crime, requires landline and mobile telephone companies to retain "identification logs of numbers of origin and destination of telephone connection terminals" for 5 years.

Law 12.965/14, also known as the Marco Civil, requires that internet connection providers retain Internet connection logs for 1 year under Article 13. For-profit application service providers are required to store logs of access to applications for a period of 6 months under Article 15. Paragraph 2 of both articles allow for the extension of retention periods in certain circumstances but there is no maximum time limit on the extension - which may be theoretically unlimited.

Such blanket data retention policies pose a significant interference with the right to privacy of users, as it was made clear in Digital Rights Ireland v Minister for Communications and Others, the Grand Chamber of the Court of Justice of the European Union (CJEU) concluded that the 2006 Data Retention Directive, which required communications service providers to retain customer data for up to two years for the purpose of preventing and detecting serious crime, breached the rights to privacy and data protection. The CJEU observed that the scope of the data retention “entails an interference with the fundamental rights of practically the entire European population”. The CJEU went on to note the Directive was flawed for not requiring any relationship between the data whose retention was provided for and a threat to public security, and concluded that the Directive amounted to a “wide-ranging and particularly serious interference" with the rights to privacy and data protection "without such an interference being precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary.”

Access to Stored Data

In case of investigations about money laundering (Law 9.613/98) and organized crime (Law 12.850/13) police authorities and the Public Attorney’s Office can request directly to service providers to access users’ subscription data, which comprises their name, affiliation and address. Similarly, under Article 38 of ANATEL Resolution 596/12, the agency may request service providers directly for access to account information and call records of users. 

In a similar way, paragraph 3 from article 10 of Law 12.965/14 provides that subscription data (name, affiliation and address) from connection and service providers can be access without court order by administrative authorities with legitimate competence. Paragraph 1 from article 10 of the same legislation also establishes that law enforcement authorities must require a court order to access both connection logs from service and connection providers, as well for accessing the content of private communications. So, unlike accessing logs and the content of digital communications, access to subscription data does not require a court order.

While access to subscription data without a court order is still problematic, the request for a court order for connection logs could, if effectively implemented, provide some safeguard against unlawful interference with privacy. Nevertheless, the application of such provisions has led to court orders blocking some of the most popular modern digital communications applications. 

Infiltration on Social Networks

Furthermore, while the number of interception of communications increase, we have also observed another trend from law enforcement agencies to use the expansion of digital communications to interfere with privacy even without having to go through the legal procedures for approving an interception: political monitoring and infiltrating on social networks.  

As a blog from a police chief asserts: "the online data monitoring of internet for the purpose of criminal evidence is not something exactly "new". It is already common that the police gathers information on user profiles or communities in social networks to contradict witness statements or information provided by victims and investigated. However, the scope of the sites that the police, lawyers and judges can go for information has expanded rapidly, and many more are being added daily to the list of those already existing."

So far, there is no single piece of legislation to set boundaries for the monitoring and data gathering on social media. Even so, law enforcement agencies have gone beyond web searching to compile this kind of information and have adopted practices of infiltration on digital platforms. According to Ponte Jornalismo and El País, an Army official of the Brazilian Armed Forces used, among other things, the Tinder application in order to meet women from social movements and activist groups and monitor their movements. This led to the arrest of members of one of these groups right before a planned political protest, where they were confronted by a huge operation with helicopters and lots of police officers. The group were released after a few hours with no charges. Infiltration by police agents is regulated by session III of Law 12850 of 2013, which deals with organized crime, have no particular provision on infiltration on digital platforms, but sets a series of requirements to authorize such practice: a) it can only happen under an investigation represented by the police chief or requested by the public atorney; b) requires a court order setting its limits; c) there must be indicative of a crime and that the proof cannot be be produced by other means; d) it can be authorized for the maximum of 6 months, which can be renewed in case there is necessary motivation. Nevertheless, legal justification for the infiltration in case, as well as the connection between the Army and the Military Police of São Paulo, is yet unclear. Recently, Brazilian Army affirmed they were operating jointly with State Government.

Malware

Currently, there is no regulation concerning the usage of Malware for lawful surveillance practices. Nevertheless, leaks from Hacking Team have show that the Brazilian Federal Police had a court order favorable to use their software during 15 days (starting from the day of the infection) in 17 targeted phones. The equipment was also exempted of bidding, considered as a "sensitive equipment and necessary for police investigation" under Law 13097.

Blockage of cell phone signals to "Guarantee Law and Order"

In the begining of 2016, attending a demand from CCOMGEX, the National Agency of Telecommunications (Anatel) aproved Act 50,265, which authorizes the armed forces in Brazil to use equipment to block radio signals during the Olympic and Paralympic Games, as well as for the purpose of any operation assigned as "Law and Order Guarantee" (GLO). GLO operations are regulated by article 142 of the Constitution and Law 97/1999 and Decree 3897/2001, which allow for the military to act with police power during operations for "Law and Order" untill "normality" is restablished. Such operations are determined by express order of the Presidency when "there is exhaustion of the traditional forces of public security", the Olympics and the World Cup were considered situations as such.  

During the anoucement of the autorization from ANATEL some have considered that the blockage would target cellphones, while the autorities have ensured that the measure was focused on drones. In abril 2014, a company called IACIT won the bidding process and sold to the Army eight SCE blockers, model SCE 0100-D,  for R$ 448.228,50. According to the IACIT website, the product is called "jammer" and is described as capable to "block Drones controlled by radio. However, the SCE 0100 can be configured to block RCIED and/or Cellular communication as well."

 

Surveillance actors

Surveillance capabilities

As the host country fo a series of mega events since Rio+20 to the World Cup and the Olympics, Brazil, and particularly Rio de Janeiro, have become one of the main market target for surveillance technologies. But a comprehensive pictures of the whole expenditure on security for these event, particularly on surveillance technologies is hard to draw, as the report “Security as a Commodity: Mega Events and Public Security in Brazil” published by Heinrich-Böll-Stiftung show us that estimating the total costs of these events is challenging, with the investments in security spread across many different bodies, potentially overlapping. For the World Cup and, the cost for security and defense has been estimated at approximately R$ 2.8 billion Brazilian Reais (700 million Euro), most of this spent on technology. However, this is difficult to estimate as the cost is spread between Ministry of Defense and the Armed Forces, the Ministry of Justice, and state security offices.

Breaking down all these numbers to concrete surveillance capacities is tricky. It was declared that an investment of R$108 million was expent to build Rio’s Centro Integrado de Comando e Controle (CICC), inaugurated in 2013. Integrating several public databases, the Center acts as a base for monitoring of the city, hosting workers from several agencies of the State, such as military, civil and highway police, fire and emergency departments and the traffic engineering company. But tracking exactly how all the figures on security for the Mega Events were invested in surveillance technologies is even more difficult, mostly dependent on declarations from public agents or sellers of surveillance technologies to the press, leaks and, eventually, some submissions of freedom of information requests.

In this sense, news articles show that the equipments and technologies acquired by the different bodies of government and police include drones, facial recognition in airports and public transportation, mobile CICC station vehicles (equipped with movable cameras and audio capture), high-quality video surveillance balloons (with 13 cameras each), among others. Recently an investigation by VICE News discovered that a division of the Army (CCOMGEX, the Army Command for Communications and Electronic War) has a cell-site simulator (also known as an IMSI catcher) from US-headquartered Harris Corporation. It is not clear if it was purchased for the Olympics. Finally, Hacking Team leaks have shown that the Federal Police had contracted their services for at least 3 months with a court warrent. 

Drones

Currently, anyone in Brazil who wishes to operate a UAV (which excludes small equipment used for recreational purposes) needs an express authorization from the National Agency for Civil Aviation (ANAC) or an Experimental Flight Authorization Certificate (CAVE), as well as to have an equipment that was registered at ANATEL. Also, since early December 2015, the Department of Airspace Control (Decea) from the Air Force, had determined that UAV flying over 120 meters will only get off the ground with authorization to be given upon a request at least two days in advance. It also establishes guidelines for speed according to weight of the vehicle. Enforcement of any of these provisions is guaranteed in the penal sphere by a broad interpretation of article 15 of Decree 3.688/1941, which establishes that flying outside the permited area is considered a crime punished by imprisonment or fine. 

But, as many other countries, Brazil is further regulating the usage of commercial unmanned aerial vehicles (UAV), particularly to allow some operations without the express permission of the ANAC, as currently there are many of these vehicles operating ilegaly. ANAC is the one in charge for establishing the core guidelines for such regulation, which was put into public consultation until the end of 2015. But, while a comprehesive up to date regulation is not in place, sporadic provisions have also emerged from time to time. During the Olympics, for instance, these equipment were completely prohibited, unless outside restricted areas and only to those with a permits from ANAC, DECEA and a register at ANATEL.

Nevertheless, ANAC will only further regulate the operation of civilian equipment. While military use of these technologies is outside the scope of actions from the Agency and there is no prospect for regulating this kind of usage, UAV are already integrating strategies from law enforcement agencies. Back in 2014, an agent from the Federal Police informed that they have used a drone to investigate a chief drug dealer at Complexo da Maré.  In 2015, drones to control protesters were presented to law enforcement agencies in Brazil during LAAD (an international fair for surveillance technologies). Recently, in August 2016, Elbit System, an Israeli company ranked as one of the main manufacturers of military drones, bought military communication businesses of Mectron Engenharia, defense company from the group Odebrecht.

Surveillance oversight, checks and balances

Surveillance case law

In 2009, Brazil was found guilty by the Inter-American Court of Human Rights (IACHR) of having unlawfully intercepted communications from a farming cooperative associated with the Movimento Sem-Terra (a peasant's reivindication movement) in the State of Paraná in 1999. It was revealed that the surveillance operations were undertaken for a period of 39 days and the request for it was submitted by an authority which did not have powers to make such a request (the Military Police, which does not have investigatory powers). It failed to meet the tests of reasonable suspicion as they were not undertaken within a criminal investigation procedure.

Examples of surveillance

Having infiltrated officials is an old practice from intelligence agencies, but as digital technologies become integrated in the communications practices for social movements, these practices for monitoring and surveillance also evolve. The Brazilian State is still in this transition and the most recent unlawful surveillance scandals were related to wiretapping and infiltration. Examples of surveillance include:

  • In 2013, leaders from Xingu Vivo NGO met to discuss their campaign against the construction of a power plant in indigenous land and were spied by a men infiltrated as community member, which recorded conversations with a pen. After being discovered, he declared he was supposed to send it to the government’s intelligence agency (Abin). The indigenous group is part of the movement against the construction of a Belo Monte Dam in the Xingu river. 
  • Also in 2013, a document released by the newspaper Estado de São Paulo proved that the Institutional Security Cabinet of the Presidency had ordered the National Inteligence Agency to monitor Unions who were contrary to Provisory Measure 595, particularly those at Porto do Suape, in the State of Pernambuco. The goal was to track mobilization. During the operation, agents travelled accross several states using for the first time an Israeli camera with high resolution streaming capabilities to capture activities in the ports. The case has cause tention among different agencies from the Sisbin system. Some have called it a "consequence of the militarization of Abin" refering to the recruitment of military personal for the agency. 
  • In 2014, during the World Cup protests, an agent from Força Nacional  (an elite federal public security body that assists the states and the Union when needed) was allocated in Rio to investigate the consumption of freebase cocaine at the so called “crackland". Later, this officer had another mission: became an “observer of protests” and infiltrate groups pretending to do streaming of the events. The officer was successful in the infiltration, and ultimately was included in a group of the protesters on the messaging app Telegram, which enabled him to know were every act would take place. After leaving his disguise behind, the agent served as a key witness for the indictment and charge of 23 activists.

Data Protection

Data protection laws

The Civil Code applies to private relationships involving individuals and legal entities. As data protection acts in Brazil have sectoral character and regulate specific issues (consumer protection, telecommunication, internet, etc.), they are only applicable to the particular sector. A general data protection provision applies only with regard to access to personal information and its eventual retification.

Consumer law can be applied to enforce consumer privacy in the case of any relationship involving a consumer and a supplier, while the Credit Information Law applies merely to database-related issues concerning financial data. According to the Consumer Protection Code, any transaction between a consumer and a supplier, where at least one major part of the transaction took part in Brazil, falls under its jurisdiction. Therefore, consumer law applies whenever a product or service was bought or provided in Brazil. However, enforcement might prove difficult when suppliers operate beyond Brazilian borders.

With regard to the use of data collected on the Internet, Internet connection and application providers must comply with Brazilian laws in the following cases: if collection, storage or treatment of personal data occurs in Brazil, if at least one of the terminals involved in the communication is located in Brazil, or if the providers offer services to Brazilians or have, directly or through a company pertaining to their group, an establishment in Brazil. Law 12.965 of 2014, the 'Marco Civil' or Brazilian Internet Civil Rights Framework, applies to internet users in general, internet connection providers (which promote the transmission of data packages among terminals over the Internet), on the assignment or authentication of an IP address, and Internet application providers (which provide a set of features that be accessed by a terminal connected to the Internet). The Act establishes that any treatment of personal data that is processed in Brazil, even if partially or merely collected by means of a terminal located inside the territory, must comply with Brazilian legislation.

Article 11 of 'Marco Civil' reads:

'In any operation of collection, storage, retention and treating of personal data or communications data by connection providers and internet applications providers where, at least, one of these acts takes place in the national territory, the Brazilian law must be mandatorily respected, including in regard the rights to privacy, to protection of personal data, and to secrecy of private communications and of logs.'

Article 11 applies to data collected in the national territory and to the content of the communications in which at least one of the terminals is placed in Brazil. Article 11 applies even if the activities are carried out by a legal entity placed abroad, provided that it offers services to the Brazilian public or at least one member of the same economic group is established in Brazil. Foreign companies are subjected to this rule whenever they provide services to Brazilian citizens. This means that even if a company doesn’t particularly focus and approach Brazilian users, but admits them as customers, the provisions of the Internet Civil Rights Framework shall apply. The same applies if the company holds a subsidiary in Brazil.

In this context, it is worth mentioning that during the last decade Brazilian courts debated jurisdiction issues related to foreign internet companies with small operations in Brazil but whose services were mainly provided by their foreign operations. In such cases, Brazilian jurisprudence tended to hold Brazilian subsidiaries liable for internet services, even if those services were not provided by them, at least in the technical point of view. This approach of multiple statutes aimed at regulating personal data can make it legally more and more complex, when the number of new statutes concerning consumer data protection continues to grow.

Accountability mechanisms

Despite the lack of a comprehensive data protection law, general data protection principles can be identified in essentially all specific acts of relevant sector legislation.

The principle of access is probably the one with the most robust formulation in Brazilian Law, as it is clearly based on the Brazilian constitution, or more precisely, on the Habeas Data writ, as already mentioned. There is no law establishing general data quality obligations. However, both the Consumer Protection Code and the Credit Information Law impose requirements that data must be objective, clear, truthful and easily understandable (Article 43 of CPC and Article 3, par. 2 of Consumer Information Law). In the Consumer Protection Code, some privacy principles are contained in Article 43, which grants the consumer’s right to access to data. Consumers’ files must be objective, clear, truthful, easily understood, and cannot contain the same negative information (regarding unpaid duties) for more than five years. With respect to this negative information, the consumer must be explicitly informed that such data was recorded. Moreover, a right to rectification of inaccurate or incomplete data is granted (Article 43 CPC). Credit information protection is addressed more extensively under the Credit Information Law (Law 12.414 of 2011).

Finally, Article 7 of the Internet Civil Rights Framework contains the rights and guarantees of internet users:

  • inviolability of intimacy and private life, safeguarding the right for protection and compensation for material or moral damages resulting from their breach;
  • inviolability and secrecy of the flow of user’s communications through the Internet, except by court order, as provided by law;
  • inviolability and secrecy of user’s stored private communications, except upon a court order;
  • non-suspension of the Internet connection, except if due to a debt resulting directly from its use;
  • maintenance of the quality of Internet connection contracted before the provider;
  • clear and full information entailed in the agreements of services, setting forth the details concerning the protection of connection records and records of access to internet applications, as well as on traffic management practices that may affect the quality of the service provided;
  • non-disclosure to third parties of users’ personal data, including connection records and records of access to internet applications, unless with express, free and informed consent or in accordance with the cases provided by law;
  • clear and complete information on the collection, use, storage, processing and protection of users’ personal data, which may only be used if it: justifies its collection; is not prohibited by law; and is specified in the agreements of services or in the terms of use of the internet application.
  • the expressed consent for the collection, use, storage and processing of personal data, which shall be specified in a separate contractual clause;
  • the definitive elimination of the personal data provided to a certain internet application, at the request of the users, at the end of the relationship between the parties, except in the cases of mandatory log retention, as set forth in the Law;
  • the publicity and clarity of any terms of use of the internet connection providers and internet applications providers;
  • accessibility, considering the physical, motor, perceptive, sensorial, intellectual and mental abilities of the user, as prescribed by law; and
  • application of consumer protection rules in the consumer interactions that take place on the internet.

Data breaches: case law

There is no specific legal requirement concerning security of personal data. In the light of liability rules and good faith standards, data processors in Brazil are required to take reasonable technical, physical and organizational measures to protect the security of personal data. However, there are no specific regulations, requirements, restrictions or details on how security should be implemented and guaranteed. The Civil Rights Framework for the Internet establishes provisions regarding the security of personal data. It requiring that security and confidentiality measures and procedures in the storage and processing of personal data be informed in a clear manner by the party responsible for the provision of the services.

Case law has established the obligation of service providers and networks to establish and maintain access records (such as IP addresses, and logins) in order to identify users who might commit crimes or acts of infringement. If such records are not kept for a reasonable period of time, the service provider or network may be held jointly liable for an act of infringement. The data security standards must be informed to the internet user and comply with standards (yet to be defined in a regulation) which will be produced by the Federal Government.

Examples of data breaches

There has been several examples of data breaches of State and private databases in Brazil and the danger and reach of damages can only increase as more and more services become digital without proper awareness about practices of digital security. We highlight the following cases that happened in 2016:

  • In latest july, due to security failures, a database of the Municipality of São Paulo have exposed personal data of an estimative of around 650 thousand pacients and public agents from the public health system (SUS). Data included identification, address, phone number and even medical information. Details from pregnancy stages and cases of abortion were also exposed.  The spreedsheets were quickly removed from the municipality and an investigation was open a law sue to investigate who was responsible. According to a regulation from the Ministry of Health, pacients from the SUS have the rights of confidenciality of their medical records, even after death. Among possible consequences, names of the exposed list could also suffer from practices of price differenciation in health insurance companies to become victims of identity theft.
  • Banks and Financial institutions had accessed the information from a database of workers that have applied for retirement. The breach was discovered because workers were offered by such institutions credit as retired people, even before they were notified by the National Institute for Social Security (INSS) about the aproval of their retirement request. The Federal Public Atorney in Sao Paulo had investigated the origin of the breach and in late September proposed a lawsuit against INSS and Tifim Recuperadora de Crédito e Cobranças Ltda. The law suit is fundamented on the privacy protections of the Constitution, Civil Code and Consumer legislation. 
  • Another curious databreach happened in September to the Government of the State of Sao Paulo, this one was politically motivated by a hacker group entitled Asor Hacking Team with the purpose of critizicing police brutality in protests. The group also claimed to have achieved in late August an exposed attack of a database from Grupo Claro, publishing data from its CEO and other high members of the company, in this case, the group have declared that the motivation was the companies posicion pro-internet blockage once users reach the data cap. The issues have been debated in national Congress. 
  • Besides governmental failures and hackings, Brazilian companies have also not payed proper attetion to security flaws, a recent example is Bematech, a Brazilian company that provides solution for comercial automation, which includes hardware, software and services. Last October. The website Tecmundo have figured out a security breach that allow anyone to access a list of all the partner companies and resellers and using this list, as well as company number and address, but not only, the breach also allowed for anyone to easily access revenue information from every company, amount of products sold and even make requests, sending the bill to another company.

These are just a few examples of the more then even very common episodes of databreaches, most of them without a proper legal repercution so far. If you are aware of any recent examples of data breaches in Brazil, please send any tips or information to: research@privacyinternational.org and contact@codingrights.org 

Identification Schemes

ID cards and databases

As of 2015, plans were in place to introduce a biometric ID card system in Brazil. This included fingerprint and facial capabilities. It also meant the 27 regional identity registries were to be consolidated into one single federal registry.

Voter registration

Voting is mandatory for literate citizens older than 18 years old and younger than 70, and is optional for citizens between 16 and 18 and older then 70. Citizens whose vote is mandatory and failed to do so are prevented from request a passport, to get a loan on finantial institutions and to take possession of a public office (or, if already in public service, they don't have their salaries paid).

Mandatory vote is set in Brazil since the Electoral Code of 1932. Nowadays, political rights are proposed from Article 14 to 16 of the Federal Constitution, but voter registration is also regulated by the Electoral Code of 1965 and Law nº 6.236/1975. Furthermore, vote is also electronic, an aspect regulated by Law nº 6.996/1982 and Law nº 7.444/1985, besides a number of resolutions from the Superior Electoral Court.

 According to the Superior Electoral Court, by September 2014, there are around 142.822.046 registered voters in Brazil. 

SIM card registration

Under Article 42 and 58 of the Regulation 477/07 of Anatel, users must provide a minimum set of personal data to be able to subscribe to a mobile telephone service. This information includes name, identity card number, and taxpayer number.

Specific regulation exsits for foreigners who want to buy a Brazilian SIM card, who are required to present their passport.

Policies and Sectoral Initiatives

Cybersecurity policy

We are not aware of any specific examples of privacy issues related to cybersecurity policy in Brazil. Please send any tips or information to: research@privacyinternational.org

Cybercrime

Since at least 2008, cybercrimes have been targeted by the National Congress in several occasions. Even the initiative to develop the Brazilian Civil Rights Framework for the Internet was a result of a counter action to a draft bill on cybercrime entitled as AI5 digitalAI5 was a short for "Institutional Act number 5", one of the seventeen decrees that established the military dictatorship.

In the digital realm, the bill proposed by Senator Azeredo in 2009, was broadly considered as negative due to several disproportionate restrictions it would cause to the daily usages of the internet, mostly the surveillance role it proposed to establish for the internet service providers in terms of obligations to monitor and retain data of their users. 

After online and offline coordinated manifestations from civil society, a campaign that, in a national extent, could be comparable to what lately happened in the US with SOPA and PIPA proposals, the debate of that particular bill was temporarily suspended. It was held up particularly by the perspective that first we should establish civil rights for the online environment then only later that discuss criminal law, such as cybercrime provisions.

Nevertheless, that bill came back to the public debate once naked pictures of a famous actress were hacked and leaked. In the occasion, a reduced version of the bill from Senator Azeredo, with only 6 of the 23 original provisions, was approved in 2012, turning into Law 12735/2012.

After Marco Civil was approved, in 2014, National Congress have been proposing several draft bills that jeopardize the current status of protections. Many of these proposals have emerged from the Parliamentary Commission on Cybercrime. Proposals vary from provisions on blockage of applications; changing conditions for access to users’ connection and application logs, location and subscription data (some of them require access points and service providers to collect them; another one mandates photo ID’s on SIM card purchases). Most of them are being compiled in this database developed by Coding Rights to track legislative procedures pertaining to digital rights: codingrights.org/pls.

Encryption

There is no prohibition or ban on encryption in Brazilian Law, even if throughout 2016, several court orders have demanded temporarily blockage of WhatsaApp due to disputes over access to encrypted data. The fouth and last (until October 2016) WhatsApp blockag happened in July and, unlike previous cases in which a judge required users ID and content of conversations, in this case the judge asked whatsapp to disable encryption and allow for real time monitoring of conversations. The case is an investigation on criminal organizations.

In the previous cases, Whatsapp CEO Jan Koum had argued: "Not only do we encrypt messages end-to-end on WhatsApp to keep people's information safe and secure, we also don't keep your chat history on our servers.. When you send an end-to-end encrypted message, no one else can read it—not even us." 

The app has already been blocked for several hours in at least three of the court orders, and a senior Facebook executive was also arrested and detained in March, 2016. Temprary blockage of applications is foreseen in article 12 of our Civil Rights Framework as a possible sanction - but specifically and only if the right to privacy, data protection and secrecy of communications are not respected in the terms of articles 10 and 11 by a communicatios or a service provider, even if it is located abroad. Therefore, a provision that was enacted to increase protection of privacy is being wrongly applied to implement an excessive and disproportional reaction. 

The latest attempt to force access to data also included another strategy: block Facebook's money. In the case, a judge blocked US$6.07m of Facebook, once Whatsapp do not have accounts in the country. Nevertheless, the fight over sustaining encryption remains.  

Licensing of industry

We are not aware of any specific examples of privacy issues related to the licensing of industry in Brazil. Please send any tips or information to: research@privacyinternational.org

E-governance/digital agenda

We are not aware of any specific examples of privacy issues related to governance and the digital agenda in Brazil. Please send any tips or information to: research@privacyinternational.org

Health sector and e-health

We are not aware of any specific examples of privacy issues related to the health sector and e-health in Brazil. Please send any tips or information to: research@privacyinternational.org

Smart policing

We are not aware of any specific examples of privacy issues related to smart policing in Brazil. Please send any tips or information to: research@privacyinternational.org

Transport

In March 2015, the Rio de Janeiro state government announced plans to adopt a fingerprint-based transport card system. Meanwhile, facial recognition technology on buses is already in use in a number of Brazilian cities. These biometric transport systems are largely the product of public-private partnerships.

Smart cities

We are not aware of any specific examples of privacy issues related to smart cities in Brazil. Please send any tips or information to: research@privacyinternational.org

Migration

We are not aware of any specific examples of privacy issues related to migration in Brazil. Please send any tips or information to: research@privacyinternational.org

Emergency response

We are not aware of any specific examples of privacy issues related to emergency response in Brazil. Please send any tips or information to: research@privacyinternational.org

Humanitarian and development programmes

We are not aware of any specific examples of privacy issues related to humanitarian and development programmes in Brazil. Please send any tips or information to: research@privacyinternational.org

Social media

In 2016, judges in different Brazilian states issued court orders to telecommunications companies requiring them to cut off access to chat applications in the whole country because services providers had been denying law enforcement agencies access to users' data. The blocks were lifted, but it is a worrisome trend because such an order is disproportionate and affects all internet users.