Brazil took a huge and long-awaited step in 2018 with the enactment of its overdue Brazilian Data Protection Law: a comprehensive EU General Data Protection Regulation–inspired piece of legislation that has become one of the most anticipated privacy regulations in the world. The impact of regulation in Brazil is massive and has enormous consequences for both its more than 200 million citizens and organizations operating in the country.
The LGPD has a complete set of principles, including respect for privacy, freedom of expression, information, communication and opinion, and informational self-determination, that can be seriously impacted by a new bill being voted in the Senate this week. A proposal soon to be voted in the Brazilian Senate introduces practices that directly affect privacy rights of Brazilian citizens and may provide a considerable blow to democratic values. The “Fake News Law Project,” as it has been branded by its authors, was born as a local reaction to a global debate (control and limitation of "fake news," in particular, as related to elections) but may bring forth serious setbacks for several fundamental rights of citizens.
Article 5 of the proposed bill, in a section branded “Security and Transparency,” mandates for citizens to have (and provide) (1) a valid national ID card; (2) a valid cellphone number registered in Brazil; and (3) a passport in the case of foreign phones, if they want to open an account on social networks and “interpersonal communication services.” Article 6 requires these same providers to adopt proactive measures to suspend accounts of users whose telephone numbers have been disabled by telephone companies.
Another article includes an obligation to keep logs of message forwards “from their origin, for a minimum of 4 months,” which can be, in turn, requested by a court order. This data retention provision destined only to metadata was included without any discrimination of the legality (or not) of the content of the messages or any other proportional limitation.
Data retention schemes have been always controversial. The European Court of Justice held that a directive requiring internet providers to store metadata to facilitate the prevention and prosecution of crime was found to be invalid under Article 7 (privacy) and Article 8 (data protection) of the Charter of Fundamental Rights of the European Union. Constitutional courts in several EU member states (Germany, Romania, the Czech Republic, Cyprus and Bulgaria) found national data retention laws to be unconstitutional.
In the Latin American region, the Supreme Court of Argentina declared unconstitutional its data retention law in 2009.
Article 13.II of the proposed bill provides that exclusion of content from social networks must be done after opening a moderation procedure that includes the right to contradict the request and right to defense. This provision ignores that currently most content moderation is done automatically and generates no issues for users but also that internet providers should be free to police its platform and act immediately if there is a risk for other users or the platform. The rest of the provision contradicts the right of platforms to self-regulate.
A similarly controversial provision was included in Article 24 of the proposed bill, which calls for social network and interpersonal communication services to have a local entity in Brazil with a legal representant and “keep a database in Brazil containing information regarding Brazilian users and for safekeeping of contents in those situations provided by law.” The provision is essentially a forced data localization regulation. This mandate to localize personal data in Brazil will have a large impact on Brazilian citizens and constitutes a de facto trade barrier with implications for the development of international commerce and e-commerce. The centralization of databases poses serious security issues, increases vulnerability, and implies lessening protections for data subjects added to the consequences of mandatory access and disclosures of private communications and personal information. It is widely accepted that forcing concentrations of data storage in single or limited locations runs contrary to accepted information security protocols and, therefore, may well have the effect of weakening information security (see "
In the same direction, and in an urgent call for extended discussions and broader consultation and debate with civil society, David Kaye, the UN Rapporteur on Freedom of Opinion and Expression, has pointed out that “the Brazilian Government is promoting a Bill on misinformation which seems to be extremely problematic in relation to topics such as censorship, privacy, rule of law and due process” and has made a call to legislators to “prevent this project from moving forward and conduct extensive prior consultation with civil society to adopt an approach consistent with Brazil’s commitments on human rights.” This call for a wider discussion has also been echoed by Edison Lanza, current Special Rapporteur for Freedom of Expression of the Inter-American Commission on Human Rights.
Finally, the Iberoamerican Data Protection Network’s Privacy Standards calls for the adoption of regulatory instruments that guarantee the protection of personal information and free flow of information as a basis for the development, the strengthening and exchange of goods and services in a global and digital economy, and an aim not to establish barriers on the free flow of data. A Brazilian misstep in this direction, approving a project that significantly diminishes privacy rights and promotes opaque data practices and increased citizen surveillance, will move the regional giant a long way from good practices that have become ever more present in Latin America.
Photo by Tim Mossholder on Unsplash