After two years of negotiation at the National Congress, Brazil’s Personal Data Protection Bill was finally sanctioned by president Michel Temer on August 14. The original text was approved in both houses of Congress by a unanimous vote.
The bill, as defined by members of Congress, is a “legal framework for the protection, use and treatment of personal information”. The law intends to give individuals greater power to control their data, by requiring corporate entities to obtain a person's consent before collecting their information. This is an important move in Brazil where pharmacies, public transportation and other services often capture people’s data without their explicit consent or prior notice.
After the misuse of data captured on Facebook became a worldwide concern with the Cambridge Analytica scandal in early 2018, the Congress expedited its process on the bill.
But there is a catch. The text signed by Temer is not exactly the same one approved by the Parliament. Temer vetoed some elements of the original.
Global Voices talked to Bia Barbosa, an activist who is part of the collective Intervozes and a member of Coalizão Direitos na Rede (Net Rights Coalition), to learn the groups’ concerns about the bill.
Barbosa explains that the text has a series of problems, mainly caused by Temer's vetoes. She highlights three of them:
O primeiro o veto à criação de uma autoridade independente e de um conselho de proteção de dados pessoais, que estaria vinculado à essa autoridade, garantindo participação multissetorial. Hoje, isso deixa a lei sem condições e garantia de sua aplicabilidade. O governo tem declarado que vai enviar um projeto de lei ou uma medida provisória para o Congresso para criar essa autoridade, mas as informações que a gente tem é de que o modelo que vai ser enviado pelo Executivo não respeita o modelo de autoridade que foi negociado nesse texto no Parlamento. Esse é o principal problema para a gente, porque sem uma autoridade realmente independente, com autonomia administrativa e poder sancionatório, a lei corre sérios riscos de não sair do papel.
Outro risco que nos parece bastante preocupante é o veto ao artigo 28 que estabelece o dever do poder público informar, de maneira pró-ativa a sociedade quando ele compartilha dados pessoais com outros órgãos do poder público. Esse artigo foi vetado, de uma maneira, na nossa avaliação, sem justificativa e gera uma deficiência de transparência no tratamento de dados pelo poder público.
O terceiro aspecto, que para as organizações de defesa de liberdade de expressão também é significativo, é o veto dado ao artigo que garantia a proteção dos dados pessoais dos requerentes de informação via LAI. Ou seja, os dados das pessoas que pedem informação ao poder público, tinham uma previsão garantiste de proteção aos dados desses requerentes e isso também foi vetado. Na nossa avaliação, apesar da grande maioria da lei ter sido respeitada, esses vetos são preocupantes.
The first one is the veto of the creation of an independent authority and of a personal data protection council, which should be submitted to this authority, ensuring multi-sector participation. With this section removed, the bill no longer articulates conditions or protections for its enforcement. The government says it will send a new law to the Congress to create this authority, but the information that we've received indicates that the Executive’s model doesn’t respect the model that was negotiated at the Parliament. Without this, the bill has serious risks of not coming to fruition.
Another risk that is very worrisome to us is the veto of article 28, which establishes the public duty to inform society, in a pro-active manner, when sharing personal data with other public offices. This article was vetoed in an unjustifiable way, which limits the transparency of how public data is treated by public power.
The third aspect is the veto given to the article that guaranteed the protection of personal data of those who required information via the Access to Information Act (LAI). There was a provision to ensure protection of people requesting data, but it was also vetoed. To us, even though the majority of the bill was respected, these vetoes are concerning.
Before the signing, the collective Net Rights Coalition warned of the possibility that the president would veto the creation of a National Data Protection Authority (ANDP). The ANDP was meant to work as an independent regulatory agency. According to the federal government, it would be “unconstitutional” if the Congress were to create such an authority, and therefore a governmental office should have oversight in the process, in order to ensure its functionality.
Most importantly, the group noted that the military has been working to incorporate the Institutional Security Cabinet into the policy. The Brazilian Intelligence Agency falls under the authority of the Cabinet.
A possibilidade de deixar para um órgão do próprio governo a tarefa de garantir o respeito à lei pelo poder público coloca em total risco sua eficácia.
Por isso, o texto aprovado no Congresso prevê uma Autoridade independente administrativamente do Executivo. Este modelo de autoridade não é nenhuma novidade no Brasil e é o padrão da grande maioria dos países que têm leis gerais de proteção de dados pessoais.
The possibility of leaving an organ that is part of the government with the task of ensuring respect to the law puts its efficiency at total risk. Therefore, the text approved by the Congress has foreseen an Authority that is administratively independent from the Executive. This model is no news in Brazil and is a pattern to a large majority of countries with general data protection laws.
The vetoes can also affect the enforcement of Brazil's unique Marco Civil or “Internet Bill of Rights” that was passed in 2014. As Barbosa notes, there are currently around 200 proposals under review in Congress that would change Marco Civil. Most of these proposals are focused on two areas. The first is to remove a key check on state entities that wish to access personal data held by companies: the current legislation requires state actors to obtain a court order before doing this, but many of the pending proposals would remove this requirement.
Na nossa avaliação, isso abre um precedente muito perigoso, para risco de vigilantismo total do poder das forças de segurança, do poder investigativo para o cidadão comum, por isso a gente tem combatido esses projetos.
In our evaluation, this opens a very dangerous precedent, risking a total vigilantism for the power of security forces, or investigative power of regular citizens. That’s why we’ve been fighting against these projects.
The second line of proposals would obligate social media and other platforms to immediately remove content after receiving a request, rather than awaiting judicial review. Many of them use the “blue whale”, an internet challenge that allegedly drives teenagers to commit suicide, as an excuse.
Para a gente isso também é perigoso, porque coloca nas mãos dessas plataformas a responsabilidade de avaliar esses conteúdos e, não necessariamente, isso vai ser feito de uma maneira equilibrada com a defesa do princípio de liberdade de expressão. Então, a gente tem combatido esses processos no sentido de manter o marco civil na sua integralidade, entendendo que é uma lei principiológica, bastante atual.
We also see this as a dangerous move, because it puts in the hands of these platforms the responsibility to evaluate content and, not necessarily, this would be driven in a balanced manner, defending the principle of free speech. So, we’ve been fighting these processes in the sense of keeping Marco Civil at its integrality, understanding this is a principle law, very up to date.
Bia Barbosa also points to the fact that collecting data through apps, credit cards and internet browsers is now an “indiscriminate practice” of many companies. This leads to leaks, wrongful commercialization and sharing without consent. “All our data is being constantly treated and collected, without people knowing or being informed about it”, she says.
She also notes that although Marco Civil has multiple provisions ensuring protections for users’ privacy, the text has been disrespected or ignored, which has led civil society to propose a specific law aimed at personal data protection.
A gente espera agora que com a aprovação dessa lei, o Brasil comece a mudar a cultura da coleta de dados porque a ideia da lei não é impedir o tratamento de dados, mas definir em que condições isso pode acontecer, que o usuário seja informado, que respeite direitos fundamentais, que haja limites para esse tratamento, que a comercialização não seja feita de uma maneira indiscriminada e massiva como é feita hoje.
We now hope that with the approval of this law, Brazil will begin to change the culture of data collection, because the bill’s goal is not to stop data processing, but to define under which conditions that can happen — it says that users must be informed about it, respecting fundamental rights, and that puts limits on how data can be treated, stopping indiscriminate and massive commercialization as it’s done today.
Brazil is currently approaching presidential elections. Temer, who as vice-president came to power after the controversial impeachment of Dilma Rousseff, will leave office on January 1.
When sanctioning the bill, he promised to send a new bill to create the agency “soon”. How the agency will operate, or whether it will be submitted to the Ministry of Justice, has yet to be defined.
Valor newspaper quoted him as saying:
“Eu vou mandar logo, muito brevemente um projeto de lei, mais ou menos com os mesmos dizeres, mas sem vício de iniciativa”, explicou o emedebista. (…) “Vou deixar mais ou menos como está”, sinalizou.
I will send, very soon, a draft law, with similar language, but without the initial vice (the fact that the Legislative power was creating and could make it unconstitutional, according to the Executive)…I'll leave it more or less how it is.