Brazil Needs a Twenty-First Century Data Protection Strategy
Robert Muggah is co-founder and research director of the Igarapé Institute, as well as co-founder of the SecDev Group. Louise Marie Hurel coordinates Igarapé Institute's cybersecurity and digital liberties projects.
The world is drowning in data. Every minute, there are roughly 456,000 tweets, 510,000 comments posted on Facebook, 999,000 Tinder swipes, 3.6 million Google searches, 4.1 million Youtube videos watched, and 103 million spam emails. The numbers are mind-boggling: every day we create over 2.5 quintillion bytes of information. A common trope is that data is the “new oil” propelling economies forward.
Individuals often share their personal data without knowing how it is used. This is dangerous. After all, governments routinely collect information in ways that can infringe on civil liberties. Private companies frequently harvest data for profit without securing explicit consent. In some countries, there has been pushback, with demands for greater data localization and data sovereignty to keep personal information from being misused.
Europeans place a particularly high value on the right to privacy both online and off. Last week, the European Union’s General Data Protection Regulation (GDPR), which sets out the basic rights for how personal data of EU citizens can be used, stored and processed, entered into force. On the same day the GDPR came into effect, privacy activists filed complaints against Facebook and Google that could result in multi-billion-dollar fines.
What makes the new EU legislation so potent is that it applies to anyone handling personal details of EU citizens anywhere. For better and for worse, the new legislation has set a new precedent for data protection around the world. Civil liberties activists are clamoring for similar legislation in the United States and elsewhere, including in countries like Brazil.
The GDPR gives people control over their own data. Specifically, it requires a much higher standard of accountability from entities that collect data—including big tech companies—in handling personal information. Individuals whose data is collected by governments or companies under the GDPR’s jurisdiction can now exercise a slew of rights, including to be forgotten, to access their own data, and to data portability (to obtain and reuse their personal data).
While some companies are grumbling about the costs of implementing the new EU legislation, few doubt that it raises the bar on data protection. After all, the GDPR promotes transparency at precisely the moment the global digital economy is lifting off. By requiring companies to develop stricter rules for securing personal data, improve their IT management and develop policies for explicit data subject consent (or face a stiff penalty), the law offers a roadmap for other nations to improve their data protection legislation.
Brazil has long dragged its feet when it comes to data protection. Part of the problem is that lawmakers have been distracted by never-ending political graft, economic uncertainty, security crises, and looming presidential elections. In Brazil, as in many other countries, national security prerogatives have often trumped personal freedoms. Consequently, the country’s data protection rules are fragmented. Even though Brazil suffers from major cyber breaches and risks to personal data, the federal government has been slow to act.
There are signs that this is about to change. The wheels were first set in motion with Edward Snowden's revelations of the indiscriminate collection of personal information and espionage by the United States in 2013. The more recent string of data-mining scandals, including those involving Cambridge Analytica and its Brazilian partners that collected data on over 433,000 Brazilians, also increased the demand for reform. And the requirements of the GDPR have clearly put pressure on Brazil’s public authorities and private sector to dramatically step up their game.
The good news is that Brazil already has legislation that guides its data protection efforts, including the Brazilian Internet Bill of Rights (also known as the Marco Civil) and the Consumer Protection Code, which sets out core principles for data privacy and protection. While landmark laws, both of them lack specific guidance for establishing regulations and institutions to protect privacy. The country’s patchwork of at least thirty laws on digital privacy are in desperate need of review, consolidation, and improvement.
Over the past few years, Brazilian legislature have debated two proposals that could radically reshape the country’s data protection landscape.
The first, proposal 5276/2016, sets out concrete provisions to protect privacy, curb discriminatory profiling, and establishes institutions to regulate data protection practices. It was crafted on the basis of over 2,000 submissions from businesses, universities, and activists, and is preferred by digital rights campaigners. The second, PLS 330/2013, is preferred by the government and businesses, since it grants them more discretion to store and share the personal data of Brazilian citizens. Not surprisingly, there has been vociferous disagreement about which proposal offers the best way forward for Brazil.
After months of intense wrangling, Brazil's lower house of Congress finally approved proposal 5276/2016 (renamed PL4060/2012) this week. If it is approved by the Senate, the new law will dramatically affect the rules for government agencies and companies operating in Brazil. For example, it will require all government agencies and companies operating in Brazil to require individual consent to hold their information and to eliminate it after they terminate their relationship. It also sets out strict rules on individuals' access to data, requirements for parental or legal guardian support for the use of children's data, and rules on data for health-related research.
Crucially, the new data protection legislation calls for the creation of centralized bodies to implement these requirements. At a minimum, the government will be required to establish a Data Protection Authority and a National Council for the Protection of Personal Data. These new bodies will be made up of a fairly broad array of stakeholders, albeit mostly public authorities, with the express purpose of implementing and monitoring the new law. Once passed, Brazilian public and private authorities will have eighteen months to comply.
Comprehensive privacy laws like the GDPR have far-reaching effects extending far beyond their borders. It has clearly has helped revitalize Brazil’s data protection legislation, and the digital rights of Brazilians everywhere. While there is still work to be done, data protection is a fact of life. And that is good news for a change.