Systematic Government Access to Private-Sector Data in Brazil
Abstract and Keywords
This chapter describes the ways through which the Brazilian government may have access to personal data in possession of private-sector organizations with a specific focus on identifying the possibility of systematic access. There is no comprehensive data protection legislation in Brazil, but specific and sparse statutes regulate governmental access in areas such as telecommunications, wiretapping, financial data, money laundering, and national intelligence. There have been many conflicting decisions in the judiciary about governmental access to personal data, particularly registration data. In order to address this issue, a statute in 2012 expanded the investigative powers of the police and the Public Prosecutor’s Office, granting them access to registration data regardless of a court order. Brazil’s Internet Bill of Rights from 2014 aims to provide further clarity on some unresolved issues at the same time that it creates new ones.
This chapter describes the ways through which the Brazilian government may have access to personal data in possession of private-sector organizations with a specific focus on identifying the possibility of systematic access. There is no comprehensive data protection legislation in Brazil. However, a law from 2014 together with specific statutes regulates governmental access for cases such as law enforcement access to data from the Internet and telecommunications companies, wiretapping, financial data, money laundering, and national intelligence. There have been many conflicting decisions in the judiciary about governmental access to personal data, particularly registration data. In an attempt to address this issue, a 2012 statute expanded the investigative powers of the police and the Public Prosecutor’s Office, granting them access to registration data regardless of a court order. Later in 2014, the so-called “Marco Civil da Internet” established new rules about government access to both registration data and the content of digital communications. An evaluation of several statutes revealed the existence of at least one potential case of systematic access granted by the law to the telecommunications regulatory agency.
Brazil is a federal republic founded on the rule of law. The Brazilian federal system comprises the Union (federal government), the states and the municipalities. Powers at the federal and the state level are divided among the executive, the legislative and the judiciary, whereas the municipalities have no judiciary.
Although states have general authority to legislate in all matters not assigned to the federal government, the Constitution has enumerated a substantial list of powers preserved for the latter. The federal government has exclusive authority to legislate over civil, commercial, criminal, and procedural law, in addition to telecommunications, broadcasting, and computer issues, among others. On issues such as finance and consumption, both the federal government and the state have concurrent lawmaking authority, but the former has the power to enact general rules, whereas the states can only enact supplementary legislation. If the federal government has not regulated the issues of this second group, the state has full authority until federal legislation is enacted. In short, the competence for virtually all relevant legislation about governmental access to private-sector data belongs to the federal government.
The Brazilian legal regime is based on the civil law tradition, and as such court decisions are not generally binding—unless decided by the Brazilian Supreme Federal Court (“Supremo Tribunal Federal”—STF) following a specific legal procedure. Legal precedent might influence future decisions, but judges are not bound by it. Therefore, cases involving issues not extensively regulated by the law are often subject to contradictory decisions by different judges.
In very general terms, the STF has authority to decide on the constitutionality of laws using two main mechanisms: (1) an abstract judicial review—which considers the law in abstract without reference to any particular case; and (2) a concrete constitutional review—which reviews constitutionality for particular cases. Decisions made through the abstract review are binding and any legislation struck down this way is considered to be null for all purposes (erga omnes). In the second case, when the STF reviews constitutionality of laws for particular cases, decisions have effect only for the case under analysis and not for future cases. There is no stare decisis in Brazil. Despite this, a recent change allowed justices to decide whether to extend binding effect for decisions involving similar recurrent cases.
It is worth noting that the executive branch does not conduct public prosecution functions. Instead, they are carried out by an autonomous body, the Public Prosecutor’s Office (“Ministério Público”), which operates at both the federal and state levels. Prosecutors must pass a rigorous public exam to gain admittance. Some constitutional specialists consider the body to be a fourth power in terms of separation of powers, given its independence.1 The president appoints the Prosecutor General and his or her nomination must be approved by the Senate. Neither the federal nor the state governments are represented in courts by public prosecutors; instead, this responsibility belongs respectively to the Attorney General of the Union and the State Attorney General. Although public prosecutors are considered to represent and defend diffuse and collective interests of society in general—on cases of murder, for instance—the Attorney General of the Union and the State Attorney General represent their respective federative member in courts in cases where that particular entity is involved.
The Brazilian Constitution2 is quite prolific in enumerating rights and liberties.3 As an example, article 5, which deals with most of the individual and fundamental rights, contains 78 items, including various more specific rights.4
A recent change to the Constitution gave human rights treaties the status of constitutional amendments once they are approved by Congress according to the same procedure governing constitutional amendments proposed in the standard manner. So far only one treaty has been incorporated into the Constitution as an amendment: the Convention on the Rights of Persons with Disabilities.5
Brazil has no broad data protection legislation. However, in 2014, Congress passed legislation—called “Marco Civil da Internet”—to regulate basic rights for citizens online, as well as access by law enforcement to data in possession of telecommunications and online providers; it also dealt with data retention, intermediary liability, network neutrality, open government, and other issues.
III. Statutory and Regulatory Overview
A. Laws (including Regulations or Other Authorities) Requiring, Explicitly Authorizing, or Restricting Governmental Access to Private-Sector Data and the Implications That Such Laws Have for the Question of Systematic Access
1. Constitutional Provisions
The Brazilian Constitution protects various aspects of privacy rights in several provisions located under the individual rights section of its article 5 as follows: (IV) “the expression of thought is free, and anonymity is forbidden”; (X) “the intimacy, private life, honor and image of persons are inviolable, and the right to compensation for property or moral damages resulting from their violation is ensured”; (XI) “the home is the inviolable refuge of the individual, and no one may enter therein without the consent of the dweller, except in the event of flagrante delicto or disaster, or to give help, or, during the day, by court order”; (XII) “the secrecy of correspondence and of telegraphic, data, and telephone communications is inviolable, except, in the latter case, by court order, in the cases and in the manner prescribed by law for the purposes of criminal investigation or criminal procedural finding of facts”; (LXXII) “habeas data shall be granted: (a) to ensure the knowledge of information related to the person of the petitioner, contained in records or databanks of government agencies or of agencies of a public character; (b) for the correction of data, when the petitioner does not prefer to do so through a confidential process, either judicial or administrative.”6
Of these items, three are of special interest to understanding governmental access to private-sector data in Brazil: the prohibition of anonymous speech (article 5, item IV), the right to the secrecy of communications (article 5, item XII), and a generic protection to privacy, private life, honor, and image (article 5, item X).
Article 5, item X provides for a general privacy right. According to some decisions from the STF, rights such as the secrecy of financial data, professional secrecy, and several others have been derived from this general privacy clause.7 The article is often used as a general privacy umbrella when other more specific articles do not provide enough protection.
Unlike in other jurisdictions, anonymous speech is forbidden in Brazil.8 One of the main consequences of this provision is that courts have ruled that judicial authorization is not required for the police or the Public Prosecutor’s Office to have access to subscriber identifying data from companies. This understanding, however, is far from being unanimous and a recent decision at a Federal Court decided exactly in the opposite direction, stating that the privacy provisions of article 5, items X through XII protect a subscriber’s identifying information.9 In a slightly different case, the STF decided that an email provider had to give access to subscriber identifying data when the party requesting that information was part of the communication process.10 The court found that there was no privacy violation in this case, because the communication had been directed at the recipient and therefore he not only already had access to the content of the message, but the prohibition of anonymous speech in the Constitution allowed that party to know the identity of the sender. Given the high level of controversy over this issue in the courts, lobby groups have managed to pass language in what was supposed to be a minor change to the money laundering law that now allows for the police and the Public Prosecutor’s Office to have uncontroversial access to a subscriber’s identifying information in possession of the electoral courts, Internet service providers, telecommunications companies, financial institutions and credit card companies. This will be covered in more detail below.
Article 5, item XII (see above), on the other hand, protects the secrecy of communications. There are four types of communications listed in the article: correspondence, telegraphy, data, and telephone communications. Although the clause protects them from access by others, there is an exception that allows for communications to be intercepted for the purposes of criminal investigation or criminal procedural findings of fact as long as authorized by the courts. The controversy involving this article lies in whether the expression “except, in the latter case” would refer only to telephone communications, or if it would also apply to data. The doctrine and the courts also diverge as to whether the expression includes the content of the data or only the transmission of such data.11 The issue was partly resolved by case RE 418.416-8/SC with Justice Sepulveda Pertence writing the majority opinion. The case involved the seizure of computers containing data about fraud on import taxes committed by a company. The computers were seized according to a court order, but the defendant argued that the data was inviolable according to the provision of article 5, item XII. In the opinion, Justice Pertence established a difference between the content of the data and the transmission of data, stating that although the latter was protected the former was not. To be clear, according to this opinion courts can authorize seizure of computers and access the data stored in them. Although his opinion resolved the matter of access to the content of static data stored in computers, it also affirmed that the transmission of data was inviolable, which raised questions as to whether the monitoring of real-time digital communications—even when authorized by the judiciary—would be constitutional. We will come back to this issue when discussing some of the pending issues in item IV.
a. The Brazilian Civil Code
Brazil does not have a data protection law, so general statutory privacy protections can only be found in the Civil Code—although more detailed protection is provided for specific types of data. The general protections are included in the broader section of personality rights and provide little specification in addition to the constitutional provisions. In this sense, one article is relevant to our analysis: article 21 provides that “the private life of the natural person is inviolable, and the judge, attending the applicant’s request, may take the necessary measures to prevent or terminate action contrary to this standard.” The article establishes some basic general privacy protections; however, its broad and abstract wording provides little guidance in determining the limits to systematic governmental access to personal data in the private sector. This is especially true when an individual agreed to terms that allow such practices to take place.
B. Separate Laws That Might Exist for Law Enforcement Access, Regulatory Access, and/or National Security Access (including Distinctions, If Any, between Domestic Intelligence and Foreign Intelligence) and, If Applicable, How These Laws Address Systematic Access
1. Law Enforcement Access
In 2014, Brazil passed legislation to regulate the use of the Internet.12 The statute known as Marco Civil da Internet—from the Portuguese expression to describe an Internet regulatory framework—created rules addressing access by law enforcement to personal data, the content of communications, subscriber identifying information (IP address), and registration data from telecommunications and online providers.
As a general rule, the Marco Civil da Internet requires a court order before law enforcement can get access to personal data, to the content of communications, and to basic subscriber identification data such as IP addresses. When it comes to registration data related to personal qualification, affiliation and address (Art. 10, §3°), the statute simply recognizes that other legislative bodies may grant access to such information without a court order. As we will discuss in Section B(5) below, the Money Laundering Act grants law enforcement access to this kind of data regardless of court orders.
The law establishes two groups of actors that must retain and make basic information available in order to identify Internet users: (1) “Internet connection providers” and (2) “Internet application providers.” The first category (1) refers to organizations that offer connection services or access to telecommunication infrastructure. In order to simplify understanding of the regulations we will refer to them as telecommunication providers. The second category (2) refers to organizations that offer online services or applications on top of the telecommunication infrastructure; they will be referred to as online providers.
The Marco Civil statute requires both providers to retain certain basic subscriber information that allows for the identification of users. Telecommunication providers must retain for one year records that inform “date and time of the start and end of an Internet connection session, its duration and the IP address used by the [computer] terminal to send and receive data packets.” Online providers must retain for six months “information related to the date and time that a certain application was used from a given IP address.”
In order to identify a user, law enforcement must first request that the online provider disclose the IP address used by that individual to access the service on a certain date and time. Once in possession of this information, authorities can go to the telecommunication providers and request them to identify which of their users was assigned to that IP address on that particular date and time.
Law enforcement may request telecommunication and online providers to preserve data for a longer period of time. However, law enforcement will have 60 days to file an application for a judicial order of access to data—if no application is filed during this period, the request becomes ineffective (Art. 13, §§ 2, 3, and 4).
Telecommunication providers are prohibited from storing records of access to applications (Art. 14). According to the legislative debate the intent was to prohibit telecommunication providers from keeping a sort of browsing history obtained from their users. Online providers are prohibited from storing access data regarding other Internet applications, unless previously authorized by the user (Art. 16). Finally the statute also forbids the storage of personal data considered excessive in relation to the purpose that governed the consent originally given (Art. 16). These restrictions combined with the requirement of a court order before the government can have access to personal data help prevent systematic access to private-sector data.
Marco Civil’s implementing regulations (Decree 8,771/2016) established further requirements for law enforcement to have access to registration data without court orders. Accordingly, law enforcement is required to inform the specific legal authority that grants access to the registration data, along with the motivation for the request (Art. 11). This request must also be specific about the individuals whose data are requested—collective requests that are generic or unspecific are forbidden (Art. 11, §3).
The definition of registration data under the request comprises: affiliation, address, and personal qualification—user’s name, marital status, and profession (Art. 11, §2). It also requires law enforcement—or any other authority that may have access to registration data—to publish annual transparency reports including data about the number of requests for registration data (Art. 12).
It is worth noting, though, that when the article on which this chapter is based was finished, both Marco Civil and its regulations had been enacted very recently, so not many parts of the law had been tested by higher courts.
Since 2010, the Brazilian Communications Agency (ANATEL) has been at the epicenter of what is probably one of the main examples of governmental systematic access to private-sector data in the country. During that year, a major newspaper revealed that the Agency planned to build technical infrastructure and enact regulation to allow it to connect directly into telecom companies’ systems13 and obtain information related to customer’s usage of services, such as numbers dialed, time, date, amount paid, and duration of all phone calls made.14 To be sure, this technical and legal structure would allow ANATEL’s officials to have direct and unmediated online access to telecom carriers’ system with the alleged purpose of assessing whether companies are providing services with the level of quality that is determined by the Agency.
According to the Agency’s general enforcement manager, such access would be necessary to validate information that is provided by telecom companies without any sort of filtering or meddling with the data. Moreover, it would allow the Agency to assess in real time the capacity of the network infrastructure and order its expansion before the situation reaches a critical level. The system has also been justified by the need to modernize the Agency and the limited availability of technicians to inspect all companies.15
ANATEL has given assurances that the system will not be used for surveillance. According to the new rules issued by ANATEL, “the data and information accessed and obtained by the Agency pursuant to this Regulation are those directly related to the obligations of the company under supervision and essential to the effective exercise of the supervisory function of ANATEL, making sure that the content of communications between users remains secret.”16 The rule also mandates ANATEL to keep user’s personal data secret and establishes both civil and criminal liability for official misconduct.
3. Wiretapping Act
The Wiretapping Act17 dates back to 1996 and regulates wiretapping of both telephone and digital communications. The statute authorizes eavesdropping on communications only for the purpose of producing evidence to be used in criminal investigations (article 1) and requires that the Court order the procedure. Additionally, wiretapping is not allowed if: (1) there is no reasonable suspicion that the crime has been committed by the person who will be investigated, (2) evidence can be produced through other means available, or (3) the crime is punishable with “detention”—a less rigorous type of imprisonment.
Interception may be ordered ex officio by the judge or can be requested by either the Public Prosecutor’s Office or the police (articles 3 and 4). The statute also requires the request to include a clear description of the purpose of the investigation indicating the subjects who will be placed under surveillance—unless such indication is not feasible—and the means through which the interception will be performed. Eavesdropping may last for 15 days, but the term may be renewed. Courts have allowed for the extension of such term but have not established a maximum time limit for the procedure, as long as the judge supervising it deems it relevant to the investigation.18
Wiretapping practices of the Federal Police and the Brazilian Intelligence Agency were the focus of a recent scandal when an agent intercepted calls of a justice from the Brazilian Supreme Federal Court. The scandal led to public scrutiny over current wiretapping procedures and revealed that there was a clear abuse of the practice. The public outcry for more control over wiretapping practices led to the promulgation of a resolution by the National Counsel of Justice in 2008 establishing specific procedures to enhance the secrecy of the interception process and judicial control over them.19 According to the most recent data made available (related to the entire year of 2016), the judiciary authorized the monitoring of 11,066 email accounts, 18,298 lines using voice over IP, and more than 255,000 telephone lines.20 Although the rationale behind the judicial authorization is that the courts will protect citizens from abuse, such a high number of interceptions may suggest that when this control is not sufficiently exercised by judges, practical results may be very similar to those of systematic access.
The statute allows for the police to request that telephone companies provide the necessary technical services and personnel to perform the wiretapping. Illegal wiretapping is punishable with imprisonment of two to five years and a fine.
The secrecy of financial data is protected both by the general privacy provision of article 5, item X of the Constitution (above) and by the Secrecy of Financial Data Act.21 The statute applies to financial institutions such as banks, credit card companies, securities companies, stock exchanges, credit unions, and many others. The general rule is that financial data can only be obtained with a warrant, when necessary to the investigation of illicit activities. The statute, however, allows for the Brazilian Revenue Service (BRS) to request and obtain financial information directly from financial institutions regardless of judicial authorization. Although the Act has authorized such access to take place since 2001, it faces increasing opposition in the public opinion and the judiciary. For instance, an article in a major Brazilian newspaper criticized the system, revealing that since the law was enacted, the BRS had requested financial data to be disclosed over eighty thousand times.22 Despite the criticism, the STF, recently judging five actions that called into question provisions of the Secrecy of Financial Data Act, decided that the BRS may request and obtain financial information directly from financial institutions with no need for a judicial order.23
Violating the secrecy of financial data is punishable with up to four years in prison and a fine.
5. Amendments to the Money Laundering Act
In 2012, the Money Laundering Act was amended to broaden investigative powers of both the police and the Public Prosecutor’s Office. A new article 17-B was included to allow both of them to have access, without a warrant, to a suspect’s identifying data in possession of the Electoral Courts, telephone companies, financial institutions, Internet service providers, and credit card companies.24 Access to subscriber identifying information has been a long-standing demand of the police and the Public Prosecutor’s Office.
Members of the Public Prosecutor’s Office have been arguing that despite the fact that the provision was included in the Money Laundering Act its effects are not limited to the scope of the statute, but rather apply to all criminal investigations.25 The inclusion of such an overreaching provision in a statute dealing with a subject that is not commonly monitored by digital rights activists suggests that it was part of a strategy meant not to draw attention until the Act had been approved. In the beginning of 2013, the constitutionality of the access provision was challenged, but it is yet to be decided whether the STF will hear the case.
The Brazilian Intelligence System is a collegiate body responsible for planning and executing intelligence activities in Brazil. It is coordinated by a central agency, the Brazilian Intelligence Agency (ABIN), and composed of governmental institutions such as the Central Bank, the Federal Police, the Revenue Service, and the Ministries of Defence, Foreign Relations, Justice, Environment, and Finance. The Agency reports to the Office of Institutional Security, which in turn reports directly to the president.
The ABIN does not have investigative or surveillance powers, which are reserved to the police.26 Additionally, the Constitution only authorizes interception of communications for the purpose of investigating crimes, a provision that severely restricts the possibility of these practices being used in intelligence activities. These limitations to the Agency powers can probably be explained by recent history. During the military regime from the 1960s to the 1980s, the National Information Service was responsible for intelligence activities, and as such conducted wiretapping and investigation of several political dissidents and leaders of social movements. The Agency’s activities during the military regime still resonate in the public opinion and create substantial political barriers whenever a proposal to expand its powers appears.
In 2008, a scandal revealed the involvement of ABIN’s agents in the wiretapping of telephone calls made by a Supreme Court justice.27 After the scandal, a Presidential Decree expanded even further the possibilities of cooperation between the ABIN and other bodies of the Brazilian Intelligence System—such as the Federal Police—as a way to fix the alleged illegality.28 Instead of responding to public criticism with stricter rules, the executive did the opposite. The Decree created a Department for the Integration of activities developed by the Brazilian Intelligence System (DIBIS), which was tasked with the coordination and articulation of data flows relevant to intelligence activities. This has significantly expanded the exchange of information between governmental bodies and created unprecedented integration of the police and the ABIN’s databases.29 When reviewing the case many years later, the High Court of Justice ruled that the participation of intelligence agents in the wiretapping was illegal. However, it is not clear if the decision would be the same in light of the new rules introduced by the aforementioned Presidential Decree.
In short, given (1) that the Brazilian Intelligence Agency does not have investigative powers, (2) that only the police and the Public Prosecutor’s Office can investigate and request wiretap of communications, and (3) that such requests have to be authorized by the courts, in principle, intelligence activities do not seem to be a fruitful field for the Brazilian government to gain systematic access to private-sector data.
C. Laws Requiring Broad Reporting of Personal Data (Passenger Records, Financial Data) by Private-Sector Entities, Especially in the National Security and Law Enforcement Contexts and, if Applicable, How These Laws Address Systematic Access
Broad reporting of data in Brazil is usual in the context of financial data. The Secrecy of Financial Information Act creates obligations for financial institutions to report financial transactions exceeding a certain amount (R$5,000 per month for natural persons or approximately $2,500 in 2012 dollars) to the Revenue Service.30 Data reported must include only the name of the customer and the total amount of the money transacted in a given month. It is forbidden to report information related to the origin or the nature of each individual transaction, but such additional information can be obtained with a warrant.31
The Money Laundering Act mandates several organizations—such as banks, stock markets, insurance companies, credit card companies, jewelers, public registries, accountants, and others—to report activities that might indicate the existence of money laundering and related crimes. The information must be reported to the Counsel for the Control of Financial Activities (COAF), a department of the Ministry of Finance responsible for monitoring money-laundering activities in the country.
In November 2012, the Brazilian National Civil Aviation Agency (ANAC) enacted resolution 255/2012 mandating the report of passenger data—comprising Advance Passenger Information32 and Passenger Name Record—to border control authorities.33 The rules create an electronic system through which air companies will send passenger records to law enforcement authorities before the departure or arrival of flights. The types of data requested and the process of automatic communication to law enforcement appear to have been heavily inspired by regulations in place in the United States. The Brazilian Aviation Agency has defended the new rules on the grounds that law enforcement would be better prepared to act against illicit activities related to drug trafficking and terrorism, and that Brazilian regulations needed to be harmonized with international standards.
D. Laws Permitting or Restricting Private-Sector Entities from Providing Government Officials with Voluntary Broad Access to Data, Whether Pursuant to a Formal Order or as a Result of More Informal and Cooperative Arrangements
There are no specific laws other than the ones aforementioned dealing with the specific issue of voluntary disclosure of data from companies to governmental agencies and law enforcement authorities. To be clear, there is specific legislation determining the secrecy of financial information and communications, but there are exceptions for law enforcement access as long as judicial authorization is granted. Nevertheless, as many companies include in their terms of services provisions allowing the disclosure of information to law enforcement officials without a warrant, voluntary systematic access would be possible.34
Since the early 2000s, public prosecutors have been pressing companies to disclose increasingly more information. In this sense, at least two examples are worth noting. First, after the police unveiled a series of cases of child pornography in Orkut—Google’s first social network, which became extremely popular in Brazil—Google was forced to sign an agreement giving authorities a direct communication channel with the company allowing officials to request data retention, removal of content, and identification of users. Access in this case does not seem to be direct or even unmediated.
Second, in a recent Federal Court decision, it became clear that the Public Prosecutor’s Office had been trying to compel telecom companies to make subscriber identifying data available to law enforcement authorities through an online electronic system that would give them unmediated access to such information. Despite this attempt, the Federal Court has decided that subscriber identifying information is protected under article 5, items X through XII of the Constitution, and therefore, can only be accessed with a warrant.35
E. For Major Categories of Data (Communications Content, Communications Metadata, Subscriber Identifying Data, and Non-communications Transactional or Business Records), the Role of the Courts (When Is Judicial Authorization Required and When Can Data Be Compelled upon Executive or Administrative Authority?)
Table 6.1 below summarizes the role of the courts in authorizing access to different sorts of data. To avoid repeating what has been addressed in previous sections, please refer to them for more detailed information.
Table 6.1. Type of Authorization Required to Access Different Sorts of Data
Type of Data/Type of authorization needed to have access to it.
Judicial authorization is required
Police or the Public Prosecutor’s Office request is sufficient
A Regulatory Agency can access the data with the strict purpose of supervising the regulated activity
Non-communications Transactional or business records
F. Standards for Use (e.g., Once the Government Acquires Data, What Rules Govern Its Use and Sharing?), Access, Retention, and/or Destruction
Rules dealing with standards for use, access, retention, and destruction of data by the government are rather scarce and vague. Brazil’s Internet bill of rights36 established rules to govern access of the data by the government, but did not establish specific rules concerning how the government should handle such data. As there is no general legislation addressing the issue, only the Wiretapping Act and the Constitution provide some guidance to the courts. In the case of wiretapping, existing provisions related to these standards refer to the physical cautions necessary to handle recordings and transcripts. In this sense: (1) files must be kept secret in a separate court record; (2) recordings that are not used as evidence for the case must be destroyed; and (3) blank envelopes should be used to transport and communicate files.37 Despite the fact that the Wiretapping Act allows for the interception of digital communications, there are no further provisions regulating how the data should be treated.
The absence of substantial standards for using intercepted communications was a key factor that influenced the International Human Rights Court to rule against Brazil in the case Aso Escher v. Brasil.38 It dealt with illegal wiretapping of the phones of an organization connected to the landless movement in the State of Paraná—the country was condemned for disrespecting due process guarantees (8.1) and for failing to adopt internal measures to give effect to human rights protections, as put forth by the American Convention on Human Rights.
Finally, intelligence statutes allow for information to be shared between the members of the Brazilian Intelligence System, such as from the Central Bank to the Federal Police, the Revenue Service, and several Ministries of State.
G. Cross-Border and Multi-jurisdictional Issues (e.g., under What Circumstances Does the Government Assert Jurisdiction over Data Stored outside Its Borders?)
The Internet bill of rights from 2014 included provisions39 to try and address the long-debated issue of Internet jurisdiction.40 The law and these particular provisions were crafted as a strong response to the leaks claiming that the Brazilian president at the time, Dilma Rousseff, had been the target of surveillance by the United States government. Accordingly, article 11 states that “in any operation of collection, storage, retention or processing of personal data or communications conducted by [telecommunication] or [online providers] in which at least one of the aforementioned acts occur in national territory, Brazilian law shall be observed along with the protection of personal data and the secrecy of private records and communications.” The statute goes on to apply the provision above to “activities carried out by a legal person established overseas, as long it provides services to Brazilian audiences or at least one member of the same economic group has an establishment in Brazil.”
In an attempt to fix a complex jurisdiction issue, the Marco Civil statute caused additional confusion by potentially creating contradictory obligations for global or multinational online providers offering service worldwide and with offices in multiple countries. Even though there is no precedent at the Supreme Court level testing Marco Civil’s jurisdiction provision, lower courts have issued diverging decisions.41 The main issue at stake in these cases involves the interpretation of Marco Civil’s jurisdiction clause in accordance with an existing mutual legal assistance treaty (MLAT) in criminal matters between Brazil and the United States.42 In other words, given that the data controller entities of many multinational online providers are based in the United States, should Brazilian law enforcement rely on the legal process established by international cooperation treaties to request data from online providers, or can they request this data directly from the Brazilian entity that is part of the same economic group? The answer to this question has two practical consequences: (1) the amount of time necessary for law enforcement to have access to the data, and (2) the determination of the law applicable to the case.
Although there is no definitive answer from Brazilian high courts, there are diverging court decisions across the country both interpreting Marco Civil so as to recognize the need to use existing legal assistance treaties, and dismissing such treaties to apply solely the Marco Civil jurisdiction clause. This lack of definition by courts has generated confusion for online providers and has increased the uncertainty of operating in Brazil.
IV. Recent Controversies and/or Pending Unresolved Issues concerning Systematic Government Access to Private-Sector Data
There is still much controversy in the judiciary with regard to the limits of governmental access to private-sector data.
One of the key issues relates to whether public prosecutors and the police may have access to subscriber identifying data without a warrant.43 For instance, although a couple of decisions at the Superior Court of Justice44 (STJ) have found that ISPs can only provide information about their subscribers when authorized by the judiciary,45 the STF has indicated that such information should not be protected under the prohibition of anonymous speech.46 As higher courts’ decisions do not bind those of lower courts, there are many conflicting interpretations, which makes it hard to establish a uniform position. Should the courts understand that judicial authorization is required, then systematic access such as the one mentioned in Section III(D) above—direct unmediated online access by the public prosecutor’s office and the police to identifying data—is likely to be considered illegal.
Wiretapping is also far from being uncontroversial, and the law has been challenged twice before the STF.47 In one of the cases, the provision allowing for the interception of digital communications was brought to the attention of the court, but it has yet to be decided.48 There is a clear tension between Justice Pertence’s interpretation of the secrecy of communications’ constitutional clause and the provision that allows for the interception of digital communications. As mentioned above when we discussed the constitutional protections to data, the Supreme Federal Court has already decided that although data stored on a computer might be obtained with a warrant, Justice Pertence’s opinion also affirmed that the flow of data was protected under article 5, item XII even against judicially authorized wiretapping.
V. Concluding Observations
There is at least one clear example of systematic governmental access to private-sector data in Brazil: the one established for the purpose of regulatory supervision of telecommunication companies.
The approval of the Marco Civil da Internet in 2014 made it harder for the government to have access to private-sector data without court orders or in systematic form. Although the statute still left many unresolved issues to be interpreted by the courts, there are clear improvements when it comes to the protection of citizens from government access to their data or that of private organizations. These very interpretative gaps left to the courts may prove, however, to create uncertainty and increase costs for organizations to operate in Brazil.
(*) This chapter was first drafted around 2011 and at some point after 2014. During that period, Brazil was going through very intense legislative debates about data privacy regulation and Internet regulation. For this reason, I decided to take out most of the references to legislative proposals discussed by Congress and focus instead on the statutes and some of the recent decisions rendered by the high courts. Additionally, given the recent approval by Congress of the 2014 Internet Bill of Rights—also referred to here as “Marco Civil da Internet”—there was still no sufficiently stable or consolidated interpretation of this regulation by Brazilian courts. Finally, I would like to thank Marília Monteiro, Giovanna Carloni, Walter Britto, and Rebeca Garcia for their invaluable research assistance and comments on this chapter.
(1.) Alfredo Valladão, Haroldo Valladão, Mário Casasanta and Themístocles Brandão Cavalcanti, O Ministério Público, Quarto Poder do Estado e Outros Estudos Jurídicos (Rio de Janeiro: Livraria Freitas Bastos, 1973).
(3.) Marcos Nobre, “Indeterminação e estabilidade: Os 20 anos da Constituição Federal e as tarefas da pesquisa em direito,” Novos Estudos—CEBRAP v. 82, p. 97–106 (2008).
(4.) Luiz Costa, A Brief Analysis of Data Protection Law in Brazil (June 2012). 28th Plenary meeting of the Consultative Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data [ETS No. 108] (T-PD), Council of Europe, http://ssrn.com/abstract=2087726.
(5.) According to information available at http://www.planalto.gov.br/ccivil_03/constituicao/quadro_DEC.htm.
(7.) Supreme Federal Court. HC 87.654. See also AI 655.298-AgR.
(8.) In the United States, for instance, the First Amendment protects anonymous speech.
(9.) Federal Regional Court 4. Embargos Infringentes n. 0033295-12.2006.404.7100/RS, http://www.trf4.jus.br/trf4/processos/visualizar_documento_gedpro.php?local=trf4&documento=4852744&hash=ada05adcfc6834d2f9e5b5d10f66309f.
(10.) See Brazilian Federal Supreme Court. AI 763133/SP. Justice Cármen Lúcia. March 5, 2012.
(11.) See Tercio Sampaio Ferraz Jr., “Sigilo de dados: o Direito à privacidade e os limites à função fiscalizadora do Estado,” Cadernos de Direito Tributário e Finanças Públicas, n° 1, RT (São Paulo: 1992), pp. 141–54, http://www.terciosampaioferrazjr.com.br/?q=/publicacoes-cientificas/28. See also Fábio Alceu Mertens, “O sigilo de dados no direito constitucional brasileiro” for an overview of the major doctrinal and judicial positions about the issue. Available at http://jus.com.br/revista/texto/10748/o-sigilo-de-dados-no-direito-constitucional-brasileiro.
(12.) See Federal Act 12,965 / 2014.
(13.) See “Anatel terá acesso total a dado sigiloso de telefones,” Folha de São Paulo (January 19, 2011), http://www1.folha.uol.com.br/mercado/862698-anatel-tera-acesso-total-a-dado-sigiloso-de-telefones.shtml (last visited October 5, 2011).
(14.) See Ronaldo Lemos, “Brazilian Communications Agency Moves towards Surveillance Superpowers,” Freedom to Tinker (January 31, 2011). Available at https://freedom-to-tinker.com/blog/rlemos/brazilian-communications-agency-moves-towards-surveillance-superpowers/ (last visited February 4, 2012).
(15.) “Agência diz que não haverá quebra de sigilo,” Folha de São Paulo (January 19, 2011), http://www1.folha.uol.com.br/fsp/mercado/me1901201104.htm (last accessed June 22, 2011).
(16.) See ANATEL, Regulation 596/2012, article 36, http://legislacao.anatel.gov.br/resolucoes/34-2012/308-resolucao-596 (last visited June 23, 2014).
(17.) Brazilian Federal Act 9296/1996.
(18.) See Superior Court of Justice (STJ) HC 110644/RJ. April 16, 2009.
(19.) The National Counsel of Justice is a body formed by members of the judiciary, the Public Prosecutor’s Office, lawyers, and members of civil society tasked with overviewing judicial malpractices and improving the management of the judiciary. For information about the control of wiretapping by the Counsel, see Conselho Nacional de Justiça (CNJ). Resolution 59/2008, as amended by Resolution 217/2016.
(20.) See Conselho Nacional de Justiça (CNJ), http://www.cnj.jus.br/interceptacoes_tel/relatorio_quantitativos.php (last visited April 15, 2017).
(21.) Brazilian Federal Supplementary Act 105/2001.
(22.) Danilo Fariello, “Leão que Devora Sigilo,” O Globo Economia, p. 15 (September 4, 2012), http://oglobo.globo.com/economia/leao-que-devora-sigilo-6177901.
(23.) http://www.stf.jus.br/portal/cms/verNoticiaDetalhe.asp?idConteudo=310670 (last visited March 10, 2016).
(24.) Brazilian Federal Law 9.613/1998: “Article 17-B. Police authorities and public prosecutors shall have access, exclusively, to registration data of the suspect that disclose personal qualification, father and mother names and address, independently of judicial approval, kept by the Electoral Justice, by phone companies, by financial institutions, by Internet providers and by credit card companies,” http://www.planalto.gov.br/ccivil_03/leis/l9613.htm and https://www.eff.org/pages/mapping-laws-government-access-citizens-data-brazil.
(25.) Vladimir Aras, “Requisição de dados cadastrais: o segredo de polichinelo,” Blog do Vlad (July 26, 2012), https://blogdovladimir.wordpress.com/2012/07/26/requisicao-de-dados-cadastrais-o-segredo-de-polichinelo/ (last visited September 8, 2012).
(26.) Brazil, Constitution of the Federative Republic of Brazil. Article 144.
(27.) See High Court of Justice (STJ). Habeas Corpus n.149.250—SP.
(28.) See Presidential Decree 6540/2008, which modified Presidential Decree 4376/2002, https://www.planalto.gov.br/ccivil_03/decreto/2002/d4376.htm.
(29.) Ibid. Art. 6-A, § 4.
(30.) Brazil. Federal Supplementary Act n. 105/2001. Article 5. See also Presidential Decree n. 4489/2002. Article 4.
(31.) Ibid. Article 5, §2.
(32.) Advance Passenger Information (API) includes information such as: travel document number and type, passenger full name, nationality, date of birth, gender, visa number, seat, residential address, destination, etc. Passenger Name Record (PNR) information comprises information such as: full name, telephone number, API information, frequent flyer number, reservation number, flight dates, payment type, seat, etc.
(33.) See Resolution 255/2012 from Agência Nacional de Aviação Civil, http://www.anac.gov.br/assuntos/legislacao/legislacao-1/resolucoes/resolucoes-2012/resolucao-no-255-de-13-11-2012/@@display-file/arquivo_norma/RA2012-0255%20consolidado%20at%C3%A9%20RA2014-328.pdf. For background and discussion about the Resolution see also http://www2.anac.gov.br/transparencia/audiencia/aud22_2012/justificativa.pdf.
(34.) In this sense, and as an example, see the terms of services of: (1) Mercado Livre, available at http://www.mercadolivre.com.br/seguro_privacidad.html; (2) Terra, http://www.terra.com.br/avisolegal/.
(35.) Federal Regional Court 4. Embargos Infringentes n. 0033295-12.2006.404.7100/RS, http://www.trf4.jus.br/trf4/processos/visualizar_documento_gedpro.php?local=trf4&documento=4852744&hash=ada05adcfc6834d2f9e5b5d10f66309f.
(36.) See Brazil Federal Act 12.965/2014.
(37.) See Wiretapping Act, Federal Act n.9296/1996. See also National Counsel of Justice (CNJ). Resolution 59/2008.
(38.) Escher v. Brazil, Judgement (IACtHR, 20 Nov. 2009), http://www.corteidh.or.cr/docs/casos/articulos/seriec_200_por.pdf.
(39.) See articles 10 through 12 from Law 12.965 / 2014.
(41.) Just by means of illustration, the lower court of the state of Rio Grande do Sul has recently decided that the Federal Prosecutor’s Office should use the MLAT to request access to private messages exchanged via Facebook—the information would be allegedly included in an investigation on corruption and extortion (see https://jota.info/justica/mpf-deve-obter-por-tratado-dados-de-rede-social-diz-juiz-02122016, last visited May 7, 2017). On the other hand, also as an illustration, the 4th Circuit Federal Court has considered that the MLAT was unnecessary if the company at hand was regularly established in Brazil, having a foreign shareholder (TRF, 8th Panel, Appeal No. 0000310-03.2013.404.0000, June 12, 2013).
(42.) For more information on the treaty between Brazil and the United States on mutual legal assistance in criminal matters please see https://www.state.gov/documents/organization/106962.pdf.
(44.) The Superior Court of Justice is a high instance of the Brazilian judiciary responsible for deciding cases involving divergence of interpretation of federal legislation. For more information see http://www.stj.gov.br.
(45.) See Superior Court of Justice (STJ) AI 1.203.054/SP. See also Superior Court of Justice (STJ) REsp 1.068.904/RS.
(48.) See Brazilian Supreme Federal Court (STF) ADI 1488.