Brazil: Digital Policies during COVID-19 times

By Carolina Telles

When the quarantine began in the Brazilian states, between the third and the fourth week of March, the country had only 2,271 cases and 47 deaths. Five months later, the total number of cases is more than 1000 times higher: the country already exceeds 4 million cases and is the third with the highest number of cases in the world, behind only the United States and India. Between exchanges of ministers and campaigns against social isolation promoted by the president, there was a serious political and economic crisis, in addition to the dramatic increase in the number of cases.

At the end of March, the Ministry of Science, Technology, Innovations and Telecommunications (MCTIC) announced an agreement between the federal government and five Brazilian telecom companies to map compliance with isolation orders through geolocation monitoring. The operators said the data would be anonymized and stored in a public cloud, in addition to being in accordance with the Brazilian General Data Protection Law (LGPD) and the Internet Civil Framework (Marco Civil da Internet). The partnership, however, did not even go into action, being suspended less than 15 days later.

When suspending the measure, on April 13, President Jair Bolsonaro claimed that there are possible privacy risks and that the Presidency needs to study the issue better – even though the Federal Attorney General had given a favourable opinion regarding it.

As mentioned by Professor Danilo Doneda, personal data are essential for the implementation of public policies to contain the pandemic – which includes geolocation data – in addition to providing faster advances in scientific research.

Regardless of the overturned measure, the State of São Paulo announced the use of cellphone data to track agglomerations on April 9 – despite indications that monitoring had been taking place since the beginning of the quarantine, on March 24, two weeks before the agreement between the telcos and the government being closed. Simi[1] (Sistema de Monitoramento Inteligente, in portuguese) was organized by the Institute of Technological Research of the State of São Paulo (IPT) and is carried out in partnership with the four largest operators in Brazil (Oi, Vivo, Tim and Claro).

Simi was even contested in some Court actions, including a Popular Action, whose provisional remedy was denied, since the system does not infringe on the rights of locomotion and privacy. Furthermore, Simi’s main object – geolocation data – was already collected, anonymized and inserted into big data platforms by operators for a long time; the material, managed by the private company ABR Telecom, is used only for statistical purposes and to maintain the demand for telecommunications. Given the exceptionality of the current global situation, the system becomes justifiable, in addition to being backed by the Attorney General of Union.

Although the Brazilian General Data Protection Law (LGPD) is not in force, it is essential that companies and public bodies follow the Methodology principles, which include pseudonymization, time limitation, active transparency and seven other steps. In the report “Privacy and Pandemic: Recommendations for the Legitimate Use of Data to Combat Covid-19”, the CyberBRICS Associated Scholars Bruno Bioni and Renato Leite with other colleagues from Data Privacy Brasil listed some of the main recommendations, including:

  • Need for technical and scientific reasoning regarding the need and efficiency of the use of personal data;
  • Need for law and other specific legal rules to support cooperation between the public and private sectors;
  • All measures employed must be guided by the least possible intrusion into privacy;
  • Respect for the idea of ​​a well-defined purpose;
  • Predefined life cycle: any and all data use operations for Combating COVID-19 must have a beginning, middle and end;
  • Measures to contain privacy risks must be articulated in all cases;
  • Maximum transparency in measures and their governance;
  • Open sourcetechnologies.

Provisional Measure provided for sharing databases of telecommunications operators

Also in April, the edition of Provisional Measure No. 954 determined the operators to compulsorily share their databases electronically. The data requested were the names, telephone numbers and addresses of the users. According to the Executive Summary of the MP, the intention was to maintain official interviews conducted by IBGE in a non-face-to-face manner during pandemic. The MP included safeguards, stating that the data would be kept confidential, was to be used exclusively for the production of official statistics and would be eliminated as soon as the emergency caused by the pandemic ended.

The attempt to collect the personal data of millions of Brazilians generated concern among politicians and scholars, which led the PM to be the target of several Direct Actions of Unconstitutionality – that were addressed by Luca Belli and Nicolo Zingales in a recent article. On April 24, 2020, an injunction was granted to suspend the effects of the PM, after judgment of the action by the Federal Council of the Brazilian Bar Association, with Min. Rosa Weber as its rapporteur.

5G auction: possible lack of investment worries operators

Another important event for the digital medium, the 5G Auction, is at risk of being postponed due to the pandemic. Although Anatel declared that “it is still too early” to give a position on the matter, the possibility has not been completely ruled out. The Agency claims to be “closely monitoring” the possibility of a postponement, which can be determined until the first two months of 2021. The Auction is scheduled to take place in March 2021.

Local operators, such as Oi and Claro, approve delaying the Auction. Both companies fear that post-pandemic Brazil’s economic uncertainties will make the event less attractive, reducing investment capacity in 5G.

LGPD’s unpredictable future

The Brazilian General Data Protection Law (LGPD) was one of the digital policies that were most redesigned during the first quarantine months in Brazil. On April 29, Provisional Measure 959/20 has been edited by the President, determining the postponement of the term of the LGPD to May 2021. The PM, which touches mainly on topics related to the Government’s Emergency Aid for COVID-19 response, has not yet been voted.

On May 19, Bill 1179/20 was approved, establishing special rules of Private Law during the Covid-19 pandemic, including the postponement of LGPD’s administrative sanctions, which will only become effective in August 2021. The rest of the Law follows the legal text; that is, until now, the date of May 2021 defined by PM 959/20 is valid. If this Provisional Measure is rejected by Congress, the original date of the law (August 2020) returns. The expectation is that this original date will be recovered.

With a possible postponement of the LGPD, the country would remain outdated in terms of cybersecurity and data privacy. Although the government affirms compliance with the Law in its most recent promulgations, there are gaps for the misuse of data by public and private institutions, such as the attempt to install facial recognition cameras on the São Paulo Metro, in February 2020. On the other hand, there are still numerous pending issues that need to be solved before the law is actually enacted, as the creation of the National Data Protection Authority (ANPD), whose structure was defined by the government but continues to be delayed.

In an interview with ConJur in April 2020, the president of the OAB’s Data Protection and Privacy Commission, Estela Aranha, stated that this “middle ground” would be ideal: to keep the law’s principles and foundations in force “even for to give a standard for the public power to use this data during the new coronavirus pandemic “, but to postpone the sanctions, aiming at the preservation of the already fragile Brazilian economy.

In the end, the Provisional Measure is likely to fall by the wayside, as its main focus was on Government’s Emergency Aid. If the PM loses its effects, the law’s previous valid date (August 2020) will be applied. Sooner or later, the Law will come into effect; it is a new global urgency, and not a mere bureaucracy. We still have two long months until August, and the way in which Brazil will reconcile the crisis in large sectors with political needs will be fundamental to guarantee the protection of personal data.

Internet as a fundamental right

It is worth mentioning that, as stated in Article 7 of the Internet Civil Mark Network, “access to the Internet is essential to the exercise of citizenship”. Therefore, without access to the network, especially in times of pandemic, it is impossible to exercise basic rights as a citizen: home office, attend classes, have access to information, leisure or delivery services. In a recent article for the Convergência Digital portal, Luca Belli talks about the social exclusion resulting from the disparity in access to the network in Brazilian regions, especially in times of pandemic. In addition, the author also addresses the risk posed by limited data franchises and zero rating practices, which form a perfect environment for fake news; in an election year, “having access to sponsored apps only is a real time bomb for democracy”.

In order to debate the digital policies adhered to by BRICS countries during the pandemic, CyberBRICS organized the BRICS Digital Policies Webinar, which took place on the morning of September 10. Luca Belli and Larissa Magalhães raised a debate about The Fake News Bill, whose article 10 violates human rights, and the controversy surrounding the validity of the LGPD.

[1] “The Simi project is also supported by the opinion of the Attorney General’s Office, regarding the possibility of using anonymous data, in general, to combat COVID-19. AGU notes that anonymized data cannot be considered personal data, deserving different legal treatment. Furthermore, it points out that even if they were subject to the General Data Protection Law, it provides for exceptions for the processing of personal data in matters of public health, and that in these matters the principle of the supremacy of the public interest over the private should be considered. ”, extracted from ConJur.