Brazilian Data Protection under Covid-19: Legal Certainty is the Main Casualty

By Luca Belli and Nicolo Zingales

On 14 August 2018, Brazil adopted its new General Data Protection Law, n° 13.709/2018, better known under its Portuguese acronym “LGPD” (Lei Geral de Proteção de Dados Pessoais). Hailed as a legislative milestone for Brazil, the law was predestined to stir controversy since its approval. The very ample margin for interpretation of a wide range of unclear provisions, the absence of a Data Protection Authority able to clarify such provisions, and the general unfamiliarity with data protection concerns amongst Brazilians were only the initial obstacles LGPD had to overcome. Then, Covid-19 struck.

In the uncertain context where the LGPD emerged, the utmost priority was to create the new DPA – called ANPD in its Portuguese acronym (Autoridade Nacional de Proteção de Dados) – as expeditiously as possible. Importantly, the creation of the ANPD is the only available way to avoid legal uncertainty and the impossibility of concretely implementing the law. Although the creation of the Authority was initially vetoed by former President Temer, the understanding of its fundamental value to give meaning to the LGPD led to its reintroduction in the LGPD together with the prescription of the immediate entry into force of the norms establishing the authority. A vacatio legis period of 18 months was initially established to allow Brazilians to get ready to comply with the new legislation. In August 2019, the vacatio legis was extended by a further 6 months, pushing the date of entry into force to 16 August 2020.

Readers should not, however, make the mistake of believing that the mere entry into force of this law can provide Brazilian data subjects and data controllers with the necessary legal certainty. To date, the ANPD has not been established, to the great disappointment of an ample spectrum of stakeholders. Conceptually, the LGPD is largely inspired by the European data protection model, enshrined by the Council of Europe Convention No. 108 and, in its most refined expression, the General Data Protection Regulation. However, key elements remain undefined, such as the procedures for data subject requests, the criteria used to deem data anonymized, the procedures for data breach notifications and the criteria for the conduct of Data Protection Impact Assessments, just to name a few examples.

If anything, the arrival of the Covid-19 pandemic has made the establishment of the ANPD and the entry into force of the LGPD even more urgent, especially considering the repeated calls for the development of contact-tracing apps or other data-hungry approaches, frequently heralded as miraculous solutions to stop the pandemic. Instead, the Brazilian Congress and the Presidency have been competing to postpone the entry into force of the LGPD, which, as it stands, will enter into force on 3 May 2021, while the section regarding its sanctions will only enter into force on 1st August 2021. However, to confuse the scenario even more, this timeline is far from certain because the postponement was established through an Executive Order (MP959/2020), which, albeit immediately effective, requires approval from Congress. For conversion of the Order into law, Congress has a 60-day term, which is renewable once. As a result, it may well happen that the official date for the entry into force of the law remains 3 May 2021 until the expiry of the 60+60 days term, and on 30 August 2020 backtracks to its original date of 16 August 2020 (while sanctions would only be applicable in August 2021). Crystal clear, isn’t it?

To add insult to injury, in mid-April the Brazilian President issued a loosely worded Executive Order (MP954/2020), mandating telecom operators to share the names, telephone numbers, and addresses of their more than 200 million subscribers with the governmental agency responsible for the national census, the Brazilian Institute of Geography and Statistics (IBGE). If this sounds like a revival of the notorious Census case, that is because it really is one, as the next section explains.

The IBGE Case a.k.a. Census Reloaded: The Pandemic’s Silver Lining for Data Protection in Brazil?

According to Executive Order MP954/2020, the subscriber data shared by telecom operators would be used by IBGE to conduct non-presential interviews “for the production of official statistics” during the pandemic. The Order included minimal guarantees with regard to the collected data, namely: that they would be maintained under strict confidentiality; they would not be used for any other purpose, including certification or proof in administrative, fiscal or judicial proceedings; and they would be deleted, at the latest, 30 days after the official end of the emergency situation. However, those guarantees were deemed vague and insufficient by several political parties and by the Federal Council of the Brazilian Bar Association, all of which brought direct challenges before Brazil’s Supreme Court to obtain a declaration of unconstitutionality (and thus annulment) of the Order.

The petitioners stressed the broad formulation of the purpose of the data processing and the absence of effective controls over IBGE’s responsible handling of subscriber data, among other procedural and substantive flaws. Based on such considerations, the petitioners relied on the core argument that such measures violated the constitutional protections of human dignity, intimacy, honor, confidentiality and (most importantly) the right to informational self-determination.

Although informational self-determination is explicitly listed by art. 2 of the LGPD as one of its founding principles, the Brazilian Supreme Court had never formally recognized it as a fundamental right. However, in a sort of tropical revival of the landmark Census case, which gave birth to informational self-determination in Germany in 1983, the Brazilian Court seized the opportunity to recognize this right in this particular case, taking into account historical and technological developments since its illustrious precursor.

To give an illustration of the fundamental importance of this ruling, we highlight here some of the key passages of the two judicial opinions that have been made publicly available so far: the monocratic decision by judge Rosa Weber to grant injunctive relief to the petitioners (and thus suspend the decree) pending the final judgment, and the opinion by judge Gilmar Mendes that followed that ruling and voted in favor of the declaration of unconstitutionality on the merits. This is also the position followed by the majority of the judicial college, which resulted in the annulment of the decree on 7 May 2020, with a resounding 9 to 1 vote.

Judge Weber convincingly pointed out that the vaguely formulated purpose of “official statistics” does not permit the identification of the legitimate interest that the government intends to pursue with the measure in question, much less its necessity and proportionality. She further noted, crucially for the establishment of the right to data protection, that the Order did not establish any suitable technical or administrative mechanism to protect the personal data from third party access, data breach or unauthorized use.

In a well-written and academically referenced opinion, Judge Mendes endorsed that position, tracing the evolution from the right to privacy to data protection in the scholarly debate, as well as through some landmark cases and statutes in the US and EU. Emphasizing the fundamental character of adaptability of constitutional protections to a changing (technological) world, he grounded the recognition of the right to data protection on (i) the fundamental right to human dignity; (ii) the right to protection of intimacy in light of new risks derived from technological advancements; and (iii) the substantive protection offered by the Habeas Data, a well-established procedure in the Brazilian system, which provides data subjects with the right to request access to any of their personal information that is used in publicly owned or publicly used databases.

Against this backdrop, Judge Mendes reiterated Weber’s criticism of the purpose and the absence of limits on data processing, and made clear that the State has not absolved itself from the duty to establish the necessary technical and administrative safeguards, such as the anonymization of data and a minimum of transparency. Among those safeguards, he stressed the necessity of an independent data protection authority, which is recognized as an integral part of the fundamental right to data protection in the EU Charter of Fundamental Rights.

A Transnational Epiphany for Data Protection?

While there are several other points worth highlighting in this landmark case, it is interesting to situate the judgment in the peculiar context in which Brazil finds itself in facing the emergency. First, the Brazilian government’s response to the pandemic has been characterized by confusion, institutional conflict, and, critically, the lack of a clear strategy. Epitomized by the President’s downplaying of the situation, the institutional “response” has led to sustained skepticism and erosion of the effectiveness of the social isolation measures adopted by the governors of States and municipalities.

The fact that the data protection discussion has revolved around the lack of the most basic safeguards in the government’s handling of personal data, rather than the adoption of strategic and more sophisticated measures to curb the spread of the virus, including via the legitimate use of personal data, provides a telling picture of the current scenario. Importantly, 2020 is also an electoral year for Brazil. Almost 5,500 Brazilian municipalities will have to renew their administrations. In such a context, strong data protection, rather than loose sharing of the data of millions of voters, is of utmost importance.

Second, the lack of a data protection authority and of a data protection law played a role in motivating the Court to act in a more active and assertive fashion in keeping the government in check with regard to the processing of personal data. This was specifically acknowledged by both judges, making explicit the pressing need for the establishment of a well-resourced and well-staffed ANPD, as expeditiously as possible.

Third, and perhaps most interestingly from an academic perspective, the IBGE case demonstrates the transnational dimension of the judicial and regulatory dialogue on data protection, leading to cross-fertilization amongst different legal systems. In an increasingly globalized world, the response to global issues cannot be confined within national borders. This consideration has become self-evident as regards the Covid-19 pandemic, but it applies also to the protection of personal data, increasingly collected, processed and exploited by essentially transnational actors with local as well as global consequences. The fact that both Weber and Mendes cited the German Census decision and international literature demonstrates the acknowledgment of such a situation at the highest level of the Brazilian judiciary.

The recognition of the fundamental importance of a sound data protection framework, rather than its continuous undermining and postponement, should be the driving force of the current Brazilian approach to personal data in general and to their use in the context of Covid-19 in particular.

This essay was originally published on Blog Droit Européen as a part of the e-conference on “Data Protection Issues and Covid-19: Comparative Perspectives”, on 03 July 2020.