Brazil delays privacy law, uses Covid-19 for data grab

Commentary

Federal, state, and city governments are working with technology companies to monitor citizens during the pandemic, with no guarantee of what will happen to the data after the crisis passes. The irony is that Brazil already has a law that would protect the right to privacy – but the government is trying to delay its implementation.

In February, at the beginning of the Covid-19 pandemic, Brazil granted sweeping new powers to its Ministry of Health, including the ability to decide how long infected persons should be isolated or quarantined. This newly passed law (13.979) also established the possibility of compulsory medical exams, collection of clinical samples, and restrictions on entering and leaving the country. It made it mandatory for public agencies and private entities to share “data essential to the identification of persons infected or suspected of infection by the coronavirus,” while not providing details on how such personal information would be secured.

As the Covid-19 pandemic progresses, national efforts to combat the virus depend largely on the capacity of governments to measure its spread and so, on the surface, Brazil’s new law may appear to be part of an important endeavor to protect public health. Yet the importance of contact tracing for public health must be balanced with the right to privacy and data protection – and in Brazil, this is not being done. Instead, data protection has become more lax during the pandemic, at the precise moment when such regulations are most needed.

The coronavirus data grab

Federal, state, and city governments have already begun contracting technology companies for monitoring services. In the state of São Paulo, for example, the government partnered with four mobile phone operators to monitor geolocation and verify whether citizens were self-isolating. These mobile phone companies then offered a unique service that allows state, municipal and federal governments to see heat maps of the most crowded places.

This endeavor involves massive data collection, which is itself a risk. When more information is collected, more data analyses are possible, and it becomes easier to re-identify a person whose data was once anonymized. Additionally, official disclosures do not explain which data will be collected, how the databases will be developed, and what degree of anonymization will be employed, among other factors. Yet fifteen states and two cities have already shown interest in using this service, though it’s unclear how many have adopted the system.

Other forms of data collection take place through health applications and platforms, both public and private. Citizens access these platforms to answer questions about their health status and check whether they have any symptoms of Covid-19. They are required to provide identifying information – such as their social security number, full address, and sometimes access to their geolocation – without any guarantee that all this data will remain safe after the pandemic. Covid-19 is becoming an opportunity for the government and companies to violate the civil rights of Brazilians.

Brazil’s existing data protection law

None of these actions are in harmony with Brazil’s existing, but not yet enacted, data protection law. In August of 2018, the General Protection Law for Personal Data (LGPD) was approved to establish rights, requirements, and procedures for protecting personal and sensitive data. (Personal data are defined as those that allow the identification, directly or indirectly, of an individual – including name, residential address, date and place of birth, name of parents, and social security number, among others. Sensitive data includes information such as race, ethnicity, religion, sexuality, political opinion, and biometric data, all of which can be used in a discriminatory manner.) LGPD also creates a supervisory authority, the National Authority for Data Protection (ANPD), to oversee and implement LGPD compliance.

Under LGPD, citizens are able to know how public and private companies treat their data: how and why they collect it, how they store it, how long they keep it, and with whom they share it. They also have the right to revoke and correct their data, as well as port it to other platforms. In the context of the pandemic, LGPD would ensure that health data collected during the crisis would not be used by companies and governments afterward without the subject’s knowledge and authorization.

Law 13.979, which gave new powers to the Ministry of Health, is supposed to follow the principles of LGPD and ensure protection of sensitive personal data. LGPD also supersedes an October 2019 decree (10.046) from the government of President Jair Bolsonaro that established a Citizen’s Registry unifying more than 50 public databases, which comprise an enormous amount of sensitive data belonging to Brazilian citizens.

But two years after being passed, LGPD is still not in effect. The ANPD should have already been established, but that is not the case. None of the rights guaranteed by LGPD are being regulated and inspected.

Continuing delays

There is still pressure from both the business and government sectors to postpone implementing LGPD. Since digital capitalism is largely structured on big data, there is economic pressure to weaken any regulation that limits the processing of personal data. On the other hand, given the current lack of respect for social rights and democracy in Brazil, public authorities, too, do not want limits on their ability to collect personal data to surveil citizens. As a result, in the beginning of April, the effective date of LGPD was pushed back from August 2020 to January 2021. The federal government and parliament have also tried to delay enforcing LGPD sanctions until August 2021.

In Brazil, technological solutions for the pandemic have been adopted uncritically.

The collection and processing of personal data during Covid-19 must take place under a more robust regulatory system. The lack of adequate legislation in force and of any transparency regarding how these technologies function – added to the enormous interest in monetizing personal data – raise important questions about the possibility of using these same tools to track individuals for other purposes after the health crisis has subsided. This type of surveillance could substantially compromise democracy – for example, by monitoring citizens demonstrating against the government. Without the implementation of LGPD and the ANPD, there is no guarantee that the data collected during this pandemic in Brazil will be protected and the technologies curtailed. The constant delays create insecurities and threats to civil rights and put Brazil on a dangerous path.

A similar version of this article was first published in Portuguese on the website of the Heinrich Boell Foundation in Rio de Janeiro on April 30, 2020.