Open Letter from Brazilian Civil Society on the occasion of the 15th edition of the United Nations Internet Governance Forum

Brasília, November 17th, 2020

In the context of the 2020 Internet Governance Forum the organizations part of Coalizão Direitos na Rede (Network Rights Coalition) would like to publicly address the International Internet Governance Community concerning the development of issues related to the creation of the Brazilian Data Protection Authority and recent developments regarding massive data collection of personal data from Brazilians and anyone residing in the country. 

Brazil has been known as a good case in terms of setting forth a global standarde of conducting multi stakeholder participation in legislative processes. Legislations such as the Civil Rights Framework for the Internet and also the Brazilian Data Protection Law represent processes in which the input from all interested stakeholders was taken into account in an equitable manner. Regulatory processes such as the above mentioned have also been successful in taking into account Human Rights principles, as reflected in the Universal Declaration of Human Rights. 

Unfortunately, initiatives such as the expedited deployment of facial recognition technologies and massive and disproportionate collection of personal data through the implementation of a centralized database have been a reality in the country during a scenario in which the Brazilian Data Protection Authority was still being discussed and implemented. 

By the end of 2019, a massive database containing biometric information and other categories of personal data of around 200 million brazilians was created by President Jair Bolsonaro. The main objectives of the database were simplifying data sharing between government departments and improving the provision of public services. This database, called Cadastro Base do Cidadão, will be operated by the Secretary of Digital Government at the Ministry of Economy and – depending on the data category – some information might not be subject to any access restrictions to Ministries and other Public Authorities. 

Initiatives such as the Cadastro Base do Cidadão can be concerning in a scenario of rampant militarization of the government that legitimizes National Security and intelligence activities and discussions as a top public policy. This narrative is reinforced by incidents such as the recent requests from the Brazilian Intelligence Agency for the records of the 76 million Brazilian citizens who hold driver’s licenses under a broad data acquisition scope provided by the Database. 

Additionally, the inconsistencies between the Cadastro Base do Cidadão and the Brazilian Data Protection Legislation – which entered into force in August 2020, after several attempts of postponing the application of the law due to emergencies such as the Covid pandemics – is something that could reinforce possible asymmetries between citizens/data subjects and the state. 

Such asymmetries are reinforced by the president’s alleged intent to use data as an instrument of power. Recently, Intercept Brazil reported a governmental artificial intelligence/surveillance system called Córtex that uses the reading of license plates by thousands of road cameras spread over highways, bridges, tunnels, streets and avenues across the country to track moving targets in real time. This system can also access several databases with sensitive information from citizens and companies and, with just a few clicks, officers can have access to registration and labor data that all companies have on their employees, including ID, CPF, address, dependents information, salary and position.

More recently, Brazilian Government issued a Presidential Decree responsible for the installment and operationalization of the country’s Data Protection Authority. Over a year ever after the enactment of the law responsible for including the provisions regarding the creation of the Authority, the Board of Directors was nominated by the President and confirmed by the Federal Senate. With regards to the composition of the ANPD’s Board of Directors, it is worth mentioning that the appointed members might be unprecedented as three of the five directors are part of the Military and hold experience in Cyber and National Security.

While the arrangement and distribution of the ANPDs Board of Directors mandates between stakeholders might not be optimal, this composition only emphasizes the need for the Authority to work with civil society and other interested sectors in shaping the yet to be developed National Policy on Protection of Personal Data and Privacy. On the note of the National Policy and participatory instances for stakeholders, the LGPD also provides that a Brazilian Council on Privacy and Data Protection (CNPDP), with granted seats to all stakeholders, should be implemented as an instance responsible for advising the ANPD with strategic guidelines and input. 

Despite the procedures for the nomination and appointment of stakeholders representatives is still to be issued by the ANPD, it is of utmost importance that the Brazilian Government encourages Multi Stakeholder participation and refrains from interfering or even vetoing any CNPD appointed representatives for reasons different than criteria stated in the Brazilian Law. Here, more than ever, stakeholder diversity and multi-participatory instances should be granted in order for the Brazilian Data Protection to be implemented in a fair and transparent way.

Governments should ensure that the emerging digital technologies  have a positive impact on citizens’ lives instead of reinforcing or worsening the already existing power asymmetries and weakening rights. In this context, discussions surrounding the immediate moratorium on sale, transfer and use of surveillance technologies, performed in the context of UNHCR and as part of the activities of the UN Special procedures special rapporteurs, are indisputably necessary. 

The use of technology for repressive and authoritarian purposes is a phenomenon that poses serious threats to the full enjoyment of both online and offline human rights such as access to justice, right to privacy, freedom of association and liberty of movement. The implementation of technologies dedicated to identifying individuals or predicting human behaviour should be preceded by human rights impact assessments able to attest the risks and promote trust to society. 

Call to Action

The work Civil Society and other stakeholders have performed in upholding citizens’ right to privacy and data protection across the world  in the past years cannot be lost. 

We therefore invite Brazilian authorities to: 

  • Promote respect for human rights, democracy, and the rule of law in the design, development and procurement of governmental initiatives dedicated to the implementation of centralized databases; 
  • Fully implement the Brazilian Data Protection Authority, as well as reinforce its commitment to transforming the Data Protection Authority into a fully independent authority within the two-year period, as provided by law; 
  • For the Brazilian DPA to uphold its commitment with Multi-stakeholder participation at the Brazilian Council on Privacy and Data Protection (CNDP) with sufficient stakeholder diversity. 
  • Oversee the implementation, sale, transfer and use of surveillance technologies in the context of public policies, as well as employing proper impact assessments mechanisms upholding the importance of Human Rights and limitations to its full fruition caused by surveillance tech.