A new milestone for data protection in Brazil

Laura Schertel Mendes, Department of Law, Goethe-Universität Frankfurt am Main, Germany
Clara Iglesias Keller, Digital Disinformation Hub, Leibniz-Institute for Media Research/Hans-Bredow-Institut, Hamburg, Germany, c.keller@leibniz-hbi.de

PUBLISHED ON: 13 May 2020

As the Covid-19 pandemic expanded across the world, so did the debates on whether fighting this sanitary emergency would require the use of personal data, and on how that would impact pre-established data protection frameworks.

In Brazil, these concerns first came to light with the announcement of agreements between government and telco companies, which would allow use of personal data to enforce isolation policies. Even though a modern Data Protection Law was approved in 2018 (Law 13.709/2018), the Brazilian landscape is particularly threatened by its recent postponement to 2021 and the lack of a data protection authority. Overall, this results in an institutional environment mostly defined by blurred competences and legal uncertainty.

Despite the concerns of even further setbacks for data protection, last week the country reached an important milestone, as the Supreme Court ruled on the unconstitutionality of a legal provision that mandated personal data sharing for statistics purposes as an emergency measure.

The constitutional quarrel

Case law ADI 6387 questioned the validity of the Executive Order 954/2020 (MP 954), which obliged telecom operators to share with the Brazilian Institute for Geography and Statistics (IBGE) personal data of more than 140 million mobile service users (including names, cell phone numbers and addresses). IBGE is the public agency in Brazil responsible for the official collection of statistical information about the country, such as the national census. The data sharing was claimed to be essential in order to allow individual interviews for the development of relevant national statistics, and the reasoning behind it was that IBGE’s staff could not visit households in person during the pandemic.

The Executive Order MP 954 had been contested in court by different political parties and the Federal Bar Association on grounds of both procedure and substance. Regarding procedure, executive orders are legal acts valid for up to 120 days, to be enacted by the President (with subsequent parliamentary approval) when urgency and relevance requirements are met – neither of which the institutions that pleaded its unconstitutionality thought were satisfied.

As to substance, they claimed that it did not abide by fundamental legitimacy standards, such as purpose limitation (as it did not establish a clear correlation between the data needed and its alleged use) and transparency, since it did not provide the exact reasons the data were needed and the means through which they would be used. It was also claimed that the legal provision failed to address proportionality, as the amount of data required was neither clearly justified nor accompanied by security measures against the risk of breaches or misuse. In this sense, the measure did not comply with a minimum use principle, according to which the use of data should be restricted to the amount strictly necessary for its purposes.

The Supreme Court decision

By a vast majority of 10 out of 11 justices, the Brazilian Supreme Court held MP 954 unconstitutional and declared its invalidity. Data protection had already been applied in a few other higher courts’ decisions, but this trial is a milestone for the country’s framework because the Supreme Court has now validated the constitutional fundamental right status of data protection. Among other things, this means that future legislation and administrative acts are bound by principles such as purpose limitation, proportionality and transparency. Above all, the decision allows the judicial review of ordinary legislation with regard to this newly recognised fundamental right.

The meaning of this trial for Brazil can be compared to the 1983 German Constitutional Court ruling, which pioneered the concept of informational self-determination in the country and later influenced international debates on data protection. Both in the Brazilian and in the German case, the collection carried out by state agencies for the production of official statistics shed light on the importance of shielding these processes with guarantees that assure fairness and transparency.

Among other arguments, three central ideas underlying the Court’s reasoning came into the spotlight: the need for protection beyond intimate data; the recognition of data protection as a fundamental right; and the limitations of the country’s current institutional framework.

Constitutional protection beyond the processing of intimate data

One of the main arguments for the validity of MP 954 was that it only covered “non-intimate data” which would be freely available in telephone catalogs. However, the Court recognised that there is no such thing as neutral or insignificant personal data in the current technological context, which allows for several possibilities of data processing. The case rapporteur, Justice Rosa Weber, expressly stated that any data that leads to the identification of a person can be used for different purposes and therefore deserves constitutional protection. It is worth noting that names and cell phone numbers are the exact sort of data reported to have been used in the electoral disinformation campaigns that struck Brazil’s last presidential elections.

Fundamental right status

In this context, the Court ruled that data protection is grounded in different constitutional protections of the individual (such as privacy and due process related guarantees), and therefore holds a fundamental right status. In fact, different justices have expressly extracted this construction from both the German right to informational self-determination and article 8 of the European Charter of Fundamental Rights.

As such, data protection entails both a subjective right, which must be defended by the state by protecting individuals from external threats, and an objective dimension. According to the latter, it is not enough that the state reacts to data protection breaches. It must also actively promote concrete measures that protect individuals from the misuse of their data, whether by public or private actors.

Institutional limitations of data protection in Brazil

Justice Rosa Weber also highlighted that the risks entailed in MP 954 – namely, its vague terms, absence of security measures and disproportionate collection of data – are potentially increased by the current institutional limitations of data protection in Brazil. This fragile framework is related, in the first place, to the fact that the data protection law, which was to come into force next August, has been postponed to 2021. Although the country has constitutional and other legal provisions that support data protection claims, a sanitary emergency with the potential to impact the use of personal data should have strengthened the claim for an organised and coherent data protection regime. Instead, it served as grounds for its weakening, depriving the institutional landscape of clarity and legal certainty. Secondly, the lack of a data protection authority leaves the country without an expert and independent body that can also contribute to fair and efficient measures involving the use of data.

Even though this Supreme Court decision cannot reverse these setbacks, it sends a clear message to the government regarding future initiatives that might come before the Court.

The milestone and the challenges ahead

Besides settling this specific dispute, the Supreme Court endorsed years of debate and initiatives towards the enhancement of data protection regulation. At a time when data protection measures were already being underrated for the (alleged) sake of public health, this decision grounds present and future initiatives of data use in purpose limitation, proportionality and the active adoption of information security measures. Furthermore, the decision establishes relevant boundaries for the executive and legislative branches, which were not yet clear in the Brazilian landscape.

Even though this decision does not neutralise all the current risks for data protection, it does set an important precedent for lower courts. While adjudication will possibly continue to play an important role in containing initiatives such as MP 954, only the creation of a data protection authority, with its multistakeholder council, would bring more legal certainty for data processing in the country.

Nevertheless, the ruling already provides clear constitutional standards for legitimate data processing. Hopefully, it will also clear the path for the full implementation of the data protection framework designed in Law 13.709/18.
