Diego de Lima Gualda and Laura Aliende Da Matta
The covid-19 pandemic has not hindered the advancement of the privacy and data protection transformation agenda in Brazil. In fact, the use of technology as a tool to monitor and combat transmission of the virus has accelerated discussions about its technical benefits on the one hand and the risks of mass surveillance on the other.
In this context, very relevant institutional changes are being produced in the first half of 2020. Most of them are not yet fully hashed out, but it is already possible to point to a point of no return, in particular with the decision by the Federal Supreme Court (STF) to recognize the constitutionality of the guarantee to the protection of personal data and the right of self-determination.
In this article, we analyze the impacts of the decision and other recent transformations in the public and private sectors, the uncertainties, and the debates that are already beginning to emerge, but first we present a brief history of the subject. Readers already familiar with the facts may proceed directly to the analysis.
In March and April of 2020, the debate on the postponement of the General Personal Data Protection Law (LGPD) gained relevance because of the pandemic: with the perceived absence of the National Data Protection Authority (ANPD) and a context of unprecedented economic crisis, the postponement of the entry into force of the LGPD would be necessary to give the public and private sectors more time for the adjustment process. There was no lack of criticism from control agencies, such as the Federal Prosecutor's Office, and part of scholars, with their dose of reason, denounced the opportunism and leniency of governments and companies with the process of adaptation to the law.
It is in this context that Bill (PL) No. 1,179/20, authored by Senator Antonio Anastasia, initially proposed a 12-month postponement for the law to come into force, that is, to August of 2021. The bill was passed in the Senate, but with a different solution: almost all of the law would take effect on January 1, 2021, while only the administrative sanctions would be extended to August of 2021.
While PL 1,179/20 was still being processed in the House of Representatives and, apparently without further coordination with the Legislature, the federal government issued an executive order altering the entry into force of the LGPD to May 3, 2021. This change came about in the text of Executive Order (MP) 959/20, the scope of which concerned the placement into operation of the payment of the Emergency Benefit for Preservation of Employment and Income and the monthly emergency benefit.
PL 1,179/20 was finally approved by the Brazilian Congress, without postponement of the time limit for the LGPD, which would now be discussed under MP 959/20, taking into account two issues: the postponement of the LGPD administrative sanctions to August of 2021 and a message of dissatisfaction, especially from the Federal Senate, with the handling of the process by the Executive, which was marked by both inaction surrounding the formation of the ANPD and the postponement of the law to a time period different from that which was being discussed in Congress, without any coordination. There were even claims that the Brazilian Congress would have approved the early entry into force of the LGPD, a suggestion that MP 959/20 could lapse or even be rejected with respect to the law's provision for postponement.
Meanwhile, another executive order generated discussion. MP 954/20 mandated the obligatory sharing of registration data by telecommunications companies with the Brazilian Foundation Institute for Geography and Statistics (IBGE) to support official statistical production during the public emergency caused by the pandemic. The problem with MP 954/20 was less the merits and more the form. The sharing of data on consumers of telecommunications services was general and unrestricted, the purpose pointed out relatively indeterminate, and the mechanisms for security and accountability were practically nonexistant. It also drew attention to IBGE's own haste in implementing the executive order, which did not go unchallenged before the STF.
On April 24, Justice Rosa Weber suspended the effects of the executive order in an in limine injunction, alleging that the sharing violated the fundamental rights of intimacy, privacy, and honor recognized in the Federal Constitution. The vote in the en banc session of the Supreme Court took place on May 6, when the Justice again presented her vote to suspend MP 954/20, with almost all the Justices concurring. The only dissenting opinion was that of Justice Marco Aurélio, who defended the public interest in the sharing.
The opinion presented by Justice Rosa Weber was historic due to its recognizing, for the first time, some concepts introduced by the LGPD as a direct result of the fundamental rights provided for in the Constitution. Citing the LGPD, Justice Weger stressed the importance of observing the principles of information self-determination, adequacy, necessity, and transparency in relation to data processing activities. She also referred to the need to respect due process of law in its substantive dimension in public policy-making involving the processing of personal data.
On May 28, there was another relevant debate on the issue of privacy, this time also involving freedom of expression and the right of communication. It was the beginning of Direct Unconstitutionality Action (ADI) No. 5,527 and the Motion to Resolve Breach of a Fundamental Precept (ADPF) No. 403. Both have as subject matter the possibility of blocking services of message applications ordered by judicial decision in cases where companies refuse to share content related to their users, focusing on the constitutional interpretation of the provisions of the Brazilian Civil Rights Framework for the Internet. In the background, there is a relevant discussion regarding the legality of end-to-end encryption mechanisms, which would make it impossible to intercept or provide the content of communications to investigating authorities in such contexts, a rationale supported by applications when not complying with the measure.
ADI 5,527 involved a discussion of the constitutionality of articles 10, paragraph 2, and 12, subsections III and IV, of the Brazilian Civil Rights Framework for the Internet, which have grounded decisions mandating the suspension or blocking of message applications, specifically the blocking of WhatsApp. In turn, ADPF 403 was filed in response to a decision blocking the application WhatsApp due to the company's refusal to provide content that would serve as evidence in a criminal investigation.
In her opinion, Justice Rosa Weber pointed out that end-to-end encryption technology makes direct access to the content of messages unfeasible for the companies themselves, which makes it impossible for them to meet certain legal demands, but that this does not represent any illegality. The Justice was also emphatic in pointing out that the state cannot compel private agents to offer a less secure and vulnerable service, on the pretext that this vulnerability could perchance be used to fulfill a court order. To interpret it otherwise would be to make encryption illegal. In this context, the Justice argued that the provisions of the Brazilian Civil Rights Framework for the Internet were not unconstitutional, but rather the distorted interpretation followed by some authorities in order to use the sanction, the objective of which is protection of the privacy of these users, for the opposite purpose: to force applications to reduce the protection of privacy and communications of users of their services in order to comply with court orders in criminal investigation proceedings.
The next day, Justice Edson Fachin defended the unconstitutionality of orders to block the application WhatsApp blocking entered by trial level judges. First of all, he provided an important articulation of the right to freedom of expression and privacy in the context of the case, emphasizing the primacy of freedom of expression as a structural vector of pluralism and democracy. He carried out a long balancing exercise to assess the relevance of reducing the rights of freedom of expression, privacy and secrecy of communications, considering the requirement by the decisions contested to provide some mechanism to bypass encryption, in view of the potential benefits for public security that such relaxation would represent.
The Justice concluded not only that it was uncertain that there would be any advantage in making encryption more flexible, but also pointed out the contradiction between promoting measures to relax Internet security (making encryption vulnerable) in the name of public security. Finally, Justice Fachin recognized encryption and anonymity as useful tools for the expression of the rights of freedom of expression, communication, and privacy on the Internet, pointed to a restrictive interpretation of the prohibition of anonymity, and emphasized the inapplicability of the sanctions in the Brazilian Civil Rights Framework for the Internet for cases of nonperformance of wiretapping by applications based on end-to-end encryption. The judgment was interrupted by the request for review of the record made by Justice Alexandre de Moraes.
Another initiative worth emphasizing is PL 2,630/20, focusing on combating the spread of false news on the Internet, so called fake news. Discussions about the bill involve quite distinct issues, such as government investment in advertising on fake news sites; the CPI in the Brazilian Congress to investigate the issue, including with the involvement of members of the federal government and the President's family; an inquiry at the STF to investigate crimes committed against members of the Court; and the broader debate on how to develop public policy to combat the spread of false news on the Internet.
PL 2.630/20 was even put to vote, but it was eventually postponed. The text, which can be voted on at any time, lists rules and guidelines to ensure transparency on social networks and messaging services, with the intention of curbing their abusive and potentially harmful use for individuals or the community.
Despite the merits, the bill was received with protests by academic entities and civil organizations. According to them, without the proper process of review by experts in the field and without a response by interested members of civil society, there is a danger of restriction of the rights of freedom on the Internet. In its current form, the bill has profound impacts on the system of freedom of expression proposed by the Brazilian Civil Rights Framework for the Internet.
In the midst of the various debates on freedom of expression on the Internet and the privacy rights of users of platforms and applications, PL 2,630/20 involves "conceptual and technical complexities," as pointed out by the Brazilian Internet Steering Committee (CGI.br), which also recommended broadening and deepening public debates on the topic before approving any final version of the text.
As seen, the agenda surrounding privacy and discussions related to data protection continues to be intense and there is no sign of cooling for the rest of the year. In our analysis of the issue, the first dimension considered is the constitutionalization of personal data protection and the right to information self-determination by virtue of the STF’s decision in the context of the actions for a declaration of unconstitutionality against MP 954/20.
This constitutionalization is an important recognition of the transformation of technological, economic, and social conditions, and overcomes old case law that founded the constitutional protection of data only on the communicative context. It is an important victory for the guarantees of personal data protection.
For the public sector, and for companies operating in the regulated market, this change will produce relevant consequences. If before the LGPD imposed revision of personal data processing practices, especially shared use of data under the law, the constitutionalization of data protection, with reinforcement of the principle of due process in its substantive dimension, will require regulatory review based on proportionality and relevance of the processing and sharing of personal data, even if for the implementation of public policies. The federal government that so feared and did so much to relaxe the requirements of the LGPD in the processing of personal data for public policies and by the public power suffered its greatest defeat, precisely because it failed to provide adequate guarantees for the protection of personal data in the promulgation of MP 954/20.
This constitutionalization will entail an even more lessened interpretation of the legal basis enshrined in article 7, subsection III, of the LGPD, as well as of Chapter IV of the law. The scrutiny of personal data protection processing by public authorities should be taken seriously. On the other hand, legislative or regulatory initiatives in all spheres of government now have a clear need to anchor themselves in concrete personal data protection assurance measures, and not just based on generic declarations of principles. In this context, the private sector operating in the regulated market must redouble its attention, caution, and the need to review current practices in the processing of personal data involving the public authorities, otherwise it will be held liable. Relying on laws and, especially, regulatory acts to support the processing of personal data, without further consideration, is not a recommended strategy.
For the private sector, more essentially, the STF decision relaxes in some sense the debate on the entry into force of the LGPD. This is because the recognition of the constitutional nature of a personal data protection system and the mention even of principles such as necessity and adequacy, which in some way were brought, according to Justice Rosa Weber, from infra-constitutional legislation into the constitutional standard of personal data protection, will have direct implications on the activities of companies as they are today. It must be said that, even if the LGPD were repealed, there is no longer any return to the prior normative reality, in which the protection of personal data was often not a relevant risk factor. The decision is not restricted to the context of the public authority. Companies should necessarily revise their personal data processing processes from the point of view of the transparency of the information given to data subjects, the necessity and adequacy of the processing, the proportionality of the processing of personal data, and the security measures strictly used for the protection of personal data. In view of the opinion issued by Justice Rosa Weber, these provisions enter into the constitutional terrain as principles deriving from equity itself, from the system of rights itself, and not as policy decisions. Thus, the strength of such principles will be felt in the application of infra-constitutional provisions already in force, including, for example, the Consumer Protection Code and the Brazilian Civil Rights Framework for the Internet, which may gain a renewed regulatory burden in the protection of personal data.
Somehow, subsequent votes in the case of blocking applications and encryption (ADI 5527 and ADPF 403) are already samples of this understanding. It is the recognition of a strong vision of privacy and data protection that tends to influence the interpretation of legal provisions in the Brazilian legal system. And if the initial theory of the opinions issued prevails, one can expect a strengthening of the primacy of freedom of expression and privacy in the weighing of conflicting principles.
This process has an important cost, however, in the absence of the ANPD and LGPD in force: legal security. Given the Brazilian context, we can anticipate a high degree of litigation and variation in the interpretation of the practical implications of the standards in the context of the rules that are already in force, which also makes concern with the administrative sanctions under the LGPD a secondary issue. Laws in force already provides very efficient instruments from the sanctions point of view, such as the aforementioned Consumer Protection Code and Brazilian Civil Rights Framework for the Internet. In addition, the possibility of filing public civil actions, in the current context, seems more impactful than the fines to be imposed by the ANPD.
These comments therefore refer us to the debate on the entry into force of the law. Today, it is not possible to determine when the LGPD will enter into force and with what. August 2020, May 2021, sanctions in August 2021, or any other combination seems possible at the moment. The current political climate, however, points to what we classify as the worst-case scenario: entering into force in August of 2020, without the ANPD and with the private sector weakened by the context of the pandemic. As mentioned above, the sum of all the ingredients seems to favor a high degree of indetermination, uncertainty, and legal insecurity.
There are positions, especially taken by academia, control agencies, and rights activists, to the effect that the best thing is for the LGPD to enter into force as soon as possible. It can be argued that, given the constitutionalization of the subject, having the specific rules will in fact bring about an increase in legal security. In addition, the entry into force of the law may be a push for the ANPD to finally be created, getting off of paper. On the other hand, those processing agents who have been lenient during the period of adaptation must in some way suffer the consequences of inaction. The whole process will result in greater protection of the rights of data subjects and more sophisticated legal instruments to deal with issues related to the processing of personal data, especially for companies that have prepared themselves.
For this optimistic view, a counterpoint can be established. The entry into force of the law, without the ANPD, in a context of economic crisis and institutional conflagration, added to the unsuitability of the processing agents and a known litigious environment will generate a profusion of disputes, inconsistencies, interpretative differences, and losses which, after all, will neither do good for the processing agents nor represent a substantive recognition of the rights of the holders. The absence of clearer direction for adaptation processes and the potential dispute between various control agencies over the ANPD vacuum may produce a context of dysfunction in the economic dimension of data protection, threatening the information flow itself, which is a condition of the protection regime.
In that case, two facts are worth pointing out. The first is the routing of PL 2,630/20. The same Brazilian Congress that suggested accelerated the entry into force of the LGPD in the context of the dispute with the Federal Executive is now discussing a bill that, among other measures, suggests the need for checking of government documents for authentication of profiles on social networks. It is curious to contrast some implications of PL 2,630/20 and issues pronounced in the opinion by Justice Edson Fachin related to the blocking of applications. Some aspects of the bill seem inevitably unconstitutional in view of the recognition of the primacy of freedom of expression and even anonymity as a tool for the exercise of rights in the context of the Internet. Even for this reason, the scenario of legal insecurity, at least in the short term, seems more likely than a cycle of positive reinforcement that tends to pacify conflicts in the sphere of privacy and data protection debates.
The second fact concerns the opinion of Justice Edson Fachin himself in the context of the discussion on blocking applications. Although it seems to be a minor issue, the Justice propvides an interpretation that is at least controversial on the fact that the application of the penalties provided for in article 12 of the Brazilian Civil Rights Framework for the Internet would be an attribution of the ANPD. The consequences are not well explored in the opinion, but the impression is that there would have been some kind of tacit change brought by the LGPD to the provision of the Brazilian Civil Rights Framework for the Internet, which, it must be said, has been in the legal system long before the ANPD even existed on paper. The problem is that the sanctions in article 12 of the Brazilian Civil rights Framework for the Internet do not only concern non-compliance with provisions related to the protection of personal data in the strict sense; they also include components such as freedom of expression and the right to communication itself, as recognized by the Justice. Would it make sense for the ANPD to win these assignments based on a STF decision?
This point opens the flank for another rather complex discussion. The Legislature reached the decision to expressly modify the Civil Brazilian Civil Rights Framework for the Internet in only two provisions, subsection X of article 7 and subsection II of article 16, leaving behind a series of unresolved tensions, which include the definition of personal data and processing of personal data, through the applicability of consent and arriving at the very debate of articles 10, 11 and 12 of the Brazilian Civil Rights Framework for the Internet. On this particular point, especially due to his not having included this issue in his opinion, Justice Edson Fachin seems to have contributed little to clarifying the issue, besides adding a scope to the ANPD that, save better judgment, would be beyond his initial proposal.
The above points seem to indicate that the optimistic scenario may not be the most likely. Companies are advised to follow the implications very closely, while already coordinating mitigation plans. It will be difficult to avoid a scenario of legal insecurity from now on, but rather conducting minimal coordination with a risk assessment strategy and prioritization of structuring actions is necessary to protect oneself from unpleasant surprises.
It is essential to observe and recognize this point of no return on the subject of data protection mentioned at the beginning of this article. The guarantees for the protection of personal data are constitutional matters. If anyone still had doubts that the issue of data protection would catch on, the time to resolve them has passed. This is a central topic on the institutional agenda, with clear and concrete repercussions on the design of public policy, public administration, public security forces, and the private sector. And the scenario that lies ahead does not seem to be one of decanting the process, but of increasing complexities and contingencies.
 Opinion by Justice Rosa Weber in the injunction in Direct Unconstitutionality Actions No. 6,387, 6,388, 6,389, 6,393, and 6,390 suspending the effectiveness of Executive Order No. 954/20. The opinion was approved by the STF en banc.