‘Don’t Snoop on Me’
How 9/11 ultimately sparked a movement for privacy and data protection in Brazil
9/11 shocked the world, Brazil included. The repercussions of the terrorist attacks were felt long after that day. The Latin American country was still healing from its recent authoritarian experience, after decades under a military regime, and was torn between the path of public security and mass surveillance, on the one side, and one of reaffirming human rights, especially privacy, on the other.
We show how the aftermath of terrorist attacks a continent away was responsible for, albeit indirectly, precipitating a movement in favor of privacy and data protection that led to the approval of Brazil’s Internet Bill of Rights and the General Data Protection Legislation. Moreover, we underscore an interesting duality that emerged in the country: on the one hand, the creation of a robust regime in terms of data protection and, on the other, a wholehearted acceptance of facial recognition technology.
From a Criminal to a Civil Framework for Internet Governance
In 2007, following a growing movement for Internet regulation in Brazil, Senator Eduardo Azeredo introduced his plan for amending a bill presented by Representative Luiz Piauhylino in 1999. The new text, known as “Azeredo Bill”, was forged to regulate cyberspace from a criminal perspective, creating a series of felonies with sanctions of up to four years of imprisonment for citizens who, for example, intentionally circumscribe the internal protection of cell phones (a practice known as “jailbreaking”).
As noted by Ronaldo Lemos, “with such a broad scope, the bill would have turned millions of Internet users in Brazil into criminals” and hampered innovation in the field of emerging digital technologies by “rendering illegal numerous practices necessary for research and development“. Fearing for the future of Internet regulation, Lemos published an op-ed in the Folha de S.Paulo newspaper suggesting that the “Azeredo Bill” should be replaced by a “Civil Framework for the Internet”, thus pioneering the concept of what would later become the Marco Civil da Internet.
The Marco Civil was Brazil’s first attempt at crowdsourcing the drafting process of a bill of law. Its text was the product of a remarkable multistakeholder effort that came to fruition thanks to an online platform created to host a public consultation on the matter. As Souza et al recollect, “participants could agree or disagree with the proposed wording and suggest amendments” and, moreover, they could “see each other’s comments so that a real conversation could be established among them”.((SOUZA, Carlos Affonso et al. Notes on the Creation and Impacts of Brazil’s Internet Bill of Rights. The Theory and Practice of Legislation, 2017, p. 09.))
The Snowden Revelations and President Rousseff’s Response
However, the Marco Civil did not pick up steam in Congress until 2013, when it was handpicked by President Dilma Rousseff as part of her government’s response to the Snowden revelations. It is well-known that the United States doubled down on mass surveillance following the 9/11 terrorist attacks. Under Section 215 of the Patriot Act – which was backed by then President George W. Bush and passed by Congress with virtually no debate -, intelligence and law enforcement agencies were authorized to request personal communication data from US service providers to identify, monitor, and dismantle terrorist cells and organizations.
The fears of many activists in the US and abroad were confirmed when Edward Snowden leaked classified documents from the National Security Agency (NSA) to former Guardian journalist Glenn Greenwald: Section 215 was being widely used by US intelligence forces way beyond its original intent. But what came as a surprise was the extraordinary scope of its surveillance campaign: it allegedly reached thousands of people outside US borders, including world leaders like German Chancellor Angela Merkel and the Brazilian President Dilma Rousseff. The NSA was able to extend its reach globally with the help of American companies that offered their services to telecommunications providers in other countries, including Brazil.
Denouncing what she perceived as a violation of the country’s sovereignty, President Rousseff cancelled an official visit to Washington D.C. that year, raised the issue of digital surveillance during her opening speech to the UN General Assembly in New York, and even convened an international conference on the matter, called ‘NetMundial’. Moreover, domestically, the Marco Civil would serve as a centrepiece of Brazil’s reaction to the surveillance it had been subjected to, and President Rousseff’s government pushed Congress to approve it. But in order to make a substantial move in that direction, the government suggested a significant change to the text: adding specific provisions on the collection and processing of personal data.((SOUZA, Carlos Affonso et al. Notes on the Creation and Impacts of Brazil’s Internet Bill of Rights. The Theory and Practice of Legislation, 2017, p. 12.))
At the time, Brazil did not have a general data protection law, so the provisions that were added to Marco Civil were the first of their kind. Moreover, article 7 of the legislation upholds a number of Internet users’ rights, including the right to privacy and private life, the right to confidentiality of communications, and the right to non-disclosure of personal data to third-parties without consent. All in all, in the words of Dan Arnaudo and Roxana Radu, the Snowden revelations “became a major catalyst in making the Internet Bill of Rights a priority and cornerstone of Brazilian domestic policy, which brought it to a vote and passage in 2014“.
Building a National Data Protection Law
Consequently, one can reasonably argue that the events that unfolded after 9/11 in the US, especially the indiscriminate use of Section 215 of the Patriot Act by NSA officials and the Snowden revelations, created the perfect storm that ultimately led Brazil towards the development and adoption of trailblazing legal provisions on data protection, which were deeply influential in Latin America at large, as well as in other parts of the world.((See, for example, the overall influence of Marco Civil during the debates leading up to the Italian Internet Rights Charter in 2014.)) But Marco Civil was only the first step in terms of building a truly comprehensive framework for data protection in the country, for it only incorporated high-level rights and principles such as the right to “clear […] information on the collection, use, storage, and processing of personal data”.
Certainly, Marco Civil never meant to become a general data protection law. Article 3, Section III of the legislation states that “personal data protection, as provided by law” is one of the principles that underlie Internet governance in Brazil. That means that a different and specific legislation was always intended to be drafted after Marco Civil to establish a general framework for data protection in the country. That legislation came to fruition in 2018, and is known as Lei Geral de Proteção de Dados (LGPD) or General Data Protection Legislation. LGPD benefitted from the discussions around the General Data Protection Regulation (GDPR) in the European Union, as the text of the bill attests; even the topology of the Brazilian legislation resembles its European counterpart.
According to the first article of the LGPD, the legislation “provides for the processing of personal data, including by digital means, by a natural person or legal entity of either public or private law, with the purpose of protecting the fundamental rights of freedom and privacy and the free development of the per“. Aside from enshrining a number of rights for data subjects and obligations for data controllers, the law also creates the Autoridade Nacional de Proteção de Dados (ANPD) or National Data Protection Authority, a public institution entrusted with the responsibility of monitoring the implementation of the legislation and proposing new guidelines on specific and highly complex issues, such as data protection obligations for small and medium enterprises.
But the LGPD falls short when it comes to public surveillance and related challenges that sparked the movement for data protection and privacy in Brazil back in 2013 after the NSA scandal. Article 4, Section III of the law excludes from LGPD’s scope the processing of personal data done exclusively for the purposes of public safety, national defence, state security, and activities of investigation and prosecution of criminal offences.
Brazil has come a long way since President Rousseff and other Brazilian nationals were allegedly implicated in NSA’s espionage efforts. Nonetheless, the shadow of mass surveillance still looms large across the country.
The Rise of Public Surveillance Tech in Brazil
In the last few years, there has been a considerable increase in the use of public surveillance technology throughout Brazil, especially facial recognition systems built into street security cameras. One of the most memorable examples happened during the 2019 Carnaval in the city of Salvador, Bahia. A man wanted for murder was identified by a facial recognition camera while walking through one of the many checkpoints built for monitoring the street festivities. He was dressed as a gypsy woman and carrying a water gun. After having his identity confirmed by public authorities, he was approached by a couple of police officers and taken into custody. Such examples are often used by authorities to justify the implementation of facial recognition technology in the country.
Nonetheless, it is well known that new technologies powered by facial recognition software carry many risks. The most prominent (and worrying) ones are arguably racial and gender bias. According to a 2018 analysis by MIT researchers, softwares developed by companies like Microsoft and IBM have an error rate of 35% when identifying black women, compared to an error rate of only 1% when identifying white men. It is important to note that the black population is already marginalised in the Brazilian society and, consequently, is disproportionately subjected to punitive measures by law enforcement agents. According to data from 2019, 66,7% of those incarcerated in Brazil are black. Moreover, in 2020 78,9% of the people killed by the police in the country were black.
This is one of the reasons why civil society organizations denounced the government of São Paulo for initiating in 2020 a public bidding process, which was later suspended, for installing an intricate facial recognition network in its subway system. In the same token, in 2021, civil society organizations urged the Governor to veto a new state law that would again authorize the installation of such cameras in the subway without any safeguards and guarantees.
In other places, however, similar bidding proceedings were successful. It is the case with Mata de São João, a small city in the state of Bahia, which implemented a facial recognition system in its public schools to monitor students when they arrive and leave school. When the children are identified by the cameras at the school’s gates, a text message is automatically sent to their parents and to the school staff. As noted by Rest of World, “while much of the world is debating the dangers of biometric surveillance and digital invasions of privacy, Brazilian officials of all political stripes are welcoming facial recognition technology with open arms“.
Overall, the case of São Paulo is a reminder that the gap left by LGPD needs to be filled with urgency. In 2020, a committee of lawyers was formed to draft a bill proposal to regulate data protection in the fields of public safety and criminal prosecution. The bill still needs to be formally presented before Congress, but some innovations are worth mentioning. First, according to article 42 of the proposal, the use of surveillance technology must be preceded by a specific legal authorization that shall be informed by a risk assessment. Second, article 43 bans the use of such technology to identify citizens on a rolling basis and in real time when there is no link to an existing criminal investigation.
All in all, over the last decade or so, Brazil turned from being surveilled by NSA agents to ‘snooping’ on its own citizens through the use of mass surveillance technology. Nevertheless, there is a common thread that extends across these different events: the 9/11 terrorist attacks, albeit only indirectly, sparked a movement in favour of data protection and privacy within the national legal order, making it more resilient to the challenges that the country is facing today.