The Renewed Importance of Data — and Data Protection — in Times of COVID-19
By Natalia Langenegger and Celina Bottino
One of the most pressing issues that Brazil is facing in the context of the global health crisis is the use of data by the government as a strategy to fight COVID-19 in a context where the country still lacks an operational data protection law. Although Brazil has already approved a data protection law, politicians are still debating when it will enter into enforcement. During the COVID-19 crisis, this prolonged debate may have a negative impact on data protection as a whole, as the issue slowly acquires a political contour. In this brief essay we illustrate how the recent measures adopted primarily by the federal government demonstrate inconsistencies and how, considering the crisis, having a robust data protection framework — including a proper data protection authority — becomes even more important.
The Use of Data for Measuring Social Distancing
In early April, Brazil’s Ministry of Science, Innovation, Technology and Communications announced that it would use geo-localization data (provided by the main telecommunication carriers) to measure social distancing with heat maps. One week later, this program was suspended by the Federal Government based on the claim that there should be a higher standard of scrutiny to guarantee data protection. This occurred after the governor of São Paulo, alongside other governors and mayors (e.g. States of Rio de Janeiro, Amazonas, Ceará, Mato Grosso do Sul, Santa Catarina), implemented a monitoring system based on allegedly anonymized and aggregated geo-localization data in order to measure social distancing. While some local governments such as Rio de Janeiro and São Paulo are working in cooperation with telecommunication carriers, others are partnering with a company that collects data from software development kits installed in several consumer apps.
As a reaction to this initiative, right-wing allies to President Bolsonaro have expressed their concern on social media, claiming that the monitoring system implemented in São Paulo was an invasion of privacy and in violation of individual data protection rights. In fact, one of the pandemic’s most heated debates has been the constant disagreement between the country’s president and João Doria, the governor of São Paulo, as they disagree on the potential effects of the pandemic and how to face its social and economic consequences. While the president shows resistance towards social distancing, the governor has extended the state’s quarantine period for the third consecutive time, ending in June. Moreover, the city of São Paulo has imposed stricter circulation measures as the city has prohibited 50% of its population from traveling in the city.
Despite using privacy concerns as an excuse to halt the implementation of the federal monitoring system, his acts do not demonstrate a genuine concern with protecting citizens’ privacy, which is reflected by the implementation of previous policy measures:
(a) In December 2019, the federal government enacted a Decree (N. 10.046/2019) determining the automatic sharing of personal data, among governmental bodies that will be kept within a centralized database and be coordinated by a committee composed solely by government representatives. This raised concerns about the unsupervised use of citizen data by the government and as a reaction, some congressmen, most from the left-wing, were pushing for the suspension of this presidential decree.
(b) More recently, during the public health crisis, President Bolsonaro issued two Provisional Measures: (i) MP №954/2020, that determines, with no specific purpose, that Telecom carriers transfer to the government personal data from all citizens — names, address and telephone number; and (ii) MP №959/2020, that postpones the entry into force of the national Data Protection Legislation (also known as LGPD).
The first provisional measure mandated that all telecommunication carriers in Brazil should share their clients’ data with the Brazilian Institute of Geography and Statistics — IBGE, the leading provider of data and statistics and responsible for the country’s census. This would suggest sharing data for over 100 million people when, in reality, only 200,000 are necessary for the census research.
By request of several political parties and from the Federal Bar Association, the provisional measure was temporarily suspended by the Supreme Court, on the basis of “preventing irreparable damage to the intimacy and privacy of more than 100 million users of fixed and mobile telecommunication services”, and subsequently declared unconstitutional by a majority of votes (10x1). During the ruling, federal government representatives argued that the data is necessary in order to conduct census research during the pandemic and, thus, enable the promotion of social, economic and fiscal policies by municipal and state governments.
The Supreme Court considered that the provisional order did not clearly specify the purposes for which the data would be processed, nor did it demonstrate the inexistence of other less intrusive measures to privacy that could be implemented to achieve the same objective of conducting census research during the pandemic. Moreover, it found that citizen privacy would be excessively exposed due to the lack of an external authority that regulates minimum security measures that must be adopted to ensure such data will not be subject to incidents (as have occurred with data held in several government databases) and supervises the use and deletion of the personal data delivered by the telecom carriers.
Additionally, the second provisional measure issued by the President mandated that the entry into force of the data protection legislation be postponed on the grounds that (i) a Data Protection Authority (DPA), which does not exist in practice as the president still needs to appoint its members, creating insecurity for companies; and (ii) companies will not be able to prioritize investment on adequacy programs during the pandemic.
Brazil’s Data Protection Legislation: When Will It Enter Into Force?
The data protection bill was approved in August 2018 and was supposed to enter into force by August 16, 2020 (its effective date had already been postponed for 6 months). However, because of the economic effects of the pandemic, some private sector representatives were seeking government and congress support to postpone once again the LGPD’s effectiveness.
In this scenario, Congress approved — in both houses — a Bill (№1.179/2020) determining that LGPD’s sanctions enter into force by August 2021, which was recently confirmed by the president. However, while Congress was discussing this Bill of Law, the president issued a provisional measure (№959/2020, mentioned above) to postpone the entry in force of the LGPD to May 2021.
As the postponement was carried out by means of a provisional measure — which produces immediate effects, but has to be approved by the Congress — there is still considerable uncertainty as to when the national data protection legislation will enter into effect: will Congress barr this initiative and restore the effective date to August 2020? Will another effective date be suggested? Or will it approve the President’s order making the effective date on May 2021?
In addition to this uncertain scenario, Brazil’s DPA still awaits the government to appoint its members. Before the outbreak of the COVID-19 crisis, it was expected that the DPA would be formed by March 2020, but its creation was once more halted. Having a DPA would be especially important right now, since part of its duty would be to provide guidance on how to apply the LGPD and to serve as a link between society and government in data protection issues.
Finally, on May 13, 2020, the Federal Government created a working group (made up exclusively of government officials) to coordinate strategic measures of information technology to tackle the impacts of the COVID-19. However, the members of the group were not yet nominated and there is little information on how this group will effectively work.
In sum, the lack of a proper Data Protection Legislation (LGPD) and an active Data Protection Authority (DPA) in Brazil are hampering the potential benefits of using data during the current health crisis. Instead, political groups are using the pandemic to accomplish the opposite, by postponing the enforcement of the Brazilian data protection legislation and intensifying the use and sharing of data by governments.
We will continue to follow closely how the data protection debate unfolds in the midst of the COVID-19 crisis. It would be interesting to connect with other research centers, to understand the role civil society and academia are playing in this scenario and how we can best advocate and show the importance of having a data protection framework in place, particularly in a context of crisis.
Celina Bottino is the Project Director at Institute of Technology and Society of Rio (ITS), affiliated to the Berkman Klein Center e Harvard LLM’10.
Nathalia Langenegger: Natalia Langenegger is a PhD Candidate at São Paulo University and Lawyer at Pereira Neto Macedo Advogados.