The approval of the Brazilian General Data Protection Legislation (LGPD) in 2019 marked a new paradigm in the defence of fundamental rights in Brazil. However, Brazilian society still struggles to enforce LGPD’s rules. One huge challenge has been the difficulty in matching the promotion of public sector efficiency with personal data protection in recent policies of the government to reduce bureaucracy. The following paragraphs will cover some recent episodes where these values have clashed in a false dichotomy.
State efficiency and personal data protection
In an effort to reduce the country’s bureaucracy in the public sector, the federal administration has been trying to enhance data sharing and interoperability between public bodies. A presidential decree from 2019 (Decree 10,046/2019) was a landmark in this regard.
The Decree established rules for data sharing and interoperability among public bodies at the Federal Public Administration based on the creation of data sharing levels. Public agents would establish what databases should be accessed by specific organs, without defining specific purposes for sharing.
Instead, the main parameter for these agents to determine whether datasets should be shared is their "secrecy" level. Therefore, the sensitive nature of personal data is disregarded, as well as the purposes of the transfer, which are the two basic criteria that the LGPD establishes for determining the legality of a data processing activity.
Many experts have considered this framework to be incompatible with the LGPD, which provides that all data processing shall be carried out according to legitimate, specific and explicit purposes. The fact that the Decree permits both non-sensitive and sensitive data, including biometric information, to be shared without adequate protection has been seen as particularly troublesome. Adding to that, the Decree left unclear whether it applied or not to law enforcement and national security agencies.
The gravity of the situation, however, escalated when an agreement between the Federal Data Processing Service (SERPRO) and the Brazilian Intelligence Agency (ABIN) for the sharing of more than 70 million individuals’ data held by the National Transit Department (DENATRAN) was publicised by the press.
ABIN argued that the agreement had been signed in accordance with the Decree’s rules, leading to public outcry, including from civil society, especially considering that the arrangement lacked transparency. Although it may be argued that some national security issues should be legitimately addressed under a veil of secrecy, the indiscriminate massive data sharing sounded an alarm that serious threats to the enforcement of data protection rights could possibly follow.
The Decree’s pitfalls ended up leading to the filing of two constitutional actions before the Supreme Court. The first (ADPF 695) objected to the application of the Decree for national security purposes and requested that the Court nullify the SERPRO-ABIN agreement. The Court stated, in a preliminary ruling, that it would assess the constitutionality of the Decree’s application for national security purposes. The second proceeding (ADI 6,649) disputes the overall constitutionality of Decree 10,046/2019, under the reasoning that the instrument as a whole is a threat to the constitutional right to data protection. In both cases, the Court is yet to deliver a final decision.
It is worth noting that this is not the first time the Brazilian Supreme Court has been called upon to decide issues related to data processing activities in the public sector. Soon after the outbreak of the COVID-19 pandemic, the Court declared unconstitutional Provisional Measure (MP) no. 954/2020, which compelled telecommunications companies to share personal data, such as names, phone numbers and addresses pertaining to all their clients in Brazil, with the Brazilian Institute of Geography and Statistics (IBGE) to carry out the national census. Under the Justices’ understanding, the initiative failed to provide sufficient safeguards for data protection. It was the first time that the Court recognised data protection as a fundamental right under the Constitution.
Multiplying like gremlins - public-private partnerships for data sharing
Beyond these cases under discussion at the Brazilian Supreme Court, other partnerships involving the shared use of data held by public bodies - now with private institutions - have been popping up in recent months.
One of these is a recently announced cooperation between the Ministry of Economy and a Brazilian banks' association, namely the ABBC. According to the Ministry, the initiative aims at allowing citizens to authenticate with their biometric data from a public database when using private services, as an improvement to public efficiency and digital security. The Ministry also states that the agreement is fully compliant with the LGPD.
Nevertheless, criticisms of this partnership are manifold. First of all, as far as it is known, the Ministry has not consulted the National Data Protection Authority (ANPD), even though the LGPD requires that public-private data sharing agreements be communicated beforehand to the Authority. Concerned with the practice, one Brazilian consumers' association, the IDEC, has filed an inquiry with the ANPD, requesting it to look into the case.
A second case to be highlighted is an initiative from the Ministry of Health, labelled as "Open Health". Its objective is to create an open banking-like platform where health data held by public institutions would be shared with health insurance companies in order to promote more efficiency concerning their services and customised health plans.
So far the project is under development, but since its announcement, it has given rise to divided opinions. Health insurance stakeholders are fond of the initiative and believe it will foster competition and bring more efficiency to the field. At the same time, scholars, medical associations and consumer associations have raised numerous concerns about spillover effects, such as the excessive profiling and discriminatory decisions that may take place based on a patient's condition, which are even more critical when dealing with sensitive data and situations regarding life or death.
The sensitive nature of health data is by itself a reason for the Federal Public Administration to think twice before sharing it with health insurance companies. Also, the opacity of what is known so far about this project doesn't help to alleviate current concerns.
Adding to the points above, in Brazil, information security management does not have the same maturity level in all public bodies, and recent events have shown that the Ministry of Health seems to be lagging behind in this field. In November 2020, a data breach exposed health data from 16 million Brazilians on GitHub, after an error made by a hired technician. One year later, in December 2021, the Ministry fell victim to a hacker attack which resulted in a shutdown of ConnectSUS, the platform where COVID-19 vaccination data was stored. Without this service, citizens had problems proving they had been vaccinated in many contexts where proof of vaccination was required.
A third case worth mentioning involves the Brazilian tax revenue agency, Receita Federal do Brasil (RFB), which in April 2022 published a norm authorising SERPRO to share tax-related data with private companies for "complementing public policies". Such a generic purpose has raised concerns not only from civil society organisations but also from the ANPD, which announced that a procedure has been started to investigate the issue. One week later, the RFB publicly declared that its norms in no way disrespect the Brazilian data protection law.
The way forward: Towards a common road to public efficiency and data protection
If Brazil wishes to promote itself as a country that fosters a thorough culture of data protection, it is paramount that data sharing initiatives are reassessed as soon as possible. The false dichotomy between public efficiency and data protection is a fallacy that needs to be deconstructed. Paving a new way is never an easy task, especially when indiscriminate data sharing looks tempting due to its seeming simplicity. However, oversharing has severe implications for society, which should not be ignored for the sake of agility.
It is also important to acknowledge that the debate on data re-use between public (and private) organisations to promote more efficiency is not limited to the Brazilian reality. In Europe, the Data Governance Act (DGA) was approved on May 16th, 2022, and will become applicable in August 2023.
The Regulation, aimed at making public sector data available for re-use and facilitating data sharing among businesses, was received with some concern not only by civil society but also by European data protection authorities due to inconsistencies with the European General Data Protection Regulation (GDPR), in particular between the latter’s data minimization principle and the data-sharing goals embedded in the DGA.
In addition to the problematic questions regarding these initiatives between public entities, which can be misused by state surveillance when adequate safeguards are not in place, the dangers of partnerships with private partners are also substantial. Every data sharing agreement between the state and for-profit organisations should have a clearly defined, proportionate public interest purpose which, in the cases herein described, has not yet been made clear. Otherwise, the state informational apparatus can easily become a pool for companies to gather information to serve their own private interests, at the expense of citizens’ rights.