Prosecutors have sent a long list of questions to Serpro in order to understand what exactly was going on. However, the institution never bothered answering them. Instead, the data processing firm released a statement denying any wrongdoing – but not disclosing who its clients are.

If the accusations are proven to be true, it will be the first time in history that a national government has been caught leaking its citizens’ personal data for cash.

Public data available for free

This is by no means, however, the first leak involving Serpro. Back in March, the Federal Prosecution Office asked for the website Consulta Pública to be brought down by the administrator of .BR domains – those operating in Brazil.

The website allowed anyone to access private data – such as social security numbers, addresses, and phone numbers of millions of Brazilians. Both cases might even be linked, according to investigators.

Personal data protection laws in Brazil

Brazil’s Congress has been discussing data protection legislation since 2013. The idea is to create a specific authority that will regulate the extraction and use of Brazilian citizens’ personal data on the internet.

Three bills related to the subject are being discussed, as wrote Frederico Meinberg Ceroy to The Brazilian Report. They are:

Bill No. 4.060/2012, sponsored by congressman Milton Monti, which defines treatment as any operation – with or without automated processes – for storing, ordering, conserving, updating, comparing, evaluating, organizing, selecting and extracting personal data.

On the other hand, Bill No. 5.276/2016 considers treatment of data as any operation with personal data. In the Senate, Bill No. 330/2013, sponsored by senator Antônio Carlos Valadares, used to define treatment of data as any operation related to personal data. The project has been changed by the Senate’s Science and Technology Committee, which updated the concept by defining the treatment of data as any operation with data.

Currently, data protection is regulated by a plethora of laws and norms dealing with the treatment of data, such as the Consumer Defense Code, the law creating a Good Payers’ Database, the Access to Information Act, the Internet Legal Framework, and a decree regulating it.

The Consumer Defense Code grants citizens access to the information gathered about them and their sources.

The Good Payers’ Database laws were passed to facilitate credit in Brazil. The idea was that once banks knew exactly who pays their bills on time, general interest rates could be lowered. The Access to Information Act characterizes the treatment of data as a set of actions related to producing, receiving, sorting, using, reproducing, transporting, transmitting, storing, evaluating, and controlling information.

While citizens are entitled to data from public offices and officials, individual privacy and rights must be preserved. Meanwhile, the Internet Legal Framework talks about the treatment of data several times but it does not define what it is. A 2016 presidential decree regulated the Civil Rights Framework for the Internet, defining personal data as any data related to identified (or identifiable) persons – including ID numbers or electronic IDs, when they are related to a person.