Brazil needs more personal data protection.
personal data brazil breach

Brazil needs more personal data protection.

Federal prosecutors in Brasilia are investigating whether the Federal Data Processing Service (Serpro), a state-owned IT processing firm, has been selling the personal data of Brazilian citizens without their consent. The prosecutors argue that information such as social security numbers, tax return statements, electoral information, date of birth, and the name of citizens’ parents are being sold to other public institutions.

During a three-month investigation, prosecutors found that prices for data ranged from USD 72,000 to 260,000. State Prosecutor Frederico Meinberg Ceroy says that the commerce of personal data was a multi-million dollar business. The list of institutions that allegedly bought this data includes the Comptroller-General’s Office, which is supposed to ensure transparency in government, and the National Justice Council – the Supreme Court’s watchdog.

</span></p> <p><span style="font-weight: 400;">Prosecutors have sent a long list of questions to Serpro in order to understand what exactly was going on. However, the institution never bothered answering them. Instead, the data processing firm released a statement denying any wrongdoing &#8211; but not disclosing who its clients are. </span></p> <p><span style="font-weight: 400;">If the accusations are proven to be true, it will be the </span><a href="https://www1.folha.uol.com.br/colunas/ronaldolemos/2018/06/governo-e-acusado-de-vender-dados.shtml"><span style="font-weight: 400;">first time</span></a><span style="font-weight: 400;"> in history that a national government has been caught leaking its citizens&#8217; personal data for cash. </span></p> <h3>Public data available for free</h3> <p><span style="font-weight: 400;">This is by no means, however, the first leak involving Serpro. Back in March, the Federal Prosecution Office </span><a href="https://g1.globo.com/df/distrito-federal/noticia/site-de-consulta-a-cpf-e-telefones-e-derrubado-da-internet.ghtml"><span style="font-weight: 400;">asked</span></a><span style="font-weight: 400;"> for the website </span><i><span style="font-weight: 400;">Consulta Pública </span></i><span style="font-weight: 400;">to be brought down by the administrator of .BR domains &#8211; those operating in Brazil.</span></p> <p><span style="font-weight: 400;">The website allowed anyone to access private data &#8211; such as social security numbers, addresses, and phone numbers of millions of Brazilians. Both cases might even be linked, according to investigators.</span></p> <h3>Personal data protection laws in Brazil</h3> <p><span style="font-weight: 400;">Brazil&#8217;s Congress has been discussing </span><a href="https://www1.folha.uol.com.br/tec/2017/12/1945134-brasil-deve-ter-lei-de-protecao-de-dados-so-no-fim-de-2018-dizem-especialistas.shtml"><span style="font-weight: 400;">data protection legislation</span></a><span style="font-weight: 400;"> since 2013. The idea is to create a specific authority that will regulate the extraction and use of Brazilian citizens&#8217; personal data on the internet. </span></p> <p><span style="font-weight: 400;">Three bills</span><span style="font-weight: 400;"> related to the subject are being discussed, as </span><a href="https://brazilian.report/2018/03/21/personal-data-treatment-brazil/"><span style="font-weight: 400;">wrote</span></a><span style="font-weight: 400;"> Frederico Meinberg Ceroy to </span><b>The Brazilian Report</b><span style="font-weight: 400;">. They are: </span></p> <p><b><i>Bill No. 4.060/2012</i></b><span style="font-weight: 400;">, sponsored by congressman Milton Monti, which defines treatment as any operation – with or without automated processes – for storing, ordering, conserving, updating, comparing, evaluating, organizing, selecting and extracting personal data.</span></p> <p><span style="font-weight: 400;">On the other hand, </span><b><i>Bill No. 5.276/2016</i></b><span style="font-weight: 400;"> considers treatment of data as any operation with personal data. In the Senate, </span><b><i>Bill No. 330/2013</i></b><span style="font-weight: 400;">, sponsored by senator Antônio Carlos Valadares, used to define treatment of data as any operation related to personal data. The project has been changed by the Senate’s Science and Technology Committee, which updated the concept by defining the treatment of data as any operation with data.</span></p> <p><span style="font-weight: 400;">Currently, </span><a href="https://brazilian.report/2018/03/21/personal-data-treatment-brazil/"><span style="font-weight: 400;">data protection</span></a><span style="font-weight: 400;"> is regulated by </span><span style="font-weight: 400;">a plethora of </span><a href="https://brazilian.report/2018/03/21/personal-data-treatment-brazil/"><span style="font-weight: 400;">laws and norms</span></a><span style="font-weight: 400;"> dealing with the treatment of data, such as the Consumer Defense Code, the law creating a Good Payers’ Database, the Access to Information Act, the Internet Legal Framework, and a decree regulating it.</span></p> <p><span style="font-weight: 400;">The Consumer Defense Code grants citizens access to the information gathered about them and their sources. </span></p> <p><span style="font-weight: 400;">The </span><a href="https://brazilian.report/2018/05/14/brazil-congress-data-privacy/"><span style="font-weight: 400;">Good Payers’ Database</span></a><span style="font-weight: 400;"> laws were passed to facilitate credit in Brazil. The idea was that once banks knew exactly who pays their bills on time, general interest rates could be lowered. The Access to Information Act characterizes the treatment of data as a set of actions related to producing, receiving, sorting, using, reproducing, transporting, transmitting, storing, evaluating, and controlling information. </span></p> <p><span style="font-weight: 400;">While citizens are entitled to data from public offices and officials, individual privacy and rights must be preserved. Meanwhile, the Internet Legal Framework talks about the treatment of data several times but it does not define what it is. A 2016 presidential decree regulated the Civil Rights Framework for the Internet, defining personal data as any data related to identified (or identifiable) persons – including ID numbers or electronic IDs, when they are related to a person.

Read the full story NOW!

PowerJun 07, 2018

Tags: - -

BY Diogo Rodriguez

Rodriguez is a social scientist and journalist based in São Paulo.