We begin this twelfth InternetLab newsletter with the news that the public debate on the Data Protection Draft Bill was extended until the 5th July. According to the Ministry of Justice, the decision took into account the growing complexity of the debates on the platform and the great importance for all Brazilian citizens of the subject.

Check the discussions selected in this week from the platforms of the Marco Civil da Internet regulation and the Data Protection Draft Bill.

Marco Civil da Internet regulation: the boundaries of Article 15 of the Marco Civil

Article 15. The Internet application provider that is duly incorporated as a legal entity and carry out their activities in an organized, professional and with economic purposes must keep the application access logs, under confidentiality, in a controlled and safe environment, for 6 months, as detailed in regulation.

 This article, the result of intense discussions at the time of elaboration of the Marco Civil, seeks to reconcile both the privacy of users and the persecutory and investigative capacity of the state. The records in question, according to authorities such as the Federal Police and the Federal Public Ministry, are essential for the identification of Internet users who are suspected of unlawful activities. Although the wording brought by the Marco Civil requires some detail regarding which application providers are required to keep records identifying users, many suggestions sent to the platform require an even greater detail. This would lead to a decrease in the number of providers affected by the provision, for example.

The application access record keeping and small companies

In her contribution, the participant Joana Varon began by saying that the article is “excessive and controversial” and that it would go in the opposite direction of what has been understood as appropriate in a global perspective. The participant mentioned as an example the case of Directive 2006/24 of the European Union. It established the mandatory data retention and was declared invalid in April 2014. According to Joana Varon, the decision of the European Court, which led to the annulment of the Directive, took into account the lack of proportionality in the relationship between the storage and processing of internet users on the one hand, and the potential damage to the network freedom of speech on the other.

The participant stressed that the provision can cause a disproportionate cost for small companies and new entrepreneurs, as they will be required to keep and maintain secure a large amount of data that would not normally be of interest. The new obligation would divert resources and stifle innovation in the technology sector.

In her contribution, Joana Varon points out that, taking into account the context of the design of Article 15, its initial goal was to create an obligation to preserve records for large application providers that, in general, already perform this type of storage and therefore would not face a hard time keeping data securely and meeting the requirements of the Brazilian authorities.

In view of these problems, the participant believes that the regulatory decree should define in the best possible way which application providers are required to retain access logs:

 “Thus, putting aside disputes over the constitutionality of such a measure, or even compliance with the principles of the Civil Marco itself, it is clear that broaden the scope for any size providers could be even more damaging. It is suggested therefore that, to minimize damage of Article 15, the regulation of Marco Civil attaches at least the purpose of the organization and/or application to the duty of retention and establishes a billing threshold to separate the commercial providers required to keep such records.”

 Record keeping and hosting third-party content

The contribution of the Institute of Technology & Society of Rio de Janeiro (ITS Rio), was also to limit the scope of application of Article 15. This article has even been appointed as internationally controversial by the institute.

For ITS Rio, the legal obligation of record keeping established by Article 15 shall be limited to those providers of Internet applications that host content produced by users. This choice would be grounded on the principles of Marco Civil itself and on the articles regarding the responsibility for damages arising from content generated by third parties (Articles 18-21).

According to the institute, this option would remove of the scope of application of Article 15 a variety of unnecessary and improper storage, causing large amount of resources to be spared:

 “In this way, it would be avoided the unnecessary – and improper – storage of data related to services that do not host content provided by internet users, such as e-commerce sites, financial services, online marketing tools, machine to machine applications (M2M) and sites without interactivity. It is important to note that even with respect to financial services such obligation would not be adequate under the investigation argument of money laundering offenses and other financial crimes, as there is already law that deals with this issue and that requires these companies to send information related to ‘suspected’ financial transactions to COAF [one of Brazilian tax authorities], which would make unnecessary and redundant the keeping of access logs.”

Personal data: consent waiver for research

In the text discussed for the data protection draft bill it is predicted a enhanced protection to certain data considered “sensitive”, that is, data that is strongly linked to the rights of citizens and for which treatment without due caution and special guarantees could cause large losses. Article 5 of the draft bill provides the following definition for sensitive data:

 III – sensitive data: personal data revealing racial or ethnic origin, religious, philosophical or moral beliefs, political opinions, membership to unions or faith-based, philosophical or political organizations, data concerning health or sex life, as well as genetic data;

 These data generally cannot be the target of treatment unless there is a special consent. In these cases, the consent for the processing should be distinct from the consent related to other personal data, and very well informed.

However, in the draft bill, sensitive data may be processed without the consent of citizens in certain circumstances described in the law. One hypothesis in particular has generated debate on the platform: a waiver of consent to the processing of data for “conducting historical, scientific or statistical research” (Article 11, section IV, and Article 12, section II, c).

Many participants believe that there should be a different treatment, more protective for sensitive data, even in the case of conducting research. The participant gabriela martins, for example, commented that “in this case, I believe there should be some restriction, such as it can only be used for research after the person has passed away.”

Also regarding the waiver of consent for conducting research, participants suggested several ways to give more protection both to sensitive data and to  “non-sensitive” data. Among the suggestions there are: compulsory requirement (and not optional, as stated in the draft bill) of dissociation of personal data, control of the research by a public agency, and the express exclusion from the waiver of consent hypotheses of research for purely commercial purposes and targeted marketing.