Privacy, Security and New Technologies: A Brazilian Approach to Privacy Issues in the Public Security Field
Chapter 11
Privacy, Security and New Technologies: A Brazilian Approach to Privacy Issues in the Public Security Field
Mario Viola de Azevedo Cunha and Danilo Doneda
Introduction
In this chapter we will analyse the conflict between the right to privacy and security in the use of new technologies for the fight against crime, with a special emphasis on the Brazilian scenario. Despite the fact that public security is, on the one hand, an important value, privacy, on the other, is a fundamental right recognized by most modern constitutions that needs to be equally protected. The main challenge is, therefore, to establish a balance between the need to ensure public security and the protection of individual privacy.
After the end of the Second World War, and primarily as a response to the use of personal information to identify ethnic groups, the right to privacy was promoted to the status of a human right. The right to privacy, once secluded to matters involving personal communications and expectations of secrecy, ended up being included in several international documents regarding the protection and promotion of human rights, such as the Universal Declaration of Human Rights, the European Convention on Human Rights and the American Convention on Human Rights, which ensured that ‘No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.’1
Nowadays, with the advent of the internet, a new facet of the right to privacy is being threatened, when personal information is – through the use of new technological tools – shared and collected for a wide range of purposes, including the fight against crime.
A good example of this ‘security threat’ to privacy took place after the terrorist attacks of September 11, 2001, in the US, which changed the perception that nations had regarding privacy and data protection, especially when national security issues were at stake. They interrupted the development of the right to privacy (and, consequently, of the data protection regulatory framework), having impact not only in the US, but also in the European Union and even in the Southern Hemisphere – including Brazil, which is the focus of this chapter. Taking this scenario into account, this article will analyse the threats to privacy posed by new technological tools for the fight against crime, with a special emphasis on the experience in the Southern Hemisphere.
After September 11 era: US measures against terrorism, PNR Agreements and other initiatives2
Immediately after the tragic events of September 11, the US Congress approved two pieces of legislation which, to a large extent, imposed restrictions to individual privacy and data protection.
The first one was the US Patriotic Act, of October 2001 (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001),3 which granted unrestricted access to any databases, both private or public, and also the interconnection of such databases to a series of governmental agencies and bodies.4 Moreover, this Act authorized, for example, the access by governmental agencies to the history of phone calls, emails, medical and financial files, amongst many other powers.
Another piece of legislation enacted after the terrorist attacks was the Aviation and Transportation Security Act,5 which imposed upon all air companies operating flights to and from the US the duty to disclose passenger data (PNR Record) to the Customs and Border Protection Administration (CBP) before the departure of airplanes. The Act had an extraterritorial effect, since airlines would transfer personal data of their customers collected outside the US, while they were in the territory of the departing countries, out of the US.6 Such extraterritorial effect led to an international agreement between the US and the European Union, the so-called US-EU PNR Agreement which, apart from the criticism it deserves, tried to ensure an adequate level of data protection for EU citizens flying to the US, as we will discuss in the next topic.
This situation had also produced effects in Brazil. Although Brazil has not yet adopted a general data protection law, as will be examined in a further section of this chapter, the Brazilian government announced in 2005 that it had authorized air companies to send PNR data of passengers flying from Brazil to the US, and that it would start negotiations with the US Government for a US-Brazil PNR Agreement in the basis of reciprocity.7 Nevertheless, such agreement never took place and PNR data from Brazilian passengers has been transferred to the US government without any data protection guarantees.
The US-EU PNR Agreement8
As we have mentioned, the US Aviation and Transportation Security Act, as a consequence of its extraterritorial effects and its impact on individual privacy, sparked lively reactions in many EU member states and led to negotiations between the European Union and the US. The aim of these negotiations was to ensure an adequate level of data protection in the transfer (and further processing) of PNR data, according to EU standards. Following the latter, airlines which share this information with US authorities would be subject to penalties applied by the national data protection authorities, as in most EU member states such practice would violate data protection laws.
The debate of privacy versus security was evident. The negotiations were concluded in 2007 after two previous attempts (one void by the European Court of Justice and the other an interim agreement). This 2007 Agreement, however, was severely criticized, since from a data protection viewpoint it reduced the guarantees already well consolidated at European level. Recently, the Council of the European Union, after the entering into force of the Lisbon Treaty which changed the decision making and law making process in the European Union, decided to send the Agreement for discussion and approval by the European Parliament.9 The latter has thus approved a new agreement which replaced the 2007 agreement,10 giving ‘green light’ to ‘U.S. authorities to collect and use PNR data for the prevention or fight against serious transnational crime and terrorism’.11
The terrorist attacks in Madrid and in London
The debate privacy versus security gained even more importance after the terrorist attacks in Europe (Madrid – March 2004; London – July 2005), and which rendered the exchange of personal data of citizens between law enforcement authorities an essential tool for the international co-operation against terrorism and organized crime. In the European Union the exchange of information by police forces of the member states of Europol12 and of the Schengen agreement13 are just some examples of this new justification for the transnational flow of personal data.
This situation of ‘insecurity’ led again the US Government to require the Society for Worldwide Interbank Financial Telecommunication (SWIFT) to send to US authorities information about international financial operations concluded around the world, fact that motivated new negotiations between the EU and the US. The agreement was initially rejected by the European Parliament, but latter approved, ‘allowing sharing EU citizens’ bank data with the US authorities’.14
New technological tools for the fight against crimes
In the context of these exchanges of personal information, many EU states, at the national level, have implemented new technological tools which, according to them, play an important role in the fight against crime and in the promise of security. CCTV, Body Scanners and DNA databases containing DNA samples of criminals are the most well-known tools adopted by law enforcement authorities around the world, including Europe. Such use, however, is not free of criticism.
Regarding DNA databases, the European Court of Human Rights decided in the Marper case that the storage of DNA samples of two British citizens who were criminally indicted but later considered not guilty (for different reasons), violated article 8 (the right to privacy) of the European Convention on Human Rights and, as a consequence, required the British government to destroy such samples.15
Another technology that has been largely implemented, especially in the UK is the so-called CCTV (Closed-circuit television), used for the purposes of prevention and persecution of crimes and for the maintenance of public order.16 A research published in June 2002 estimated that there were by that time more than 4 million cameras integrated to the main CCTV system in the UK, with 500,000 of them located in London.17 A more recent research, published in 2011, questions this estimate by affirming that there are now ‘only’ 1.85 million cameras in the UK.18 It is not by chance that the UK has the highest number of CCTV cameras per inhabitant in the world.19
Finally, another technology that has recently been tested in airports, with the aim of increasing the security in flights is the so-called Body Scanner.20 This technology is already being tested in Manchester Airport in the UK21 and in Amsterdam Airport in the Netherlands. Nevertheless, the discussions regarding the adoption of these new technologies at the European level are just beginning.22
In Europe, differently from Brazil as we will see in the following sections, law enforcement authorities have to comply with data protection rules when processing personal data for the fight against crime.23
The Brazilian Data Protection Framework
Brazil has no general data protection regulation24 and its data protection legal framework is based mainly on privacy constitutional provisions and sectorial data protection rules. The Brazilian Constitution recognizes in its article 5, X, the rights to private life, intimacy, honour and image as fundamental rights. The same article 5 guarantees the protection of other aspects of privacy (article 5, XI, XII, XIV),25 creating in clause LXXII a new judicial remedy to grant citizens free access to their personal data, the writ of Habeas Data.26 The Brazilian Civil Code adopted a similar position, including in its article 21 the right to privacy as a ‘right of personality’. However, the only rule dealing with data protection, besides the Habeas data, is the Brazilian Consumer Code,27 which articles 43 and 44 regulate the maintenance of databases and consumer files and establish a number of rights for consumers.28 The Consumer Code, firstly, recognizes the consumers’ right to be informed by the data controller29 that their personal data is being processed (Article 43, paragraph 2). This communication has to be made before such data is made available in the public domain,30 in order to allow the consumer to exercise his/her rights of access and rectification and the other rights guaranteed by Article 43.31 Accordingly, if the data controller does not communicate this to the consumer in a reasonable time, he/she will be able to claim damages.
The Consumer Code also recognizes the rights of access32 and rectification,33 giving consumers the possibility to access any personal information stored and rectify it if they find any inaccuracy (Article 43, caption and paragraph 3).34 In cases where the data controller does not allow consumers to exercise such rights, they will be able to claim damages and to exercise them through ordinary proceedings (Article 43, paragraph 4) or to use the above-mentioned Habeas Data writ.35 Moreover, article 43 paragraphs 1 and 5 states that any negative information about a consumer which can restrict access to credit shall not be stored for more than five years.36 Again, if the data controller fails to comply with such an obligation, consumers will be able to claim damages and to request the exclusion of the respective information through ordinary courts.
It is important to note that a Law was recently adopted by the Brazilian Parliament (Law nº 12.414 of 9 June 2011), converting into law the interim measure 518 of 30 December 2010, which regulates the creation and access to databases of information about payments, regarding natural and legal persons, with the aim of creating positive credit history.37 Since the Consumer Code dealt mainly with data regarding unpaid debts, this Act provided for the registration of consumer financial data in general and included a reasonable set of typical data protection principles and procedures.38
This Law establishes that the treatment of consumers’ financial data would be possible only with the consent of the data subject (Art. 4) and, among other issues, regulates which kind information can be stored (Art. 3, §2 and §3), data subjects’ rights (Art. 5), duties of the data processor (Art. 6), supervision of the databases (Art. 17) and liability in case of damages (Art. 16).
Despite the lack of a comprehensive data protection framework, many Brazilian courts have recognized not only the protection of the traditional dimension of the right to privacy (‘the right to be let alone’) but also the protection of the informational aspect of privacy (‘the ability of people to control information about themselves’) and of the right to self-determination (‘the individuals should have the capacity to decide about circumstances that affect them’).39
It is worth noting that the purpose principle, which is one of the core principles of all data protection laws, is not expressly recognized in general terms by the Brazilian legislation.40 However, in a famous Superior Court of Justice case, reported by Justice Ruy Rosado de Aguiar, the purpose principle was used as a limit for the processing carried out by consumer credit databases:
The Credit Protection Service (SPC), which has been set up in several cities by trade organizations of merchants and shopkeepers, has the aim of informing its members about the existence of outstanding debt of a purchaser seeking for new financing.
The benefits deriving from it, in terms of agility and security of commercial transactions, are obvious while it is also difficult to deny the seller the right to find out about the credit status of his client, and to share with others the data he has about him.
This activity, however, because of its social importance and serious effects deriving from it – since even for applying for work in the public sector a SPC negative certificate has been required – must be exercised within proper limits, so that once it reaches its purpose it does not become cause and reason for greater social harm than the benefits it sets out to pursue.41
However, according to the Consumer Protection Code, the compilation (creation) of a database containing personal data is not subject to any authorization from a public authority or from the data subject.42 In this scenario, the Brazilian Ministry of Justice opened in 2011 a public consultation regarding a draft bill of a general data protection law.43 This draft bill follows, in general terms, Directive 95/46/EC.
However, as we will see in the next topic, although not having general data protection rules, or specific rules applying to the use of personal data for surveillance purposes, both private and public bodies in Brazil have been using technology to monitor people and to process their personal data.