An Overview: Data Retention Practices in Brazil

In 2014, following the Snowden revelations, the Brazilian parliament passed the Civil Rights Framework for the Internet, also known as the Marco Civil. The law has since been globally recognized as a key piece of legislation for affirming digital rights. With clearly outlined provisions on the net neutrality, privacy and freedom of expression, Brazil became an international torch-bearer for progressive Internet legislation. However, closer analysis reveals a few issues with the current law and even more threats that may arise from future legislation.

Data retention provision in the Marco Civil

The Marco Civil was developed through a participatory process, inviting the public to submit suggestions on how the new law could enshrine the three pillars of net neutrality, privacy and freedom of expression. Nevertheless, that did not prevent the traditional wheeling and dealing of the legislative process, which resulted in several uneasy compromises.

One of the most damaging concessions, strongly opposed by digital rights groups, was a data retention mandate that required Internet service providers (ISPs) to collect connection logs of all Brazilian citizens and store them for 6 months. Furthermore, the Marco Civil allowed certain authorities — like the police — to request identifying information from ISPs without a court order.

Regulatory Decree of the Marco Civil

This issue was amended in May 2016, when president Dilma Roussef issued a “regulatory decree” on the Marco Civil a day before being suspended from office. The decree protected users’ privacy by requiring law enforcement to provide a motive for the request. In addition, it outlined a few primary principles of data protection, such as the obligation for ISPs to delete the retained information upon expiry of the 6 months mandated by the law.

As a result, the current data retention regime in Brazil can be considered more restrained than those proposed or implemented elsewhere. However, this situation may prove to be temporary, as the Brazilian parliament has spent the better part of 2016 debating new online surveillance bills.

CPICIBER bills

The seven bills were introduced as part of a report by the Brazilian Parliamentary Commission of Inquiry on Cybercrimes (CPICIBER). The inquiry was started innocuously enough in July 2015 to investigate cyber crime in Brazil and provide recommendations on how to defend against it. However, the report ended up proposing a wide range of repressive recommendations that would stifle the privacy of Brazilians online, such as:

• Granting police warrantless access to IP addresses;
• Requiring websites and apps to monitor user content and take down anything considered offensive;
• Allowing judges to block sites and apps that are either used for criminal activities or don’t comply with demands for user information;
• Criminalizing improper computer system access that presents a “risk of misuse or disclosure” of data, even if no misuses or disclosure have occurred.

CPICIBER’s policy-making proposals were widely criticized. Several digital rights groups published their own set of recommendations and guidelines in addition to sending an open letter to Brazil’s Congress. The lower house of the Congress, the Chamber of Deputies, passed the bills on May 4 with some minor changes, but the approval in the upper house has been stalling since.

While these measures are being discussed in the legislature, there are some steps Brazilians can take to protect their privacy, such as using a VPN. VPNs (Virtual Private Networks) are used to secure and encrypt internet traffic, helping protect users’ information and location by hiding their IP addresses. However, it is imperative to use a VPN provider that does not store data or communication logs, like NordVPN.