Evolving threats: The state of personal data protection in Brazil
As local data protection regulations reach a five-year milestone, the need for more resources and an integrated approach persists.
Celio Vikas, a retired public servant from São Paulo, recalls a particularly harrowing incident in January in which an impostor, posing as a bank employee over the phone, almost conned him out of his password. Vikas dashed out of his home to change his credentials at the ATM as directed, but the call was disconnected before he could reveal his new PIN to the fraudster.
While Vikas got lucky, a series of personal information leaks have rocked Brazil in recent years, making data protection an increasingly complex concern for citizens.
“I know criminals have my personal data and that makes me feel very vulnerable – it’s almost as if I’ve been stripped out of my identity,” said Vikas, who, fearing further exposure, avoids online transactions altogether.
He is not alone: a study published in 2022 by the Regional Center of Studies for the Development of the Information Society found that 42 percent of Brazilians are “very concerned” about their data when they shop online.
As Brazil reaches the fifth anniversary of its personal data protection regulations, the authority entrusted with enforcing the rules has asked for additional resources and more cooperation to tackle the growing data challenges faced by individuals and businesses alike. Those challenges include developing a data privacy culture in Brazil and addressing the threats to privacy posed by cybersecurity risks and artificial intelligence.
Launched in 2020, two years after the enactment of the General Data Protection Law (LGPD), Brazil’s National Data Protection Authority (ANPD) has to date acted in 29 formal oversight processes to ensure compliance with the law, and recently issued its first sanction: a fine of 14,400 reais ($2,870) and a warning against Telekall Infoservice for offering a WhatsApp contact list to election campaigns for distributing candidate materials.
Since the start of its operations, the authority has received more than 630 security incident reports, including data breaches and leaks, for analysis, along with over 2,300 whistleblower requests and petitions.
“These numbers are significant, considering that we have such a small team”, said Waldemar Gonçalves, director-president at ANPD, during his opening speech at an event to mark the five-year anniversary of the law.
With limited resources – the authority’s budget is 36 million reais ($7.4m) for 2023 and is due to fall by 36 percent next year – the ANPD has been focusing on areas such as producing educational materials to raise data protection awareness, promoting the adoption of standards for services and products that enhance individuals’ control over their personal data, and engaging with other public sector bodies.
According to Gonçalves, handling data protection matters for a population of more than 200 million with the ANPD’s current headcount of 150 staff is a tall order.
“The UK has a population of 70 million and its data protection authority has [1044] employees”, he pointed out in comparison.
Despite that handicap, the next item on the agenda for Brazil’s data protection authority is a public consultation on international data transfer standards, which aim to ensure data protection across borders, facilitating global business while safeguarding privacy.
Data leaks and penalties
Brazil’s data protection regulations have been around for five years but only became effective less than three years ago. Still, there’s a notable shift in how the public and businesses perceive these rules, said Nairane Farias Rabelo, a director at the ANPD, in an interview with Al Jazeera. “People are becoming more aware of their rights, while companies and public entities are gradually investing more in privacy, influenced by competition, reputation, or the dire consequences of neglecting it,” she said.
The biggest leak in the country’s history so far became public in 2020 and involved the exposure of the personal data of 243 million Brazilians, including full names, addresses and telephone numbers. The cause was weakly encoded credentials left in the source code of the Ministry of Health’s website, where anyone inspecting the page could recover them.
The ANPD should have an initial conclusion this year from the investigations on the case with more details into the incident and the impact of the leak, Rabelo said.
Cybersecurity and data privacy are two sides of the same coin, said Rabelo. “Massive databases, often shared with various enterprises, need adequate protection. Failure to ensure this leads directly to compromised security and a violation of individuals’ rights. In essence, data cannot be truly protected without implementing information security”, she pointed out.
Considering that the data of countless Brazilians have already been leaked, the question is if the ANPD is just chasing shadows.
The numerous data breaches don’t negate the importance of continuing protection efforts, said Renato Opice Blum, a lawyer focused on data protection and digital law. “The [cybersecurity situation in Brazil] is far from ideal, but things would be worse if we didn’t have data protection regulations in place”, he said.
Overall, a blend of legal, technological, cultural, and economic factors is driving change in the intersection between cybersecurity and data protection in Brazil, said Marcos Oliveira, Brazil country manager at cybersecurity firm Palo Alto Networks.
“Strict enforcement of robust data protection laws like the LGPD, with significant penalties for breaches, is prompting companies to invest more in cybersecurity to avoid fines and reputational damage”, he added.
Brazil’s projected cybersecurity investments are set at 8.3 billion reais ($1.7bn) for 2023 and could hit 10.8 billion reais ($2.2bn) by 2026, according to consulting firm PwC. The predictions illustrate the relevance of compliance: LGPD fines can reach up to two percent of a company’s revenue in Brazil in its previous fiscal year, capped at 50 million reais ($10m) per violation.
The ability to penalise companies failing to comply will be crucial to move the needle in Brazil’s data protection space, said lawyer Opice Blum. “As the ANPD starts sanctioning more, there will be more protection to people and more compliance from the business side”, he predicted.
That’s easier said than done as there are “challenges in identifying the source” of data leaks, especially in private companies, said Rabelo. A shortage of staff at the ANPD hasn’t helped.
‘Sold my data’
Other challenges for the ANPD include the data-selling industry, in which individuals working inside Brazilian businesses profit from sharing personal information without the consent of the people it belongs to.
Some Brazilians have developed their own methods to protect themselves from this widespread practice.
“I can’t tell [which businesses] have sold my data, but I am sure that happens because I’ve provided a false name and a particular email address to certain websites. I then started to receive approaches from businesses I’d never heard of using the false name,” said Bruno Magri, a systems analyst.
Tackling illegal data marketplaces requires ensuring data sharing occurs only when legally justified, ANPD’s Rabelo said. The issue will be addressed more effectively when data protection is seen as part of a national strategy: “Collaboration between different government bodies, both federal and state, is essential,” she said.
One of the primary accomplishments for Brazil in the data protection realm was recognising data protection as a fundamental right, thereby making it a constitutional guarantee. In addition, the transformation of the ANPD into a special autarchy – meaning the body has its own technical, decision-making, administrative, and financial autonomy – was another pivotal step.
However, further developments, such as a presidential decree, are still needed for the authority to realise its full potential, including changing the perception that the ANPD is somewhat detached from the ordinary citizen.
“I have a higher level of awareness [about digital rights] because of my profession,” said Magri, the systems analyst. “Still, I wouldn’t know exactly what to do in the event my data privacy has been compromised, let alone people who are vulnerable and have limited knowledge about these things.”