European Data Protection: Brazilian Rollercoaster should make the EU take note
Brazilian constitution for the internet
As promised, in the second part of my blog article on the historical chance for improved European data protection, I would like to cast my gaze beyond Europe’s boundaries in the direction of Brazil. In terms of data protection, there are many parallels between Europe and the fifth largest country in the world, but also a number of differences.
Both in its formation and content, the “Marco Civil da Internet” differs from its European pendant. With the draft law the Brazilians don’t just have privacy protection in view but an “internet constitution” that defines a contemporary order for digital fundamental and human rights in line with the technological, social and cultural peculiarities of the web.
The website “Netzpolitik.Org” „Netzpolitik.Org“ (https://netzpolitik.org) presents the main aims of the “Marco Civil da Internet”: “In the first five chapters individual and collective rights are defined, including the right to internet access, the right to privacy, freedom of speech, and clear internet contracts. The chapter on providers and content providers sets clear principles for web neutrality, prevents the surveillance, filtering or analysis of internet traffic (except for when other laws stipulate it) and strengthens the liability privilege of content distributors. The last chapter deals with state authorities and embeds transparent and participatory decision-making processes, interoperability, open technologies, standards and formats, educational programs and the promotion of culture and society.
The initial idea for this draft law is closely linked to the incredibly restrictive law on computer criminality (“Azeredo Law”). Massive resistance to this law, passed by the Brazilian senate in 2008, spread across the country, supported by the “Getúlio Vargas Foundation’s Centre for Technology and Society” and by “Mega Não!” a merger of digital rights activists and scientists campaigning for an open internet in Brazil and the best possible data protection.
“Mega Não!” organised a petition against the cybercrime law which was signed by over 165,000 people. The government, under the then president Luíz Inácio Lula da Silva, revoked the law. The head of state simultaneously took up the demands of society to first of all define fundamental internet rights before restricting them with other laws.
The subsequent path to achieving a law can, to this day, be seen an unprecedented. The Justice Ministry founded a platform together with the “Lemos Centre for Technology and Society” upon which the entire Brazilian public could discuss principles and content of a “Marco Civil da Internet”. Over 800,000 contributions were received across diverse media channels (internet sites, forums, blogs, email etc.) and formed the basis for the first draft of the law, which was put online at the start of April 2010 to be commented on.
Everything seemed to be on track in Brazil for the world’s most advanced internet law. Then there were new elections in September 2010. Dilma Rousseff, also from the labour party (as with Lula da Silva), became president and the government was newly formed.
Change of government brings new realities
A change of political personnel often unavoidably brings changes in political direction. In Brazil this didn’t affect the presidential office so much or the Ministry of Justice, under whose jurisdiction the “Marco Civil da Internet” lay. The decisive weakening of the Brazilian web community took place at the level of the Ministry of Culture, where the known liberal Gilberto Gil, who throughout his time in office always campaigned for free culture and free software, was followed by Ana de Hollanda, who was repeatedly linked to the copyright industry and quickly moved to stop a number of Gil’s projects. The European Union should take note, because this example shows what could happen to data protection if no quick resolution to the parliamentary bill can be found and new politicians take over leading positions in 2014.
As a Southern Hemisphere country with its dynamic media industry Brazil has long since arrived politically in the North. Lobbyists from various sectors of society formed against the “Marco Civil da Internet”. The powerful unions of the Brazilian content industry, above all the “Brazilian Association of Reprographic Rights” (ABDR), the “Brazilian Association of Phonographic Producers” (ABPD) and the “Motion Picture of America” (MPAA) regularly took up position in front of the Ministry of Culture and the Congress and to this day, with massive political intervention, have managed to prevent the passing of the internet constitution.
Further lobby groups came from the internal security sector and from the police authorities, who just like the banks, insisted on data retention.
“Marco Civil da Internet” turned on its head
In Brazil one thing followed another. As the “Electric Frontier Foundation” (EFF) reports on their website (https://www.eff.org), the initially prevented and discredited “Azeredo Law” on combatting cybercrime was placed back on the legislative agenda at the beginning of August 2012. Parallel to this a second law, commonly known as the “Carolina Dieckmann Law” after unauthorised intimate photos of the actress were placed online, was brought into position. It criminalised the access to emails and other sensitive information without owner’s consent and carried punishments for infringement of up to two years’ imprisonment.
Furthermore, the lobbyists moved the legislator to add two changes to the wording of the law, through which the original point of the law – to establish a constitutional framework for internet usage – is completely lost. If Brazilians can still live with the data retention demanded by the authorities, changes – following the intervention of the large telecommunication multinational companies – towards the abolition of web neutrality and changes following pressure from the content industry, where internet intermediaries can be forced to delete content without legal mandate in the case of copyright infringements by their users, are not acceptable for civil society.
The 7th November 2012 will go down as a black day in the history of the freedom of the internet in Brazil. Whilst the implementation of the “Marco Civil da Internet” was blocked, both the above mentioned laws against internet criminality were fast-tracked through, thereby turning firstly the principle of guaranteeing rights and secondly via additional laws the principle of limiting these, on its head.
NSA wheeling and dealings as wake-up call
It took a whole year, until 14th November 2013, for the draft law for the “Marco Civil da Internet” to be published. The NSA bugging of her mobile phone and the surveillance of top managers of the national oil giant Petrobas probably gave Dilma Rousseff an abrupt wake-up call. The head state responded with the following statement: “Within 40 days the internet constitution law should lead Brazil into the post-Snowden era.”
In the “Marco Civil da Internet” conditions were urgently added that followed two particular directions: Firstly, the authority of the Brazilian government and executives to force internet service providers to either build up or use structures for the storage, management and transmission of data in Brazil. The government sees this approach, legitimately, as a way of achieving better protection against data attacks from foreign providers, authorities and secret services. Anyone who handles data from Brazilian citizens will in future have to do this based on data centres in Brazil. Secondly, the jurisdiction of the law was newly defined: It should already apply if a data processing procedure is conducted in Brazilian territory with an internet enabled device (computer, mobile phone etc.). The law then comes into effect even if those ultimately responsible are outside of Brazil. This extension is clearly tailored to combat large US companies. The parallels to the European data protection regulation are unmistakable.
New approach required
What can Europe take away from this Brazilian genesis for the composition of a future-oriented legal framework for the internet and data protection? The involvement of the public in the creation of a Meta concept in the form of a constitution was exemplary and isn’t practiced in Europe in this form. Furthermore, Brazil and Europe have to ask themselves the same questions and weight their priorities respectively. To what extent is manipulative lobbying for the representation of interests of certain areas of society a valid form of political decision-making and at what point does it lead to massive hindrances in the composition of future-relevant legislation? How can civil liberties and legitimate state protection mechanisms be reconciled in our web-based knowledge society? This central question is posed with good reason: It’s abundantly clear that governments first formulate rights for the state and then for the citizens. A new proportionality needs to be found here.
Renegotiate safe harbour while we’re at it
The conditions of the “Safe Harbour” agreement negotiated with America in November 2000, which defines that data from European companies and citizens in US data centres should enjoy the same data protection as in Europe, also need to be revised. At the moment companies can be subject to Safe Harbour principles by registering their membership to the US Ministry for Trade’s public list. The European Commission is questioning the adequacy of the level of protection. The problem however, is that the respect of these principles in the US is barely monitored. The Commission believes that these adequacy conditions should also be applied in the new data protection package. After the espionage revelations, some countries such as Germany are already applying stricter measures via their respective data protection authorities for the transmission of data from native companies to the US. This effectively refuses article 41, paragraph 8 of the data protection regulation and serves to cement existing differences in Europe despite territorial demand for harmonisation. This web error should be fixed urgently (http://blog.1und1.de/2012/10/09/der-neue-eu-datenschutz-wie-sicher-ist-d...), otherwise the “Marktortprinzip” (effects doctrine), with which European data protection laws become formally effective against providers from foreign states who neither have their headquarters nor operate servers in the EU but who target European users, will be undermined.
The clock’s ticking
The biggest parallel between Brazil and Europe in the in the realisation of an extensive internet law and data protection lies in the abstinence and in the patient waiting of the relevant political institutions. Brazil has now at least improved its draft law. According to Droutsas the reaction in Europe to the NSA affair failed, because there simply wasn’t any. And the realisation of an autonomous European ICT infrastructure, as repeatedly implored by the vice president of the EU Commission, Neelie Kroes, are also falling behind expectations.
So it’s over to the economically shaken Greece, with their council presidency from January 2014, to get things back on track. We need this comprehensive data protection reform as we must build up and expand our infrastructures for internet and data referencing out of, and data storage in the cloud with a greater independence from providers in economically competitive regions such as America or Asia. We have an historic chance to act now. If not, the voting success of 21st October in the European Parliament will remain a Pyrrhic victory that in reality only sets us back.