The future of the data market

by Digital Rights LAC on April 2, 2014


In the field of protection of personal data Brazil is quite far behind, even in comparison to its neighbors. Argentina, Mexico, Uruguay, Peru and Chile have already developed their own regulatory frameworks. So have Canada and several European nations, following the 1995 EU Directive 95-46. The Ministry of Justice has been discussing a draft for the protection of personal data since January 2013. However, the elaboration of the text is on standby, as all eyes are currently on the Marco Civil da Internet.

By Pablo Cerdeira

The fact is that, even though there is legislation on the subject in several countries, the current regulatory framework was not sufficient to prevent the abuse that has been revealed recently. Among these abuses are the recent scandals concerning the NSA and its British sibling, GCHQ, which involved, among other examples, the unauthorized capture of images during Yahoo video conferences. They were carried out by public entities using private-sector data, whether submitted or discovered, willingly or not.

The uncovering of these scandals demonstrates not only the inadequacy of the existing frameworks adopted by various countries, when these even exist, but also generates some hostility between public and private sectors. 2013 was marked as a year of great segregation between these sectors with regard to joint action in data analysis projects, even those which may not involve personal data. This can be detrimental for society as a whole.

In the face of great change in this scenario, the Brazilian delay may prove to be beneficial as it could represent an opportunity for the country to discuss an adequate legislative draft for internal and international purposes; be it in the private or public sector.

Personal data protection in Brazil today

Even without a specific law regarding the protection of personal data, it cannot be said that the Brazilian citizen is left completely helpless and without means of protecting his personal data. The Brazilian Constitution considers the right to privacy and intimacy to be uninfringeable and ranks them among the fundamental rights it guarantees. In the public sphere, citizens can avail themselves of the recent Lei de Acesso à Informação (Access to Information Law) in order to request access to government data in the event of any suspicion of personal data storage and analysis. In the private sphere, Article 43 of the Código do Consumidor (Consumer Code) states: “The consumer, (…) will have access to existing information in listings, files, records and personal data which may have been archived concerning them, as well as information about their respective sources.”[1] However, this provision has been applied solely in cases of information used for the purposes of granting loans, even though the law does not oppose its use to gain access to any private-sector databases.

It can be concluded that, even though there is a desire for it, there is no urgency for the promulgation of a law to protect personal data, especially considering that the existing legislation in other countries has proved to be ineffective in the face of the latest scandals.

As such, we believe that Brazil could seize this moment not to accelerate the completion of the current draft, which is based on the existing international framework, but to reflect more deeply and seriously on how to really contribute to the international regulatory arena, and not only to personal protection, but to the data market as a whole.

The data market

The physical world to which we are accustomed is measured in meters, kilos, liters, gallons, etc. The area occupied by the real estate market can be measured in square kilometers. The annual grain production in tons. Oil production in gallons. The standard measuring unit for the digital world is the bit and its derivatives (bytes, kilobytes, megabytes, gigabytes, etc.). Therefore, the “size” of the digital world can be measured by the amount of bits of which it is made up.

Considering that the data which make up the digital world are, for legal purposes, intangible assets, we can determine the existence of a market, similar to the grain market, the oil market, etc., comprised of data and measured by its volume in bits. The concept of market that I am using is the simplest possible version: an environment made up of goods with a usable or exchangeable value.

Like any other market, the data market needs to be better analyzed and understood so that its regulation may be better suited to the needs of the whole society. Through its understanding, it may be possible to establish limits for the production and use of this data, what kind of data makes up this market, who the real owners of each kind of data are, who the actors are in this field and their responsibilities. The same happened in the intellectual property, oil, electric energy and real-estate markets, among others.

The fastest growing market in the world

Without doubt, the fastest growing market nowadays, in relative and absolute numbers, is the data market. Studies show that the average amount of data stored annually will grow by 30,000% between 2005 and 2020. It is estimated to double every two years.

Although unknown to the average citizen, mechanisms for collecting huge volumes of data have multiplied over the years. For regular customers, supermarkets exchange discounts for access to each client’s detailed personal information. Extracting consumers’ purchase information and even their personal information is far from difficult. People who frequently buy cheese and wine often have a different standard of living in comparison with those who purchase powdered milk and diapers. And even among those who purchase powdered milk and diapers, depending on the brands that are chosen for example, much can be said about their financial situation. Needless to say, an example of this is the case in which Target discovered an unplanned early pregnancy even before the parents.

We create data at every moment, even involuntarily. The restaurants and places we visit, the bills we pay and the information in our credit card history, are good indicators to determine, with great precision, various other elements of our lives. The same information can be extracted, in even more detail, from cellphones’ geotagging history. The same goes for electronic receipts for tolls and parking lots among other things.

Legislation which protects personal data would be essential in this situation. But it would not be enough. The protection of personal data is only a small part of a very large and complex market.

The new Gold Rush

Given the lack of regulation, we are living a new “gold rush”. Public and private sectors alike are looking to generate the largest possible volume of data to “accumulate capital”, or to “make cash”, even if this data has no immediate use.

This was the case with the NSA, as revealed by Snowden. Even though it is currently unable to analyze all the data it has collected, the North American agency tried to collect the widest possible range of information, even if only for future analysis or negotiations. This is the same behavior we have seen in other, equally unregulated, markets in their early years (the occupation of new territory, searches for metals and precious weapons in different countries, etc.).

The same thing happened in the private sector, and on a much larger scale than in the public sector. WhatsApp, purchased by Facebook for $19 billion, is an example of this. This was the acquisition of an application which was free for most of its users and did not include any advertisement. Even if all of its 400 million users paid for the use of the application, and all of the revenue was a profit, it would take Facebook almost 50 years to start to win back its investment. It doesn’t seem to be a very interesting investment.

Unless you consider the circa 10 billion messages exchanged daily to be an asset. And, better yet, an asset in a very poorly regulated market, in which the “invisible hand” can be very easily controlled by the biggest players.

In this scenario, whose regulation is obscure and ineffective in the face of recent scandals, it’s natural, and even desirable, for the population and organized civil society to position itself against this unmeasured growth in the collection of data, especially if there is any kind of collaboration between the public and private sectors.

The use of data and public interest

The collection and analysis of large volumes of data is, per se, neither good nor bad. It is important to keep in mind its purpose and the transparency with which it is done. The same data collected by government entities and private companies, seen by society with great distrust nowadays, can have very important and noble uses in public administration.

Some examples include:

Urban mobility

One of the most complex issues in the management of every large city is urban mobility. Aside from the billion-dollar damages that result from hours lost in traffic jams, this sector is also responsible for massive waste of resources (empty buses circulating in one place, and overcrowded buses on the other side of town), which makes public transport more expensive; for wasted fuel and increased gas emissions; and for delays in the circulation of police, ambulances and firefighters, which can mean a loss of lives, among various other problems.

In order to organize mobility in its urban centers, Brazil has mandated that all of its municipalities with more than twenty thousand inhabitants elaborate a mobility plan (Lei 12.587/12). One of the most important elements in this process is the so-called “origin-destination matrix”, or OD matrix. This charts how people move within the city.

The traditional method of elaborating OD matrixes is based on very limited and expensive sample studies. For the capitals alone, creating these matrixes is estimated to cost more than 1 billion Reais.

However, nowadays Brazil has over 270 million cell phones, for a population of 190 million. Almost every inhabitant of its large cities, even those less privileged, normally carries a cell phone in their commutes. And the location records of each of these devices can be obtained from the telephone companies through their CDRs – Call Detail Records, which are listed for collection purposes, reciprocal compensation between companies for the use of antennas and for improvements in cell coverage.

With these records, even if they are made anonymous, it is possible to create OD matrixes which are more precise than those made using sample studies, and cost one hundred times less. These matrixes are also significantly more precise, allowing for the creation of OD matrixes for specific events, such as large sporting events, Carnival, New Year’s, etc.

Epidemiological predictions

Governments are already testing the tracking of key words, such as “dengue, fever, nausea, sickness” etc., on social networks in order to create more precise, faster types of epidemiological prediction models. Practical tests have been carried out which demonstrate that, along with other indicators, prediction models based on the tracking of social media can anticipate classic epidemiological predictions, based exclusively on laboratory tests, by up to a week and with greater accuracy.

As well as creating detailed OD matrixes like the one previously described, it is even possible to anticipate how disease will spread through a city.

Other cases

There are various other cases in which the public and private sectors can collaborate, by exchanging data, to benefit society. The partnership between the city of Rio de Janeiro and Waze, for example, has supplied city managers with important information about the occurrence of traffic-jams, accidents, problems on streets, etc. The city’s actions in combating priority flooding points have taken into consideration the traffic information provided by citizens themselves through Waze. The exchange of data between the public and private sectors can help strengthen the democratic participation in public administration, as seen in this case.

On the other hand, any traffic alterations that occur in the city are notified on Waze and other such applications, so that the best possible routes are offered to their users. For example, the changes in the Center of Rio, which are a result of the closing of the Elevado da Perimetral; the detours in Copacabana on New Year’s; and the detours and closings of routes in accordance with the schedule of parades in Carnival were all reported so that these applications would recommend the avoidance of these areas.

Data collected by cameras which capture vehicles’ license plates have also been used, in preliminary tests, to identify stolen and unrecovered vehicles, with a 40% finding rate. A very high number at a very low cost.


As we have seen, the data market is very new and has been growing at a rate incomparable to any other sector of the economy. Its regulation, on the other hand, still doesn’t exist in Brazil, and the discussions on the topic are still at a relatively early stage.

Perhaps the most important point to be discussed is the creation of a law that protects personal data. Although it is essential, the existing models have shown themselves to be ineffective in preventing abuse. Especially for territorial reasons, considering that the largest databases are usually amassed by American companies, and are therefore out of the reach of Brazilian jurisdiction. The need to protect personal data exists, but must be addressed on an international level, so that the necessary efficiency can be achieved.

On the other hand, very little or nothing has been discussed with regard to the possibility of the government’s use of data amassed by the private sector for the creation of public policies and solutions. This discussion has evolved more in other areas, such as the use of underground resources, the occupation of urban spaces, the financial sector; but still hasn’t reached the topic of data use. The discussion needs to broach the issue of the public interest in accessing private sector data and, especially, the limits for both sectors in matters of private data.

Brazil, because of a series of coincidences, has found itself in a privileged position to assume a leadership role in this arena. If on the one hand we are behind on the creation of a law to protect personal data, on the other we have the opportunity to learn from the mistakes of others for the creation of a more effective regulatory framework. At the same time, the recent protagonist role played by Brazil in international forums in the face of the international violations of national data also places us in an ideal position for innovative suggestions.

Therefore, the path to be followed will have to include the protection of personal data. But it cannot be limited to the internal aspect of the issue. The data market must be treated not only as another market, but as an issue of public policy.

[1] Personal translation