Brazil’s Policy Battleground: Anti-Disinformation and Data Protection Policies
Cover photo by Chris Boland (www.chrisboland.com/london-wedding-photographer)
Introduction
Over the past few months, many tech giants, politicians, and individual users have expressed outrage against the pending vote on the Brazilian Congressional Bill No. 2360 (Brazilian Law on Freedom, Responsibility and Transparency on the Internet). Deemed the “Fake News Bill” and “Censorship Bill” by its opponents, this legislation seeks to increase regulation of online platforms. The bill would also require social media networks to prevent the publication and dissemination of disinformation. This bill, which is currently under review by the National Congress of Brazil until July 12, has garnered controversy across the country and strong pushback from many social media companies. If passed, Brazil could become the first democratic country to formally implement a law that implements punishes parties found guilty of spreading online disinformation.
This is not the first time Brazil has taken significant legal steps in the regulation of technology. For instance, the country is leading the charge in Latin America to enforce user data protection. Today, we take a virtual trip down to South America to analyze how data protection is enforced in Brazil.
The GDPR of South America
In August 2020, Brazilian policymakers approved the General Data Protection Law (LGPD). As the first national policy to implement thorough data protection regulations, the LGPD set a legal precedent for the collection and processing of personal data. Specifically, this policy allows Brazilian citizens to have increased control over their data and requires companies to obtain explicit user content prior to the use of this information. Brazil’s LGPD, which was influenced by EU’s General Data Protection Regulation (GDPR), has a total of 65 articles outlining how organizations that process consumer data online must protect that information.
This policy is enforced by the Brazilian National Data Protection Authority (ANPD). The ANPD is an autonomous government agency that comprises members from various institutions, including National Council for the Protection of Personal Data and Privacy (CNPD), Federal Prosecutor’s Office, General Coordination of Information of Information Technology, General Coordination of Technology and Research, and Secretary General.
So what happens to violators of the LGPD? According to Article 52 of the policy, data processors who do not comply can face up to fines of R$50 million and be compelled to partially or completely shut down their operations. Additionally, under Article 6 of the LGPD, Brazilian companies must meet specific data processing requirements to maintain compliance with the policy.
Contextualizing the LGPD in Brazil
The creation of LGPD was largely inspired by Brazil’s rapid digitalization and consumption of technology. A key strength of this law is that it applies to both public and private sector entities. The LGPD states that both types of entities will be subject to the same treatment as required by law. Additionally, the LGPD enforces a culture of stringent data protection practices in Brazil and overseas. The requirements under the policy are applicable to Brazilian companies headquartered abroad, provided that their data processing operations occur in Brazil. Brazil is home to a large ecosystem of international business and trade, so it is crucial to enforce secure data usage both at home and abroad.
Since its adoption, the LGPD has been used in Brazilian courts to set important legal precedents for foreign companies operating in Brazil. This has been especially notable in the prosecution of WhatsApp in the country. While the tech company had been under legal scrutiny in Brazil prior to 2020, the enactment of the LGPD promoted more large-scale regulation of WhatsApp’s privacy practices. In August 2021, WhatsApp agreed to make changes to its privacy policies in Brazil in compliance with the LGPD. Researchers also assert that the LGPD can be used to strengthen election integrity in the country. Brazil, a country with a complex political framework, has faced issues of disinformation and voter data abuse in previous election cycles.
Conclusion
Brazil is certainly making significant strides in codifying stringent data protection policies. The LGPD has facilitated a culture of more stringent data protection practices in the country (and arguably, in neighboring countries as well). And as far as combatting disinformation and fake news goes, the world’s big tech companies will have to continue to wait to find out what’s in store.
Approved for Public Release; Distribution Unlimited. Public Release Case Number 22-02304-11. ©2023 The MITRE Corporation. ALL RIGHTS RESERVED.