Categories
Books

Ebook Kindle Derecho de la Comunicacion en Brasil

Author: Ericson M. Scorsim

Year: 2016

Spanish

Sold by: Amazon Servicos de Varejo do Brasil Ltda

Communications Law focuses on the legislation applicable to internet services, telecommunications, broadcast television, subscription TV, and advertising.
In the book, the author Ericson M. Scorsim analyzes regulatory, legal, and contractual issues, as well as Brazilian case law.

Categories
Articles

The Geostrategic Option for Brazil to Strengthen Data Infrastructure: A Review of the European Cloud Computing Project GAIA-X

Ericson Scorsim. Lawyer and Consultant in Communication Law. PhD in Law from the University of São Paulo (USP). Author of the book collection on Communication Law, with a focus on Technologies, Media, and Telecommunications.

The European Union, under the leadership of France and Germany, is carrying out the project called GAIA-X for data infrastructure. The aim is to strengthen the European Union’s sovereignty over data to encourage the creation of a digital ecosystem. According to the program’s official documents: “data sovereignty in the sense of complete control over stored and processed data and also the independent decision on who is permitted to have access to it”.[1] And also on data sovereignty: “sovereign data services which ensure the identity of source and receiver of data and which ensure the access and usage rights towards the data”.[2] In the text, one of the stated objectives is: “protection against non-European extra-territorial regulatory: protection against abuse of national regulations that allow to access data stored in cloud infrastructures or services is an essential part of the European federated data infrastructure”.[3] The data infrastructure is a federative infrastructure that consists of components and services that make it possible to access, store, exchange, and use data according to pre-defined rules.

The digital ecosystem is the network of developers, providers and users of digital products and services. In short, the aim of the GAIA-X project is to provide incentives to European cloud computing companies, ensuring the competitiveness of European Union countries. It is categorically stated that the project is a geostrategic response by the European Union to the passing of the Cloud Act by the United States. It is also a reaction to the competitiveness of the U.S. companies IBM, Microsoft, Google, and Amazon, which are leaders in the infrastructure-as-a-service market. There is only one global Chinese competitor in this segment: Alibaba.

The project is set in the context of the single data market and the strengthening of the European digital economy. For the European Union, there is the public policy of defending the data of European industry. Starting in 2021, the project is expected to be completed with the installation of cloud computing infrastructures. One of the main points of the project is to ensure interoperability between systems to enable migration to European cloud computing companies. Another goal is to ensure control over data on European territory. This European Union geostrategy for strengthening data infrastructure capacity can serve as an inspiration for Brazil. In this respect, a national policy of incentives for data infrastructure capacity is needed, aligned with an industrial policy and digital trade policy, and including national defense policy. These public policies are essential for the country’s adaptation to the 5G technology and Internet of Things scenario, allowing for the best economic use. After all, the country that controls the 5G digital infrastructure controls its digital economy. In Brazil, the main telecommunication companies present here have European headquarters (Tim and Telefonica; the exceptions are Mexico’s América Móvil, and Oi and Algar Telecom).

These telecommunications companies have the fundamental role of deploying connectivity in Brazilian territory. Thus, they have the ultimate responsibility for defining how best to provide 5G technology. Also, the main suppliers of 5G technology are European: Ericsson (Sweden) and Nokia (Finland). In Asia, there’s South Korea with Samsung. Thus, Brazil has other interesting geostrategic options regarding 5G technology that go beyond those offered by the United States and China. The best thing for Brazil is to maintain neutrality in this conflict for global leadership between the United States and China. But the country can take advantage of the opportunities in redefining the global 5G technology supply chain, with incentives to attract foreign investments in this production chain here in Brazil, attracting investments in microchip factories and installation of data centers. It is essential for Brazil, like the European Union, to reflect on the risks of abuse in the application of U.S. legislation (Cloud Act), which allows access to data located in other countries. It is key for Brazil to affirm its sovereignty in cyberspace, strengthening its capacity for cyber defense against possible risks of abuses in the application of foreign legislation in an extraterritorial manner.

In the coming decades, 5G, IoT, artificial intelligence, and big data will be the driving forces of the digital economy, which is why it is essential for the country to prepare itself for this global scenario.

[1] Project GAIA-X. A Federated Data Infrastructure as the Cradle of a Vibrant European Ecosystem. Federated Data Infrastructure. Federal Ministry for Economic Affairs and Energy and Federal Ministry of Education and Research.

[2] Work cited.

[3] Project GAIA-X. A Federated Data Infrastructure as the Cradle of a Vibrant European Ecosystem. Federated Data Infrastructure. Federal Ministry for Economic Affairs and Energy and Federal Ministry of Education and Research.


5G Technology and the Geopolitical Risks for Brazil and Telecommunications Companies. Geostrategic options for Brazil, besides the United States and China, with other international alliances

Ericson Scorsim. Lawyer and Consultant in Communication Law, with a focus on Technologies, Media, and Telecommunications. PhD in Law from the University of São Paulo (USP). Author of the Communications Law eBook Collection.

The Brazilian government is about to define its geostrategic position on Huawei’s 5G technology. It seems the decision will be postponed till 2021, as reported in the media. In other articles, I have explained the context of this controversy between the United States and China related to 5G technology.[1] In this article, the focus is on explaining the geopolitical risks for Brazil on the subject of its own national security and its national economy. Now, 5G technology is related to the risks of interference by both the United States and China intelligence services, which aim to collect data and communications. Therefore, Brazil and Brazilians can become targets of the intelligence services of those countries.

For Brazil, the federal, state, and municipal governments, and Brazilian companies, there are geopolitical risks in relation to the United States. Currently, the global North American technology companies are shaping Brazil’s digital ecosystem and communications networks. Google, Microsoft, Amazon, YouTube, WhatsApp, Twitter, Apple have defined new forms of relationships in the digital[2] environment. However, these U.S. technology companies are subject to U.S. law and U.S. agencies. There are even systems of cooperation between these companies and the United States Department of Defense. For example, Google is required to sign a cooperation agreement with the U.S. Department of Defense regarding the installation of a submarine cable connecting the United States and Hong Kong to allow inspection of the cables.

The central issue in relation to 5G technology relates to the ability to collect intelligence signals, which is why the United States has imposed restrictions on the Chinese company Huawei, on the grounds of risk to its national security. According to the United States, Huawei must collaborate with China’s national intelligence services, as required by China’s National Intelligence Act. For the US government, there is a risk that Huawei will supply covert telecommunications equipment, with backdoors that will allow for espionage. So some experts argue that the Huawei equipment is actually a Trojan Horse, just like the gift given by Athens to the Trojan people. It turns out that inside the statue of the horse were Athenian soldiers who attacked the Trojans. That is why the Trojan horse became known as a trap given to the enemy.

But one of the central objectives of U.S. foreign policy is to contain China’s advance in 5G technology.

The irony is that the United States also has legislation with the capacity to force technology companies to collaborate with its national intelligence services, as well as with the Department of Defense. In addition, there is the extraordinary ability of the National Security Agency to intercept communications anywhere on the globe, as well as to conduct electronic espionage against anyone anywhere in the world. As US economist Jeffrey Sachs explains: “Ironically, though predictably, U.S. complaints partly reflect America’s own surveillance activities at home and abroad. Huawei’s Chinese equipment could make it more difficult for the U.S. government to covertly monitor it. However, illegitimate surveillance by any government should end. Independent monitoring by the United Nations (UN) to restrict these activities should become part of the global telecommunications system. In short, we should choose diplomacy and institutional safeguards, not technological warfare”.[3]

In summary, 5G technology is directly related to the ability of governments to collect intelligence signals. This method of intelligence refers to the extraction of data, by hardware, software, Internet networks, telecommunications networks, submarine cables, satellites, mobile phones, televisions, electronic devices. The United States is able to collect intelligence signals, as the history of National Security Intelligence (NSA) shows. Moreover, for the time being, the United States is the global leader in microchip technology, essential inputs for technology in the central and peripheral areas of the 5G network. Huawei owns both central and peripheral 5G technology. The other competitors are Ericsson and Nokia. Now, the company and/or intelligence agency that is able to collect intelligence signals can also extract data, infiltrate electronic surveillance devices, analyze data, decrypt data, and store data, as well as retain and delete data. It can also modify the data flows carried over the Internet, as well as change the traffic route of the data packets. This is what the US government suspects in relation to China Telecom and China Mobile, accused of diverting the route of US communications into China. Faced with this, there is the proposal to revoke the licenses of these Chinese companies.

For the United States, China is considered an adversary country because it threatens its global leadership. Thus, Huawei is deemed a company with ties to the government of an opposing country. For Brazil, China is not an opponent, on the contrary there are good trade relations between the two countries. So, at first, there is no reason to be suspicious of Huawei. On the contrary, for decades Huawei has been the main supplier of 4G technology for telecommunications companies in Brazil.

But there is another factor in this story not yet properly clarified. It is the context of the United States and of applying its legislation in an extraterritorial manner, with the exercise of its jurisdiction almost universally, especially when it comes to its national intelligence services.

The current policy of the Brazilian government of automatic alignment with the current government of the United States ignores this fact, something that is detrimental to Brazilian interests. However, the Brazilian government cannot ignore this reality with potential for collateral damage to Brazil’s national economy and our national security. Brazil’s proximity with the current US government may produce positive effects for our national economy, but one cannot ignore the geopolitical risks for Brazil, its sovereignty, and its jurisdiction.

Thus, for Brazil, its government, and Brazilian companies, citizens, and institutions, there is the geopolitical risk of extraterritorial application of U.S. legislation: Leadership 5G Act (the U.S. law that sets technical standards for 5G), Build Act (Better Utilization of Investments Leading to Development Act of 2018[4]), Foreign Intelligence Surveillance Act (FISA, allows U.S. intelligence services to conduct electronic surveillance of foreign governments and authorities and businesses), National Intelligence Law (application by the National Security Agency of measures to intercept foreign nationals’ electronic communications, as well as requiring U.S. companies to provide data and metadata on users of applications, social networks, fiber optic submarine, and satellite cable network infrastructures, among others), Communications Assistance for Law Enforcement Act (CALEA – technical requirements for telecommunications manufacturers to facilitate interception of communications), Cloud Act (Clarifying Lawful Overseas Use of Data Act – authorization for U.S. authorities to access the content of private communications stored by companies[5]), Cyber Intelligence Sharing and Protection Act, Agriculture Improvement Act of 2018 (incentives for Internet installation in rural areas, data collection system for crops, geospatial technology standards, etc.)[6], National Defense Authorization Act (rules for control of arms sales as well as military training for Brazil, with provision for reporting of human rights abuses by Brazilian security forces), US Patriot Act (measures to combat terrorism), Geospatial Data Act (law dealing with the collection, processing, storage of geospatial data)[7], International Cooperation Treaty on Intelligence Sharing (Five Eyes), and Foreign Corrupt Practices Act (U.S. anti-corruption law with potential application on Brazilian[8] companies), Foreign Investment Risk Review Modernization Act of 2018, Export Control Reform Act of 2018[9], among others.

There is a list of numerous authorities of U.S. federal agencies that can act and impact Brazil’s national interests: United States Presidency, Department of Defense[10], Department of Justice[11], Department of Energy[12], National Security Agency (NSA[13]), Central Intelligence Agency (CIA[14]), FBI[15], Defense Advanced Research Projects Agency (DARPA[16]), National Geospatial-Intelligence Agency (NGA[17]), National Reconnaissance Office (NRO[18]), National Oceanic and Atmospheric Administration (NOAA[19]), Committee on Foreign Investment in the United States (CFIUS[20]), Federal Telecommunication Commission[21], Security Exchange Commission, Foreign Intelligence Court[22], Securities on Exchange Commission[23], Bureau of Economic and Business Affairs, Cyber Infrastructure (CISA), Southern Armed Forces Command (U.S. South Command[24]), among others.

I also believe it is in the interest of telecommunications companies operating in Brazil to assess the geopolitical risks of the Brazilian government’s position on 5G technology.  Any wrong move by the Brazilian government may compromise the level of investments in 5G technology in the country. Likewise, companies supplying 5G technology to telecommunications companies must assess these geopolitical risks, related to Brazil’s position. Any company with global operations has a responsibility to its investors, which is why it is necessary to analyze the political risks related to the Brazilian government, the United States, and China regarding 5G technology.

In short, given its domain of technological evolution, the United States can access data outside of its territory, including for the purposes of extending its jurisdiction almost universally (via intelligence and/or other services). Thus, it is up to Brazil, grounded on its sovereignty, to adopt national self-defense measures, preventing itself from being entirely subordinated to the foreign policy of the United States to the detriment of Brazilian national interests.

Brazil has other interesting geostrategic options regarding 5G technology that go beyond the United States and China. Brazil could establish partnerships with the European Union to encourage the production of 5G technology within the Brazilian territory, after all, the main suppliers of this technology are European. Also, Brazil could partner with Asian countries for the development of technology here, having as potential partners: Japan and South Korea, among others. Finally, Brazil could become a great international leader in 5G technology if it enters partnerships with the appropriate partners and knows how to preserve national interests, with a clear position of national defense against espionage from either the United States or China. Brazil cannot be held hostage to the geostrategic interests of the United States and/or China or any other country. The defense of national sovereignty is essential, ensuring the protection of personal and non-personal data (industrial data, financial data, commercial data, data of national wealth, geospatial data, etc.), as well as the protection of critical national digital infrastructures essential to the connectivity of the country.

[1] Scorsim, Ericson. A tecnologia de 5G da Huawei nas redes de comunicações: o alvo geoestratégico da lawfare imposta pelos Estados Unidos contra a empresa e China, published on the website: www.direitodacomunicacao.com, June 8, 2020.

[2] As an example, Petrobras refused to supply fuel to two cargo ships with Iranian flags on the grounds of economic sanctions imposed by the United States against Iran through the Office of Foreign Assets Control (OFAC) and the Countering America’s Adversaries through Sanctions Act. One of the ships was carrying urea, the other maize. The companies in charge of the ships went to court in Brazil. In the end, the Brazilian Supreme Court ruled that the Iranian ships did not have their names on the U.S. Treasury Department’s “blacklist,” which lists the targets of their economic embargoes. It should be noted that the United States uses lawfare mechanisms against Iran, i.e., it uses its legislation to achieve strategic objectives similar to the results of a war.  In another case, Petrobras, accused of having violated the Foreign Corrupt Practices Act, made a deal with the U.S. Department of Justice. Under such agreement, the company was forbidden from invoking the national sovereignty clause to breach the agreement.

[3] Sachs, Jeffrey. A guerra contra a tecnologia chinesa. Valor Econômico, November 14, 2019.

[4] Law authorizing the U.S. government to finance activities of U.S. interest abroad. The U.S. Ambassador to Brazil stated the possibility of using the Build Act to finance 5G technology in Brazil, subject to the imposition of a ban on Huawei participation.

[5] For example, access by US authorities to email content, social networks, and/or applications stored on servers abroad.

[6] Risk of potential collection of Brazilian agriculture data by US federal agencies.

[7] Potential for the collection of geospatial data from the Brazilian territory by US federal agencies.

[8] The Foreign Corrupt Practices Act provides for punishment of any company that uses U.S. infrastructure (banking or communications system) to pay a bribe to public officials. And, as a historical reference, over the last decades, Brazilian companies experienced a period of ascension, performing infrastructure works all over Latin America. However, they were shot down by the Lava Jato investigations. Harvard professor Matthew Stephenson denies the possibility of geopolitical use of the FCPA by the United States. But suspicion remains about the instrumentalization of the FCPA for US geopolitical purposes.
See: Kall, Kevin, Herdy, Thiago e Amado Guilherme, Ex-diplomata revela a visão dos Estados Unidos sobre a Lava Jato e projeto de poder do PT. Época Magazine, July 8, 2019.
In addition, U.S. Democratic congressmen questioned in a letter to the Department of Justice the collaboration of U.S. authorities with Brazilian authorities in the Lava Jato investigations.

[9] The current government of President Jair Messias Bolsonaro has encouraged the installation of weapons factories in Brazil, which is why it has made legislation more flexible. Now, when it comes to US companies that will be set up here, there is the potential application of US export control and arms transfer legislation. On that matter, the National Defense Authorization Act provides for the assessment of the impact of U.S. military equipment and training for Brazil’s security forces and the risks of human rights abuses. And also, by way of illustration, the Wassenaar Arrangement Agreement deals with the control of the exports of so-called dual-use technologies, arms and products. The objective of the agreement is to contribute to the regional and international security and stability of the countries. The United States is part of this treaty, but Brazil is not.

[10] United States National Security Authority.

[11] Can investigate Brazilian companies accused of committing crimes under US law.

[12] Can map the energy capacity of Brazil.

[13] National Security Agency that can perform electronic surveillance and interception of electronic communications anywhere on the globe.

[14] Intelligence Agency that can promote covert actions in social networks, applications, etc.

[15] Federal crime investigation agency.

[16] Agency developing intelligence and defense products.

[17] With satellite capacity to collect images from land, sea, and airspace.

[18] Can recognize ships, aircraft, objects, surfaces, vehicles, facilities, etc.

[19] With satellite capacity to promote “scans” by images of the Brazilian territorial sea, which happened in that episode of oil spill on Brazilian beaches.

[20] Federal agency to assess foreign investments in the United States.

[21] Federal telecommunications agency.

[22] Federal Court responsible for examining requests for electronic surveillance of foreign nationals.

[23] Federal agency responsible for the supervision of securities transactions (shares traded in stock markets and other assets).

[24] A Brazilian General was appointed to the United States Armed Forces Southern Command. A recent video from the U.S. South Command attested to the subordination of the Brazilian General to the command of the United States General. The episode narrates the collaboration of Brazilian authorities in the fight against drug trafficking, together with the United States.


Why is 5G technology in Brazil of interest to U.S. national security?

Ericson Scorsim. Lawyer and Consultant in Communication Law, in the areas of Technologies, Internet, Media and Telecommunications. PhD in Law from the University of São Paulo (USP). Author of the Communications Law eBook Collection.

In an interview given to the Brazilian newspaper Folha de São Paulo on June 11, 2020, Ambassador Todd Chapman of the United States declared that the financing of 5G technology for Brazil is of interest to U.S. national security. According to the representative of the U.S. government, it is in the interest of the United States to finance 5G technology, through the International Development Finance Corporation, for companies allied to North American interests, such as Ericsson (a private company originating in Sweden with global operations) and Nokia (a private company originating in Finland with global operations).  In fact, the legislation called the Build Act (Better Utilization of Investments Leading to Development Act of 2018) authorizes the IDFC (International Development Finance Corporation) to finance projects abroad with U.S. public funds. This legislation is a direct response to China’s action on emerging countries.

The goal of U.S. foreign policy is to stimulate investments in 5G for companies competing with Huawei. According to the U.S. Ambassador, Huawei’s 5G technology represents a risk of access to data and information, as there is a link between the company and the Chinese government. Thus, the company is obliged to share information with China’s intelligence services. Still, according to him, the U.S. State Department has adopted a 5G Clean Path program, which prohibits U.S. embassies from adopting the services of telecommunications operators that use equipment from high-risk 5G suppliers.[1] According to the Ambassador, it is unlikely that anyone will make investments in countries where their information is not protected.

Given this interview by the U.S. Ambassador, the question remains: why is there so much interest in 5G technology in Brazil? According to the Ambassador’s statement, there is U.S. national security interest in the issue. But the question remains: why this interest by the United States? Is the United States concerned about American companies operating in Brazilian territory and that may end up using Huawei’s 5G technology? Or, is the United States concerned about Brazilian companies using Huawei 5G technology? In an article published in the Communication Law Portal, I explained this issue of 5G technology and the dispute between the United States and China. In theory, there is a risk that Huawei will be forced by the National Intelligence Law of China to share data/information with the national intelligence service of that country. 

However, it must be noted that this type of risk may also exist in relation to U.S. telecommunications companies, which are obliged to collaborate with the U.S. national security intelligence, as determined by CALEA – the Communications Assistance for Law Enforcement Act. Moreover, global technology companies (Facebook, Twitter, YouTube, Microsoft, Amazon, among others), providers of Internet applications, may also, in principle, be required to collaborate with intelligence and national security services in cases of risks to national security and public safety. In sum, the current U.S. government accuses Huawei and China of conducting electronic espionage and unauthorized access to data/information, which is the reason for the ban on Huawei’s 5G technology in U.S. territory. But who can guarantee that American government agencies do not conduct these types of electronic espionage either? After all, in 2013, it is public and notorious that Brazil was the target of espionage carried out by the National Security Agency of the United States, a fact proven by the Parliamentary Commission of Inquiry of the Brazilian Congress. The European Union and the United Kingdom have put forward solutions for mitigating cyber security risks from qualified high-risk supplier technology by imposing partial restrictions on Huawei.[2] Finally, it is up to Brazil, as a sovereign nation, to carry out the protection of the communications of Brazilian citizens, companies and institutions, in the face of any risks of electronic espionage, whether from the United States or China. If the Brazilian government and Congress do not respond to the challenge of protecting the infrastructure of communications networks regarding 5G technology, they may be held accountable for this omission to their institutional responsibility.

International strategic alliances are dangerous because they represent the risk of unconditional and uncritical adherence to the priority agenda of the country that is strongest in the relationship.  Hence the care required in the formulation of Brazil’s foreign policy in relation to the 5G theme. And Brazil’s automatic alignment to a foreign power has the potential to cause serious damage to its international relations. 

Automatic alignment can be the fruit of a colonized leadership; a colonized mentality submissive to the colonizer. Brazil’s national security policy regarding 5G communication network technology cannot be submitted to either the United States or China. A policy of submission is an attack on national sovereignty. Maybe it’s time to proclaim: Brazil First!

[1] According to the U.S. State Department: “The 5G Clean Path is an end-to-end communication path that does not use any 5G transmission, control, computing, or storage equipment from an untrusted vendor. A 5G Clean Path embodies the highest standards of security against untrusted, high-risk vendor’s ability to disrupt or deny services to private citizens, financial institutions, or critical infrastructure”.

[2] See: Scorsim, Ericson. A tecnologia competitiva de 5G da Huawei nas redes de telecomunicações de 5G: o alvo da geoestratégia da lawfare imposta pelos Estados Unidos contra Huawei e a China. Estudo completo do caso de repercussão sobre o Brasil. www.direitodacomunicacao.com


The President of the United States Imposes Government Control on the Security of Information Technologies and Communications of Interest to Foreign Adversaries

On May 15, the President of the United States issued the Executive Order on Securing the Information and Communications Technology. The decision was grounded on the International Emergency Economic Powers Act, National Emergencies Act, and the United States Code. According to the justification of the Executive Order, foreign adversaries are increasingly creating and exploiting vulnerabilities in information and communications technology and services, which store and communicate vast amounts of sensitive information, facilitate the digital economy, and support critical infrastructure and vital emergency services. Foreign adversary means any foreign government or foreign non-government person engaged in a long‑term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons. There are risks of malicious actions, including industrial espionage against the United States and its people. There are threats caused by foreign adversaries to the national security, foreign policy, and economy of the United States. Hence, the Executive Order forbids any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service (transaction) by any person, or with respect to any property, subject to the jurisdiction of the United States, where the transaction involves any property in which any foreign country or a national thereof has any interest, from the date that this order is issued.

The presidential act has the purpose to ensure the control by the North American government of commercial transactions that involve information and communications technology or services designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary; transactions that pose an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States; transactions that pose an undue risk of catastrophic effects on the security or resiliency of United States critical infrastructure or the digital economy of the United States; or otherwise poses an unacceptable risk to the national security of the United States or the security and safety of its citizens.

The presidential act grants powers to the Secretary of Commerce, in consultation with other authorities (the Secretary of the Treasury, Secretary of State, the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, the United States Trade Representative, the Director of National Intelligence, the Administrator of General Services, the Chairman of the Federal Communications Commission) to design or negotiate measures to mitigate concerns related to the risks described in the Executive Order. Such measures may serve as a precondition to the approval of a transaction or of a class of transactions that would otherwise be prohibited pursuant to the Executive Order. The Secretary of Commerce, in consultation with other authorities, is authorized to take such actions to cease the transactions prohibited by the Executive Order, adopting the appropriate rules and regulations.  The Secretary, in consultation with the other federal authorities, is authorized to submit a final report to the Congress on control of such activities. The Director of National Intelligence shall continue to assess threats to the United States and its people from information and communications technology or services designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.   The Secretary of Homeland Security shall continue to assess and identify entities, hardware, software, and services that present vulnerabilities to the United States and that pose the greatest potential consequences to the national security of the United States.

The Executive Order does not mention any specific countries or companies. However, it is known that the Trump administration is targeting the Chinese company Huawei. This measure is being adopted in the context of the trade war between the United States and China. The dispute is for the market that supplies equipment for telecommunications networks and the 5G market. The United States government wants to bar the Chinese company Huawei and its partners from purchasing American components and technologies without prior government approval. So the US authorities will prepare a list of companies and products deemed harmful to the interests of the United States, as they are promoted by foreign adversaries. According to information published by Reuters, Huawei is not able to manufacture servers for telecommunications networks, relying on third-party products such as the ones from American suppliers. However, Huawei is independent when it comes to the mobile phone market, as it owns all the components of these products (chips and software). The Chinese company is seeking to develop high-end technology to reduce its dependency on imported components. 

Published on the legal portal Migalhas Internacional on 21/05/2019


The United Kingdom discusses new rules to regulate online content to protect user safety


The British government, through its Department for Digital, Culture, Media & Sport (DCMS), has presented measures to deal with online harms against users of digital platform services – the Online Harms White Paper. The measures were presented to the British Parliament. According to the document, the British Digital Economy needs a new regulation to improve the online security of citizens, given the online abuses that exist. The instrument mentions that self-regulation by global technology companies is not enough to prevent harms to users related to abuses and illegal online content. Thus, it recommends regulatory measures to establish the duty of care of digital platforms towards the protection of their users, for the purpose of inhibiting illegal and harmful content.

The regulation covers social media networks, websites, public discussion forums, messaging services, and search engines. It proposes that an independent regulatory authority should monitor the responsibility of the technology companies that mediate online content. Amongst the issues in debate are problems with abuse against children (cyberbullying), online disinformation campaigns, terrorist content shared on social media, pornography, hate crimes, inciting violence and crimes (there are online gangs that promote violence), encouragement of self-mutilation and suicide (protection of the mental health and wellbeing of young people), drug trafficking, anonymous online intimidation, interference in legal procedures by disseminating online content, amongst other issues. Among the justifications for such regulation is online abuse of public figures; the example given is abuse committed against female journalists. Another matter under debate is online advertising and the regulatory asymmetry in the dissemination of content in different services (for example: the regulation of broadcasting and the deregulation of content published on digital platforms: YouTube, Netflix, Prime Video, amongst others).

The document also speaks of the duty of care regarding interference in legal proceedings by disseminating online content throughout communities. According to the report, the technology companies must help users to report interference in legal proceedings, in the case of anonymous offenses. And as for online content that interferes with legal proceedings, the information on the occurrences must be updated in relation to the updating of such information. Companies providing content distribution services must ensure immediate removal of illegal online content, as soon as determined by the proper authority.

Technology is part of the solution to promote education and digital awareness. The United Kingdom is seeking to build a new regulatory framework for online content, by holding technology companies accountable for the content they distribute and promoting the duty of care with regard to protecting the users of digital services. Amongst the sanctions stated in the regulation are fines, service blocking (geo-blocking of websites and applications), and the individual liability of the managers of the online content intermediary companies.

Article published on the legal portal Migalhas Internacional on 15/04/2019


The European Union’s Strategic Outlook on China: Security Aspects of the 5G Networks

On March 12, 2019, the European Council and European Commission presented the joint strategic outlook of the European Union on China. This text is based on the main aspects of that official document, focusing on the matter of cybersecurity in the 5G networks. China is recognized as the EU’s second-biggest trading partner, behind only the United States. Hence, the challenges and opportunities presented by the relationship with China must be identified. China is a global player with leading technological power; however, this leads to greater responsibilities for upholding the international order, as well as greater reciprocity, non-discrimination, and openness of its system. It is a cooperative partner, but in some cases also a strong competitor. This creates the need to find a balance between the political and commercial relationships. In the near future, China will no longer be seen as a developing country.

With regard to competitiveness and leveling the playing field, the document mentions measures to be adopted by the EU regarding the distortive effects of foreign state ownership and state financing of foreign companies on the EU internal market. It also mentions the need to build a strategy related to artificial intelligence to foster investments, with a human-centric and trustworthy approach, a key condition for acceptance of the use of technologies.

Another theme is strengthening the security of critical infrastructure and the technological base. There are concerns regarding the risks to the EU’s security represented by foreign investment in strategic sectors of the European economy through acquisitions of critical assets, technologies and infrastructure, as well as the supply of critical equipment. We highlight the matter of 5G digital infrastructure, used to provide mobile and wireless communication services. 5G has the potential to connect billions of objects and systems, including sensitive information and communication technology systems. Hence, the European Union has several legal instruments, such as the Network and Information Security Directive, the Cybersecurity Act, and the European Electronic Communications Code, for protection against cyberattacks. The EU will support multilateral efforts to promote free and secure data flows based on strong privacy protections for personal data.

On the other hand, the new Regulation for foreign investments will enter into force in April 2019 and fully apply from November 2020. Therefore, the Member States must apply the rules of such Regulation on foreign investment to control the security risks posed by foreign investment in critical assets, technologies and infrastructure. To avoid the distortions resulting from foreign state ownership and state financing of companies, the European Commission must identify such distortions by the end of 2019. Given the potential risks to the security of the digital infrastructure, there must be a strategy for the security of the 5G networks. Thus, the European Commission will issue a recommendation to be followed by the European Council. As for the security threats caused by foreign investments in critical assets, technologies and infrastructure, the Member States must ensure the effective implementation of the Regulation of direct foreign investments.

Article published on the legal portal Migalhas on 05/04/2019


Huawei Sues USA Due to Ban on the Use of its Equipment by American Agencies

The company Huawei has filed a lawsuit against the United States government due to the legislative ban contained in the National Defense Authorization Act (NDAA), which forbids the company from supplying telecommunication equipment to federal agencies. The law also bars federal loans for the purchase of such products.

The case was filed before a federal district court in Texas, against the United States Government, the U.S. General Services Administration Administrator, the Secretary of Labor, the Secretary of Health and Human Services, the Secretary of Education, the Secretary of Agriculture, the Secretary of Veterans Affairs, and the Acting Secretary of the Interior.

According to the complaint filed, the 2019 NDAA, more specifically its Section 889, is unconstitutional as it directly forbids federal authorities from signing procurement agreements with Huawei to purchase telecommunication equipment or from granting federal loans for such purpose.

In short, Section 889 is not only contrary to the economic interests of the United States and its citizens, and ineffective at advancing U.S. security interests, it is also contrary to the Constitution of the United States.

Injuries to the U.S. Constitution

The first injury to the U.S. Constitution is the violation of the Bill of Attainder Clause, which prohibits the legislature from imposing punishment without hearing the other party or holding a trial.

The second unconstitutionality relates to the violation of the Due Process Clause, which prohibits legislation that would single out particular persons for deprivations of liberty. In this case, the legislative act affects business freedom.

The third unconstitutionality is the violation of the principle of the separation of powers, as Congress must not act as prosecutor, judge, and enforcer of the sanction of prohibition against the company, without any evidence of it having business connections with the Chinese government, as well as of threats to cybersecurity.

The company also claims that Section 889 of the National Defense Authorization Act bars Huawei from doing business with the federal government even as to agencies that have no significant connection to defense, information security, or national security.

It further argues that the U.S. law causes significant damages to Huawei’s business by creating unfair conditions amongst competitors.

Thus, the U.S. federal government may purchase telecommunication equipment from Nokia, Ericsson, and other competitors, but cannot purchase products from Huawei.

Finally, Huawei requests that Section 889 of the 2019 National Defense Authorization Act be declared unconstitutional, as it violates the Bill of Attainder Clause, the Due Process Clause of the Constitution’s Fifth Amendment, and the Constitution’s Vesting Clause and resulting separation of powers.

Article published on the legal portal Migalhas Internacional on 15/03/2019


The Internet of Things: the Public Consultation of Anatel on the Regulation of IoT Applications and Machine to Machine Communication

The Internet of Things, known as IoT, is a market trend in internet applications.

IoT is the infrastructure of physical or virtual connection between objects, mediated by devices, based on information and communication technologies. This network allows the collection, processing, treatment, and sharing of data relating to physical and/or virtual objects.1

This article presents the challenges for regulating this matter in Brazil, stressing the public consultation held by Anatel in September 2018 on IoT-related issues.

Such public consultation dealt with issues related to the rating of IoT applications, licensing and award rules, use of the spectrum frequencies, taxation, and others, to be examined further on.

IoT Applications

There are IoT applications in houses and buildings. IoT products for smart homes control temperature, lights, security, and energy consumption; one example is Alexa, a virtual assistant sold by Amazon.2 In buildings, IoT applications are used for security, such as biometric control of entrance, as well as vehicle control in the garage.

In industry, there are IoT projects for digitalization and robotization of factories, manufacturing of self-driving cars, etc. The so-called Industry 4.0 uses sensors with wireless networks to improve productivity in factories, control inventory conditions, monitor product transportation, as well as the environmental conditions of factories.

In the trade sector, IoT applications are used to monitor vehicle fleets, track containers in ports and ships, and control inventory in logistics distribution centers, among other uses.

In agriculture, it is present in smart irrigation, controlling agricultural equipment, tracking plantations with drones, and monitoring climate conditions. IoT is also used to monitor cattle grazing.

IoT is present in the health sector, allowing for remote monitoring of chronic patients and tracking of high-cost medication; sensors can also control the temperature of equipment such as surgical drills used in hip-replacement surgery, among other applications.

In the public sector, we have IoT projects for smart cities: public lighting networks with smart sensors, traffic-based traffic lights, etc.

In the financial industry, one of the applications of the Internet of Things is machine to machine communication, used for example by electronic payment companies, through mobile apps, on small devices.

New business models for IoT applications that perform financial services through machine to machine communication require knowledge of the sectoral regulation adopted by Anatel (the Brazilian Telecommunications Regulatory Agency). This is because the business may rely on a virtual network of a mobile communications operator, or not. The IoT application’s business model may or may not use frequencies of the spectrum.

In other words, IoT applications rely on the telecommunications infrastructure network. Hence the need to examine the IoT business model to know if it may require a permit as an added-value service of the telecommunications network or authorization to use the frequencies of the spectrum. Hence the regulatory role of Anatel in clarifying the regulatory framework applicable to IoT applications.

IoT: Security and Privacy Risks

The Internet of Things has the potential to collect the personal data of millions of people. There are possible risks to the security of personal data and privacy, with the remote monitoring of people’s consumption patterns, their location, behavior, preferences, and others by the technological devices.

Society must be aware of the hypervigilance risks caused by IoT networks, as well as the possible risks to digital freedom. Then, legislators can define in the proper laws the limits to IoT applications.

IoT Applications and the Demand for Connectivity Using the Telecommunications Infrastructure Network

The Internet of Things requires digital communications networks infrastructure. It needs high-speed data transportation networks and access networks.

The 5G internet network, a high-speed network (the average speed is 10 Gbps, in comparison to the current 100 Mbps) is vital for IoT. This 5G network requires mobile telephony antennas and fiber optics, and cloud-based software solutions.

Challenges to the Regulation of IoT Applications

In Brazil, IoT is not yet regulated.

The law must regulate the matter, through laws and decrees, along with self-regulatory measures by the companies that offer IoT devices.

In addition to regulation, the government must also provide incentives for the private sector to make investments in IoT network infrastructures.3

In Brazil, the Internet of Things is only mentioned in Decree No. 9.319/2018, that institutes the national digital transformation system.

This Decree deals with matters such as internet access and data transportation networks by mobile and landline broadband, the digital transformation of the economy, professional education and training, data-based economy, new business models.

Decree No. 9.319/2018 only mentions the following: “by recognizing the transformative potential of the Internet of Things applications, actions and incentives must be set to allow for the continuous evolution and dissemination of such devices and the associated technologies”.

Anatel: Public Consultation on the Regulation of IoT Applications

Anatel recently opened Public Consultation No. 31, of September 2018, to reexamine the regulation to expand IoT applications.

The regulatory agency presented the following themes for assessment of regulatory impact: a) granting of IoT services based on new business models; b) rules for providing IoT services; c) the matter of taxation and licensing of IoT services; d) numbering to meet the demand of IoT devices (used to address and identify these devices in any network in the world); e) the cyber security of IoT devices (certification and approval of IoT devices); f) the spectrum band available for IoT (and, also, non-monetary bids for new frequencies); g) broadband infrastructure to support IoT services; h) domestic roaming agreements, given the offering of IoT services based on global connectivity providers.

Anatel mentions the National IoT Plan, and the IoT Chamber, established in the form of Decree No. 8.234/2014, as one of the grounds used to open the matter to public consultation. This Decree regulates Article 38 of Law No. 12.715/2012, which deals with the taxation of machine to machine communications. According to that norm, the Ministry of Communications (currently, the Ministry of Science, Technology, Innovation, and Communication) will create a chamber to manage and monitor the development of machine to machine communication systems. Under this Decree, Anatel will regulate and monitor compliance with its provisions.

According to Anatel, the purpose of the IoT Chamber is to manage and monitor the development of machine to machine communication, to apply Article 38 of Law No 12.715/2012, which deals with the taxation of machine to machine applications. Note that the law refers solely to the issue of taxation of IoT applications.

Still, according to Anatel, some IoT/M2M (machine to machine communication) business models do not fit the typical features of telecommunications services, as per the current regulations. Hence the need to adjust the regulation of IoT/M2M services.

The regulatory agency also points out the lack of flexibility of the regulation for personal mobile services (SMP), through virtual networks for IoT applications.

According to Anatel, some IoT applications rely on personal mobile telecommunication services for support.

Telecommunication services are regulated based on the obligation burden of providing communication between people, hence the requirements of consumer protection and quality.

However, such consumer and quality obligations from telecom regulations do not make sense for IoT applications. Thus, one of the possible paths is establishing a differentiated scheme for IoT applications, with the possibility of the matter being defined in contract.

Also, the Mobile Network Operator (MNO) registration model requires being bound to a provider at the origin. However, this requirement does not make sense for IoT applications. Amongst the alternatives is establishing a differentiated scheme for IoT applications, through virtual networks, based on personal mobile services.4

Discussion on the Legal Qualification of IoT Applications

There is a discussion on the legal qualification of the Internet of Things.

The tendency is to qualify it as an added-value service of the telecommunications network. The concept of added-value service is in Article 61 of the General Telecommunications Act. However, it is distinguished from the concept of telecommunications services, which traditionally comprehends landline and personal mobile telephony services.

So, if the Internet of Things is qualified as an added-value service, it may be subject to the ISS municipal service tax.

However, if IoT is qualified as a telecommunications service, it will be subject to the ICMS State sales tax.

Bills for Tax Exemption of Machine to Machine Communication to Promote the Development of IoT and Application Business Models

There are some bills to remove taxation from IoT stations.5 Such is the case of Bill No. 7.656/2017.

The bill grants to Anatel the power to define the concept of machine to machine communication to apply the rule of tax exemption of the Contribution to Promote Public Radio Broadcasting and Contribution for Development of the Cinema Industry.6

It is difficult to delegate to the regulatory agency the definition of the concept of machine to machine communication for taxation purposes. The law must define this concept. This is required under the principle of strict legality. Otherwise, this leads to legal uncertainty in the practical application of the concept within the regulation of the Internet of Things, with the risk of judicialization of the matter.

The public consultation held by Anatel registers the issue of the application of the licensing fees for stations (TFI – fee for inspection of installation and TFF – fee for inspection of operations) that may make the IoT/M2M business models unfeasible.

There is a discussion regarding the alternatives, in the sense of exempting or applying zero rates to the licensing fee of IoT/M2M terminals, waiving the licensing of such terminals or taxation based on a percentage of the revenue of the business and not by device.

The Issue of Net Neutrality

Another regulatory challenge is the issue of Net Neutrality, stated in the Internet Regulatory Framework. With the implementation of IoT networks, there will probably be a demand for flexibility of net neutrality. For example, the Internet of Things related to communication between vehicles, giving priority to ambulance services, is cited as one such demand for flexibility of net neutrality.

For example, in the United States, given the legal ambiguity of the Communications Act, there is a controversy regarding Internet neutrality. Initially, the Federal Communications Commission, during the Obama administration, qualified internet connection services as telecommunication services to guarantee the obligations regarding net neutrality. Later, in the Trump administration, the regulatory agency removed net neutrality.

In Brazil, however, the concept of net neutrality is defined in the Internet Regulatory Framework.

Frequencies of the Spectrum

Another issue related to the regulation of IoT applications is defining the range of the frequencies of the spectrum to be used, the licensed and unlicensed range, to be decided by Anatel. For example, the Internet of Things depends on wireless communication networks.

Privacy and Security Standards of IoT Applications

Another regulatory challenge of IoT is defining the privacy and security standards of the data collected through landline and mobile devices. Regulation is also vital to protect the personal data of users of IoT applications.

In this regard, it must be highlighted that Brazil recently passed Law 13.709/2018 that deals with the protection of personal data, with rules for private companies and the public sector. There are also rules on the international transfer of personal data between companies.

If the IoT network’s architecture is not built correctly, there are severe risks to the security and privacy of the data transported by the networks. For security reasons, the digital identification of physical and virtual objects is essential.

International Scenario on Cyber Security and IoT

The matter of the Internet of Things is directly associated with the issue of cyber security.

In this regard, Anatel’s public consultation opened discussion on the issues of certification and approval of IoT devices.

For example, the United States passed the Internet of Things (IoT) Cybersecurity Improvement Act of 2017.

This North American legislation sets the standards for IoT devices purchased by federal agencies. Thus, the suppliers and operators of IoT equipment (such as the design of the microchips used in machines and networks) for the U.S. government and its agencies must adjust to the cyber security guidelines.

Also, recently, California passed Senate Bill – SB 327 to protect the privacy of information in connected devices (IoT).

According to the California Bill, the manufacturer of connected devices must follow reasonable security standards, according to the following aspects: appropriate to the nature and function of the technological devices, appropriate to the information collected, stored, and transmitted; designed to protect the device and any information stored from unauthorized access, destruction, use, alteration or opening, among other rules. If the Governor of California sanctions the bill, it will come into effect in January 2020.

According to its critics, the bill is the first step, even if it contains superficial and incomplete definitions of security. The critics say that the bill does not indicate security measures such as device certificates, code signatures, and firmware safety audits, purchased from IoT suppliers that buy them from suppliers abroad. The bill also does not define liability in case of unauthorized access through coded encryption keys.7

Thus, the matter of the Internet of Things is directly associated with the issue of national cybersecurity in light of external threats. Cyber-attacks to public and private networks by hackers present challenges to national security.

Finally, in the United States, there are rules for IoT security set by the National Congress that must be followed by the industry. Over there, they are also debating whether there should be mandatory certification of IoT devices.

To better understand the context, the United States has adopted measures to prevent China from buying American technology companies (mobile phone and computer chip manufacturers). In addition to the issue of international competitiveness, there are allegations of risks to national security. The United States is concerned with the 5G network, specifically with it being dominated by foreign companies, above all Chinese companies. Hence the trade war between the United States and China in this cyber security realm.

The matter must be seen from the context of the big picture, as characterized by the trade war between the United States and China for technological leadership.

China has a program called Made in China 2025 with clear objectives to obtain its technological independence by manufacturing cell phone chips, robots, and the digitalization of its industry. Hence the international discussion around intellectual property, technology transfer, cyber security, etc.

Opportunities in IoT Applications

IoT holds tremendous opportunities for telecommunication companies, internet connection providers, and for the companies that explore this type of business. It creates demand for the creation of data centers and the implementation of more networks of cellular antennas.8 There are even credit facilities for IoT startups through the Brazilian Development Bank – BNDES (via Finep).

IoT applications present challenges and opportunities for device manufacturers, network operators, and startups with new business models.

In sum, the regulation of the Internet of Things has significant repercussions in the present and near future.

_______________________

1 According to the International Telecommunications Union, the internet of things is: “a global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies (ICT)”.

2 Problems have been reported regarding the security and privacy of people due to the use of technological devices that can record all conversations held close to the equipment. There are even cases of baby monitors that monitor children and homes being hacked. Hence, in the United States, consumers are demanding security and privacy measures for IoT products. The United States Senate, through its Committee on Commerce, Science, and Transportation, held a public hearing on the matter of guarantees to protect consumers’ privacy. It called representatives of the companies AT&T, Amazon, Google, Twitter, Apple, and Charter. In sum, the technology companies support a federal bill to protect the consumers’ right to privacy, to avoid having the North American States passing laws on the same matter. Amazon’s representative gave a statement on Alexa, a cloud-based voice service. According to him, when Alexa is activated, the consumer is informed that the cloud-based audio streaming service is in operation; also, that the device can be turned off through Echo/Alexa’s microphone button; and, finally, that the Echo hardware and Alexa’s service were designed to allow control by the consumer.

3 Google has announced that it will invest USD 140 million to expand its datacenter in Chile. It is the first Google datacenter in Latin America that will operate as infrastructure to offer cloud computing services. According to the press, Chile was chosen given the favorable environment for foreign investments, a clear regulatory framework, and renewable energy sources.
Brazil lost the opportunity to attract this type of investment from a global company, that would create jobs and generate income in the country. This fact attests to Brazil’s delay in establishing a policy to promote investments in datacenters in Brazilian territory and, accordingly, to compete in the international market.
India, in its turn, has recently passed a law requiring foreign technology companies to store their users’ personal data in Indian territory. The law has an impact on companies such as Facebook, PayPal, Mastercard, and others.

4 Anatel, in July 2018, authorized the company Safra Telecomunicações to operate as a Mobile Virtual Network Operator (MVNO).

5 Article 38. The value of the Fee for Inspection of the Installation of Mobile Stations of Personal Mobile Services, Cellular Mobile Services or any other telecommunication service, as per Law No. 5.070, as amended, that integrate machine to machine communication systems, as defined in the regulation to be issued by the Executive Branch, is set at BRL 5.68. (Regulation) Sole paragraph. The Fee for Inspection of Operations will be paid annually, by March 31st, and its value corresponds to thirty-three percent of the Fee for Inspection of the Installation.

6 In its turn, Decree No. 8.234/2014, which regulates Article 38, of Law No. 12.715/2012, defines the following: “Article. 1. For the purpose of the provided in Article 38, of Law No. 12.715, of September 17, 2012, machine to machine communication systems are deemed to be the devices that use telecommunication networks to transmit data to remote applications, without human intervention, with the purpose of monitoring, measuring, and controlling the device, the environment around it, or the data systems connected thereto through such networks”.

7 The press recently announced a security breach by Amazon that allegedly leaked the access code to the company’s system.

8 The press recently published that Google is expanding its data center in Chile. The choice to invest in that country was due to its political stability, the regulatory framework to attract private investments, and economic stability.

Article published on the legal portal Migalhas Internacional on 09/10/2018.


Brazilian Personal Data Protection Act: examining its impact on the subjects of personal data, companies in charge of personal data processing, and the public sector

Brazil has passed Law 13,709/18 on personal data protection.

It contains rules for both the public and private sectors regarding the collection, processing, treatment, and sharing of personal data.

However, recently, the President of the Republic indicated several vetoes to the bill passed by the National Congress. Among these vetoes: the creation of a regulatory agency for personal data protection (Articles 55 to 59), the rules of data sharing by the public sector and private companies (Articles 23, item II, 26, item II, paragraph 1, and Article 28), sanctions of complete or partial suspension of the operation of the database and suspension of the exercise of personal data processing activity, and partial or complete prohibition of exercising any activities related to data processing (article 52, items VII, VIII, and IX). We shall examine these vetoes further on in this text.

The law on the protection of personal data is adapted to the context of the evolution of the technologies based on digital platforms, big data, artificial intelligence, and machine learning.

The legislative regulation of this matter is critical because corporate self-regulation is not enough to resolve the complex issues related to personal data protection.

As an illustration of the above, we have the scandal between Facebook and the company Cambridge Analytica regarding the improper collection of the data of millions of users of that social network, as well as third-party personal data.

In the United States, there was also news about a lawsuit against Google due to the illegal monitoring of millions of iPhone and Android users. According to such lawsuit, Google does not disable the user’s location history. This business practice violates the privacy laws of the State of California, according to the plaintiff. This is a typical case related to the protection of personal data and privacy.

Also, the media often reports on the invasion of personal databases and the leak of such data, under the responsibility of public authorities and private companies.

In Brazil, for example, a security breach was reported in the E-Health application of the Ministry of Health, with the exposure of the personal data of thousands of Brazilians that use the Unified Public Health System (“SUS”), with the display of the patient’s medical information, medication use history, and appointments in the public health service.

This theme is inserted in the context of the risks of cyber-attacks by hackers, with threats to personal data security and privacy. Therefore, the law is intended to prevent this kind of abuse against the rights to personal data protection.

Personal data is information on your private life (ID, image, location, and health, among others), financial life (existence of bank or credit card debts, etc.), among other aspects.

Currently, personal databases are a source of economic value to private companies. For the public sector, they are essential to the implementation of public policy in several areas, such as public health.

According to the law mentioned above, in its Article 5, sensitive personal data are those related to ethnic or racial origin, religious beliefs, political opinions, affiliations to trade unions or religious organizations, health-related data, genetic or biometric data, sexual orientation.

The foundations of the Brazilian Data Protection Act are laid out in its Article 2: the respect to privacy, informative self-determination, the freedom of expression, information, communication, and opinion, the sanctity of privacy, honor, and image, economic and technological development and innovation, free enterprise, free competition, and consumer protection, human rights, the free development of personality, dignity, and the exercise of citizenship by individuals, among other things.

The law is applicable to personal data processing operations, regardless of the means, the country of the processor’s headquarters, or where the data is located, provided that the processing operation takes place in Brazilian territory, the purpose of the data processing activity is the offering or provision of goods or services or the processing of data of individuals located in Brazilian territory, or the personal data being processed was collected in Brazilian territory (article 3, items II and III). Also, the personal data whose subject is in Brazilian territory at the time of their collection will be deemed as having been collected in Brazil (art. 3, paragraph 1).

This Personal Data Protection Act impacts several companies from industries such as telecommunications, internet applications, such as social networks, search engines, video sharing websites, financial institutions, e-payment companies, startups in the technologies and government sector (govtech), digital marketing companies, hospitals, among others.

For example, in the financial sector, there is a trend towards the opening of banking data (open banking) to increase competition in that sector. So, if the Brazilian Central Bank regulates the issue appropriately, the traditional banks will have to share the account-holders’ personal information with credit and financing companies, such as the startups known as fintechs.

In the business realm, the application of this law creates demands for the hiring of executive professionals for database management. It also creates a need for the creation of compliance rules with the companies and the respective bodies of enforcement.

This federal law also applies to the public sector, containing rules on the sharing of personal data in databases administered by government agencies. Example: the data from people registered in the public health system.

The law, however, does not apply to personal data processing performed by an individual for private and non-economic purposes, carried out exclusively for artistic and journalistic, or academic purposes, or held for the sole purpose of public safety, national defense, data security, criminal investigation and repression activities (Article 4).

In the context of international regulation, Europe has the General Data Protection Regulation (GDPR). Each European country has an agency that regulates personal data protection.

There are questions as to the application of the European legislation. Online advertising companies that use personal data such as the location of the users of applications on mobile phones are concerned with the compliance rules to be adopted. On the other hand, media companies are seeking alternatives to address the dispute with technology companies, focused on digital advertising.

The United States, in its turn, does not have a general personal data protection law. There, the Federal Commerce Commission, the American regulatory agency responsible for enforcing loyal trade practices between businesses and consumers, regulates the issue of consumers’ personal data and applies sanctions against potential abuses committed against consumer rights. For example, the Federal Commerce Commission has entered into several settlements with Google and Facebook concerning consumer privacy protection.

The law referenced above holds the requirements for personal data processing, upon consent by the data subject. In other words, the permission of the owner of the personal data is a condition for its valid use, according to the law.

According to the law under examination, in its article 5, item X, personal data processing is the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, elimination, information assessment or control, modification, communication, transfer, dissemination, or extraction of such data.

The principles of personal data processing activities laid down in Article 6 include: purpose (identification of the legitimate and specific purpose informed to the owner), fitness (compatibility of the processing with the purposes informed to the subject), need (limiting processing to the minimum required to achieve its purposes), free access (guarantee that the owners will have easy and free consultation regarding the form and duration of the processing), data quality (assurance of precision, clarity, relevance, and updating of the data, as needed to achieve the purpose of the processing), and transparency (assurance of clear, precise, and accessible information to the owners on the performance of the processing, respecting business and industrial secrets).

Personal data may be processed to comply with legal or regulatory obligations. For example, employees’ personal data, such as name, address, vacation periods, benefits, and leaves, are subject to mandatory registration before public authorities (known as e-social). Another example is the sharing of the personal data of users of telecommunications and internet services, between private companies and Anatel (the Brazilian Telecommunications Regulatory Agency) for the purpose of public policies on communications.

The public administration may also process personal data required to enforce public policies. Example: public taxation policies, by sharing the personal data of citizens for tax collection purposes.

Personal data processing is also allowed for credit protection. Example: the Brazilian Credit Protection System (Serasa and SPC), used by the trade, industry, and service sectors.

Another permitted use is in the regular exercise of rights in lawsuits or administrative or arbitration proceedings. Given the current context of electronic proceedings, there is a demand for proper processing of personal data to protect rights before the Judiciary and/or the Public Administration.

Article 11 of the Law deals specifically with the processing of sensitive data.

For example, in this respect, the following rule is stated in Article 11, Paragraph 3: “The shared use or communication of sensitive personal data between controllers with the purpose of obtaining economic benefits may be subject to prior authorization or regulation by national authorities, upon hearing the proper sectoral agencies.”

This legal provision may be applied, for example, by the Brazilian Agency of Supplementary Healthcare (“ANS”) to restrict the sharing of sensitive personal data, such as using personal data in medical records and clinical history that may be used by healthcare plans to check for pre-existing diseases.

The processing of the personal data of children and teenagers requires specific consent by one of their parents or legal guardians, as per Article 14, Paragraph 1. For example, children and teenagers will need the consent of one of their parents to have access to YouTube.

The data subject has the right to obtain confirmation of the existence of the processing of their data, access to their data, correction of incomplete, inaccurate and outdated data; and de-identification, blockage or erasure of unnecessary or excessive data, or of data processed in breach of the provisions of the law, portability of personal data to another product or service supplier, elimination of personal data treated with the data subject’s consent, as per article 9 of the law.

Regarding the processing of personal data by government, the law states that the shared use of personal data must be consistent with specific ends associated with the execution of public policies and duties by public bodies and entities, according to the personal data protection principles established in Article 6 of the law.

However, the government is forbidden from transferring personal data stored in databases under its management, or to which such entities may have access, to private entities, except in those cases in which processing is outsourced to private entities, as per Article 6, Paragraph 1, item I. Sharing is also authorized in the case of legal provision and when the transfer of personal data is based on contracts, agreements or similar instruments.

But, according to the presidential veto, the cumulative requirement (legal and contractual provision) hinders Public Administration, because “several procedures related to the transfer of personal data are detailed in normative acts, such as the processing of the public servants’ payroll by private financial institutions, the collection of fees and taxes, and payment of social security benefits, among others”.

Also, in the event of public access to personal data, sharing is possible, within the limits of the law.

According to Law No. 13.709/18, in its article 5, item XVI, shared use of data is the disclosure, dissemination, international transfer, interconnection or shared processing of a database by public bodies or entities, when in fulfillment of their obligations, or among public agencies or entities and private entities, with specific authorization, for one or more classes of processing assigned by such public entities, or between private entities.

According to the presidential veto, the prohibition of sharing information identifying the personal data of the subject applying to have access to information hinders the functioning of the Public Administration.

The veto cites, as an example, the sharing of the Social Security database and the National Registry of Social Information. The veto claims the hindering of activities related to the administrative power of police, such as investigations within the National Financial System.

The disclosure and shared use of personal data between public entities and private entities require the data subject’s consent, except for the legal waivers of consent in the cases of shared data use, with extensive publicity, as per article 27 of the law.

However, according to the presidential veto, unrestricted communication or advertising of shared personal data use among government agencies can hinder the regular exercise of some public actions of surveillance, control, and administrative police.

Under the law, the processing of personal data by notarial registry services must follow the rules applicable to the public sector. The bill also provides that these notarial and registry services must provide the public administration with access to such data, by electronic means.

State-owned companies and quasi-public corporations which operate in a free competition environment will be bound by the same rules as those enjoyed by private entities. For example, public banks must follow the provisions of the law under examination.

There is a specific chapter on the international transfer of personal data, starting with Article 33. The international transfer of personal data will only be allowed to countries that afford a level of personal data protection equivalent to that of the law.

The international transfer is also allowed when the data controller offers sufficient guarantees of compliance with the general principles of protection and with the rights of the data subjects, presented in contractual clauses approved for a specific transfer. It is likewise allowed when the international transfer of data is necessary for international judicial cooperation between public intelligence and investigation agencies, under international rules and laws, or when the transfer of data is required for the protection of life or the physical safety of the data subject or a third party.

In the specific chapter on security and best practices for protecting data confidentiality, there is a provision on security incidents, in which case the data controller shall notify the competent public body within a reasonable term. If necessary, the relevant public body may order a broad disclosure of the fact in the media and/or measures to revert or mitigate the consequences of the damage.

There are also legal provisions on the liability and compensation for damages caused by personal data controllers and/or processors. The data controller and data processor are jointly and severally liable for damages caused to the data subject and the cases of waiver of such legal liability, according to Article 42 of the law.

As for the supervision of the personal data processing activities, Article 52 provides several administrative sanctions to be imposed by the competent public body: warning, simple or daily fine up to 2% of the billing of the private legal entity, limited to BRL 50,000,000.00; publication of the violation after it has been adequately verified and confirmed; blockage of the personal data subject of the breach until its regularization; erasure of the personal data subject of the breach; total or partial suspension of operating databases, for a period not exceeding 6 months; suspension of personal data processing operations, for a period not exceeding 6 months; total or partial prohibition of data processing related activity.

The President of the Republic vetoed the sanctions of complete or partial suspension of the operation of the database, suspension of the exercise of personal data processing activity, and partial or complete prohibition of exercising any activities related to data processing.

According to the veto, these administrative penalties of suspension or prohibition of the operation/exercise of data processing activities can lead to “uncertainty for those responsible for this information, as well as make it impossible to use and process databases essential to various activities, such as those used by financial institutions, among others, which may jeopardize the stability of the National Financial System.”

The law creates the National Data Protection Authority, a federal agency bound to the Ministry of Justice.

There is undoubtedly a need for an independent regulatory agency specialized in personal data protection. The specialization of the matter requires the creation of a regulatory agency. By the way, this is the European model, where each country has a regulatory agency for personal data protection.

However, the President of the Republic vetoed this provision that creates the regulatory agency for personal data protection, on the grounds of formal unconstitutionality, given a flaw of initiative in the matter, which is reserved for the Head of the Executive Branch.

According to media reports, the President of the Republic will submit a new bill or even a provisional measure to create the National Data Protection Agency.

Note that the lack of a regulatory agency undermines the effectiveness of the law and its enforcement.

It is clear that the absence of an independent authority to supervise the law will leave personal data unprotected.

Also, the law provides for the Personal Data and Privacy Protection Council (Articles 58 and 69).

However, these legal provisions have been vetoed by the President of the Republic.

Finally, Law N. 13.709/18 alters the Internet Regulatory Framework in two aspects.

On the one hand, it provides for the right of permanent deletion of the personal data provided by users to a particular internet application at the end of the relationship between the parties, except when the law requires mandatory storage of records.

On the other hand, there is the right to permanent deletion of personal data that are excessive in relation to the purpose for which consent was given by the data subject, notwithstanding the legal caveats.

“Law N. 13.709/18 will come into force in 2020, 18 months after its official publication” (Article 65). Therefore, there is a reasonable time for adjustment to the legal regulations.

In conclusion, there are several challenges for the effectiveness of the Brazilian Personal Data Protection Act, among them the veto to the creation of the National Agency for Personal Data Protection. International best practice, as set out in the European model, points to the existence of independent and efficient regulatory agencies, committed to the public interest. Hence the urgency in solving this severe problem regarding the lack of a regulatory agency for Personal Data Protection.

Published on the legal portal Migalhas Internacional on 03/09/2018.