Summary Report on the judgement of ADPF nº 403 and ADI nº 5.527: The WhatsApp Case

SUMMARY REPORT

by Paulo Henrique Atta and Thiago Moraes

On May 26th and 27th, 2020, the Brazilian Federal Supreme Court (STF, its Portuguese acronym) started the judgement of the following constitutional lawsuits: the Unconstitutionality Direct Action (Ação Declaratória de Inconstitucionalidade – ADI) nº 5.527 and the Request for Non-Compliance of Fundamental Principles (Arguição de Descumprimento de Preceito Fundamental – ADPF) nº 403. While the requests were relatively different, both actions were intended to discuss the interpretation of articles 10 and 12 of the Brazilian Civil Rights Framework for the Internet (Marco Civil da Internet – MCI), in light of the fundamental rights of communication and freedom of speech, granted by the Brazilian Constitution (Constituição Federal – CF), article 5, number IX [1].

These cases were motivated by successive suspensions of the instant messaging application WhatsApp, as ordered by different state judges. In one of the most notorious cases, in 2016, a judge from the state of Sergipe ordered the company to release the conversation logs exchanged between defendants in a criminal investigation, thereby breaking the secrecy of their communication. The company denied the request and, based on the MCI, Article 12, Number III [2], the district court ordered the suspension of its activities in Brazil for 72 hours.

During the current trial, the company WhatsApp Inc. alleged that blocking the mobile app throughout the Brazilian territory would harm citizens' freedom of communication and freedom of speech. Furthermore, it claimed that it is unable to access the data from the messages exchanged between its users, due to the implementation of end-to-end encryption on its communication services. Thus, complying with the court order was not possible.

Assisted by the Laboratory of Public Policy and Internet – LAPIN, the Instituto Beta para Internet e Democracia – IBIDEM acted as amicus curiae in the present case. During the trial, it stressed that the sanctions established in the MCI should be applied only if the defendant company acts against its users’ rights to privacy and data protection. Therefore, punishing a company for not assisting with a criminal investigation was beyond the scope of the discussed norm.

Justice Rosa Weber, rapporteur of ADI nº 5527, praised the MCI for its mechanisms protecting the fundamental rights of privacy and data protection. She highlighted the pivotal role of network communications and smartphones in contemporary life, and the relevance of the protection of privacy in this context. Thus, an attempt to violate users’ privacy without legal safeguards (e.g. by sending this data to public officers without due legal process) may harm the safety of their personal information, exposing them to malicious users.

Moving on, the Justice explained that the right to privacy protected by the Brazilian Constitution should not be interpreted solely as the right to be left alone, a negative aspect of this right that allows an individual to shield their personal life from the eyes of others. The protection of privacy is an essential factor of contemporary society and any unjustified intrusion must be prevented and punished, even if this intrusion originates from the State.

Furthermore, the secrecy of private communication is strictly connected to the right to privacy. This right to secrecy may be temporarily diminished only by a court order, in accordance with the due process of law. And even then, the data subject’s fundamental rights and the technical limitations of the company that processes the defendant's personal data must be respected when complying with the court order.

According to Justice Weber, article 10 of the MCI [3] provides a normative framework to secure the fundamental right of privacy according to the Constitution. However, if the company that provides the instant messaging service cannot access content data because of techniques it has put in place to provide security and privacy to the user, such as end-to-end encryption, the impossibility of complying with a court order does not mean acting against the law. Furthermore, requiring these companies to implement backdoors to allow compliance with the court order means exposing these data to unnecessary data breach risks.

Finally, Justice Weber ruled that, according to the MCI, the sanctions of suspension and prohibition of service must be applied only if the company acts against the rights to privacy and data protection and not if it disobeys a court order from a criminal investigation, as long as there is a justified reason for the non-compliance.

In turn, Justice Edson Fachin, rapporteur of ADPF nº 403, structured his vote by posing the following question: does the public risk related to the implementation of encryption justify its prohibition, or even the creation of exceptional means to access users’ data (i.e. backdoors), thus reducing the level of protection on communication services?

In an elaborate 76-page vote, the Justice stated that all rights granted to citizens offline must equally be protected online. In other words, digital rights are also fundamental rights. On the Internet, privacy is not only about intimacy, but also a safeguard for freedom of speech. Therefore, any attempt to reduce this right of privacy, even if momentarily, must be soundly based and follow the due process of law. Any invasion that does not follow these steps is, thus, illegal. Referring to LAPIN and the Instituto de Tecnologia e Sociedade – ITS-Rio (another amicus curiae of the case), he highlighted that the MCI was aimed at enforcing data protection rights.

Encryption technology emerged as a response from citizens to protect their privacy from intrusions. It is true that implementing this technology creates some risks, such as extra costs for criminal investigations. This occurs because encryption reduces the capacity for monitoring and interception, measures widely applied during these inquiries.

However, Justice Fachin warned that any attempts to bypass this technology by implementing backdoors or “man in the middle” attacks create mass security breaches. Therefore, the risks related to the use of encryption are outmatched by the risks related to the implementation of bulk interception. Any prohibition of end-to-end encryption is unconstitutional, because such an order would disproportionately harm the most vulnerable citizens.

The trial, even though not finished, already sets a significant benchmark in the history of Privacy and Data Protection in Brazil. One fundamental statement has already been pronounced: encryption is a fundamental ally in the enhancement of digital rights, and so any attempt to reduce it would be against democracy and would institute a state of surveillance.

REFERENCES

[1] Article 5. All persons are equal before the law, without any distinction whatsoever, being ensured to Brazilians and foreigners residing in the country the inviolability of the rights to life, to liberty, to equality, to security and to property, on the following terms:

IX – the expression of intellectual, artistic, scientific, and communications activities is free, independently of censorship or license; (free translation)

[2] Article 12. Without prejudice to other civil, criminal or administrative penalties, the violation of the rules laid down in Articles 10 and 11 shall be subject, as appropriate, to the following sanctions, applied individually or cumulatively:

III – Temporary suspension of activities involving the acts specified in Article 11; or (free translation)

[3] Article 10. The retention and release of connection and access logs to Internet applications, to which this Act refers, as well as of personal data and the content of private communications, must meet the protection of intimacy, private life, honor and image of the parties directly or indirectly involved.

§ 1st The provider responsible for the retention will only be required to provide the aforementioned logs, alone or combined with other information that may contribute to the user or the device identification, upon court order, as set forth in Section IV of this Chapter, respecting the provisions of Article 7. (free translation)
