14 May THE GOVERMENT’S DIGITAL STRATEGY AND ITS POSSIBLE IMPACT TO DATA PROTECTION IN BRAZIL
On April 29, 2020, Decree No. 10.332/2020 was published, which sets forth the Goverment’s Digital Strategy (“Strategy”) for the period from 2020 to 2022, within the scope of the bodies and entities of the direct, autarchic and foundational federal public administration.
The Strategy resulted from a public consultation process carried out in November, 2019. According to the Federal Government, there were three hundred and twenty (320) contributions and engaged over one hundred and fifty (150) participants from thirty-two (32) different public and private organizations.
The policy provides for the creation of a Digital Governance Committee (“Committee”) in each of the bodies and entities of the federal public administration, to deliberate on matters related to the implementation of digital government actions and the use of information technology resources and communication.
Among the members, the Data Protection Officer (“DPO”)[1] from each agency must necessarily be appointed and participate.
The Strategy also determines that each entity of the federal public administration prepare a Digital Transformation Plan, which should contain, at least, a description of public services digital transformation actions, the unification of digital channels and interoperability of the system.
This guideline meets the main objective of the Digital Government Strategy, which is to guarantee the transformation of all public services that can be digitized by 2022. This is the policy’s main goal.
Furthermore, there must be prepared by the institutions two (2) other documents, which are: (i) an Information and Communication Technology Master Plan; and (ii) an Open Data Plan, under Decree No. 8.777/2016 that instituted the Federal Executive Branch’s Open Data Policy.
Decree No. 8.777/2016 and Decree No. 10.332/2020 do not specify whether personal data and sensitive personal data of citizens, eventually collected by Public Administration bodies, are included in the Open Data provision and whether they will be susceptible to the availability measures, granting free access by interested parties from the society in general and by other public bodies, and to the sharing and interoperability between Federal Public Administration bodies.
The Strategy also carries other relevant changes in terms of data protection and to the privacy of Brazilian citizens who may have their data collected and processed under this new policy.
First, it is important to highlight the changes promoted to Decree No. 10.046/2019, which establishes, among other measures, the Citizen Database Registry.
The Citizen Database Registry was an extremely criticized measure at the time of its edition for establishing the centralization of information of millions of users of public services in a unified database registry under the government’s control, without having a clear definition about the purposes of the use or, still, limitations provided for in the standard to the processing of personal data and sensitive personal data.
It has been inserted in the Decree No. 10.046/2019 definitions of some of the legal concepts provided for by it, such as: “information and communication security requirements”, “data requester” and for the concept of “database registry” (as per the Decree).
A 10th article was also inserted to Decree No. 10.046/2019, which establishes: (i) the disclosure by the “data managers” of the data sharing mechanisms and database registries under their responsibility and (ii) the possibility to public entities and agencies of creating new ones, only when the possibilities of using existing base records have been exhausted.
Notwithstanding the changes may limit the scope of the agencies’ activities, many of the central prerogatives of the Citizen Database Registry remain unchanged, such as, for example, sharing and free access between Federal Public Administration bodies to data collected from citizens. It is important to highlight that the access right remains, even if the data are protected by secrecy or is not available in an “open frame”, in addition to reaching the Citizen Database Registry, which, as mentioned, will gather the information that will allow the identification of millions of citizens for purposes that are not fully clarified, nor delimited.
Besides, there are other several solid initiatives and goals established by the Digital Government Strategy. These initiatives can result in positive impacts on the digital transformation of public services, for example, the objectives of:
(i) Simplifying and optimizing the opening, modification and extinction of companies in Brazil, so that these procedures can be carried out in a single day, until 2022;
(ii) Integrating all States to the Gov.br Network, by 2022;
(iii) Consolidating in one Federal Government account all mobile applications available in stores, until 2020;
(iv) Expanding the use of the gov.br single login for one thousand (1000) digital public services, by 2022;
(v) Implementing means of digital payments for at least thirty per cent (30%) of digital public services that involve billing, by 2022;
(vi) Implementing artificial intelligence resources in at least twelve (12) federal public services, by 2022;
(vii) Making available at least nine (9) data sets through blockchain solutions in the federal public administration, by 2022;
(viii) Implementing a mechanism to personalize the offer of digital public services, based on the user’s profile, until 2022;
(ix) Providing two (2) million biometric validations monthly for federal public services, by the end of 2020; and
(x) Making available a digital identity to the citizen, with the expectation of issuing forty (40) million of them, by 2022.
In terms of data protection, the Digital Government Strategy foresees as an objective the implementation of the LGPD within the scope of the Federal Government through two specific initiatives, namely:
(a) Initiative 10.1.: Provide conformity methods with the requirements of the Brazilian General Data Protection Law, by 2020.
(b) Initiative 10.2.: Provide a platform for managing the privacy and use of citizens’ personal data by 2020.
Initiative 10.2, at first glance, may offer a useful tool to the Federal Public Administration bodies for assuring some of the data subjects rights, provided for in article 18 of the LGPD, such as confirmation of the existence of processing, access to data, correction of incomplete, inaccurate, or outdated data, among others, and also to the principle of transparency (article 5, VI).
However, the absence of previous limitations in the Digital Government Strategy for the processing of personal data and sensitive people data creates risks in several of initiatives provided and a legitimate insecurity sensation regarding possible policies that will be developed based on data collected from millions of Brazilian citizens.
It is worth noting that the public policies developed under the Digital Government Strategy will have access to the data from the Citizen Database Registry, which is even, inclusively, one of its declared initiatives “to increase to twenty (20) the number of parameters in the Citizen Database Registry, by 2022”.
For this reason, it is legitimate to raise a flag on these initiatives, which at first can have positive effects, but also have the potential to violate fundamental rights, such as privacy, as well as major LGPD devices.
In this panorama are mainly inserted the initiatives that may be associated with the processing of personal data (items i, ii, iii, iv and v, hereinabove) and sensitive personal data (items ix and x), as well as the initiatives that provide for the implementation of artificial intelligence tools (vi), data aggregating technologies (vii), or methods user’s profiling (viii).
[1] The DPO is the person appointed to act as a communication channel between the data controller, the data subjects and the National Data Protection Authority (“ANPD”), as provided in article 5, VIII of the Brazilian General Data Protection Regulation (“LGPD”).
This article is intended exclusively to provide information and does not contain any opinion, recommendation or legal advice from KGV Advogados concerning the matters here addressed. Copyrights are reserved to Kestener, Granja & Vieira Advogados.
No Comments