** This post is one section of a more extensive piece on Brazil’s platform accountability and regulation debate. Click here to read the entire content.
Given the new obligations PL 2630 sets to providers, including specific rules for crisis situations, it's important to make it explicit that none of its provisions will imply changes in platforms' systems to introduce security vulnerabilities or undermine privacy protections by design. This is particularly crucial to preserve the features of end-to-end encrypted applications and avoid intents to weaken encryption's fundamental principles and protections.
In this sense, the 2016 Joint Declaration of Freedom of Expression Special Rapporteurs addressing government efforts to combat violent extremism underlines that States should not adopt, and should review, laws and policies that involve measures weakening existing digital security tools. Article 8 of PL 2630 already stipulates that measures providers implement in compliance with the bill should preserve information security and personal data protection. This is good, but the provision should go further to explicitly repel applications of the law seeking to introduce vulnerabilities in platforms' systems or make internet applications adopt any other measures that can systematically increase the risk of security incidents.
Moreover, the bill contains rules that expand existing data retention obligations. On this point, the 2015 Joint Declaration about crisis situations states that "requirements to retain or practices of retaining personal data on an indiscriminate basis for law enforcement or security purposes are not legitimate. Instead, personal data should be retained for law enforcement or security purposes only on a limited and targeted basis and in a manner which represents an appropriate balance between law enforcement and security needs and the rights to freedom of expression and privacy."
The most problematic language related to data storage obligations is found in Article 46 of PL 2630. The text requires internet applications to preserve metadata associated with all content that was removed or disabled in compliance with PL 2630 rules or judicial orders. Although it may seem, at a first glance, a "targeted" measure related to potentially offensive content, the volume of restricted content will likely be massive by the very nature and dynamic of user content creation on big platforms. If it makes sense to store the restricted content for a specific period, the bill's language is overbroad on the related metadata that applications would have to store along with such content.
As per Article 46, the storage obligation includes "any related data and metadata removed" along with the content, as well as the respective IP address, access logs, networking ports, subscriber information (e.g. name and address), "telematic data," and "other records and user information that can be used as probative material, including those related to the form or means of payment, if any." The storage period is 6 months, which can be extended.
Brazil's Data Protection Authority (ANPD) issued a statement criticizing the vague nature of provisions in the bill establishing the collection of personal data for criminal investigation purposes, with specific references to the language of Article 46. According to ANPD, "PL 2630/20 establishes data storage obligations for criminal investigation purposes using vague and imprecise expressions, which can lead to a disproportionate expansion of personal data collection, or even to abusive tracking and surveillance of personal data subjects." The Brazilian data protection authority highlights that government authorities must observe the need for setting the specific purposes for the processing of personal data, limit such processing to what is strictly necessary to achieve these purposes, adopt security measures proportionate to the risks involved, and ensure wide transparency of personal data processing operations. In this sense, ANPD recommends lawmakers review the bill's text to expressly and explicitly indicate which data may be collected.
Building on the principles of purpose, necessity ("data minimization"), and prevention of Brazil's Data Protection Law, the standard storage of metadata related to restricted content in the bill should not go beyond Marco Civil's data retention rules. With Marco Civil's retention of "access to application logs," which includes the user IP address, authorities can start an investigation and, within its proceedings, may request additional information or conduct further examinations as needed and depending on each case.