PRIVACY

The Massive Brazilian Data Leakage and International Human Rights Law

By the end of January 2021, Brazilian news outlets were announcing a major data leakage of the CPF (Código de Pessoa Física, in Portuguese, the Brazilian equivalent to a Social Security Number and Tax Identification Number). 

By Julia Cirne Lima Weston

February 28, 2021

The Leakage

Two leakages have been registered, one of them containing 223 million CPF numbers, as well as full name, gender, date of birth, and vehicle registry, circulating on the internet freely; and the other including information on social benefits, which is being sold to criminals.  As the number of CPFs transcends the total number of the Brazilian population, now estimated to be around 212 million people, it is likely that information belonging to the deceased has also been made public.  This event has, of course, major repercussions on the Human Rights of the Brazilian population. It is important to understand which of those are seen as having been affected, in order to make the affair notable internationally and to call upon best practices for safeguarding said data. 

This problematic situation of data leakage comes not so long after the creation of the Brazilian General Law on Data Protection (LGPD), which was homologated in 2018. The law, among other issues, regulates the usage, transfer and storage of data by public and private actors alike.  In terms of content, it does not deviate much from the basics of its international predecessor, the notable European Union General Data Protection Regulation. 

A noteworthy aspect to keep in mind for this brief article can be found on the foundations of the Brazilian LGPD, one of which is that of Human Rights, including “free development of the personality, dignity and the exercise of citizenship by natural persons”.  As such, Brazil has a national regulation which protects personal data, both in private and public settings, in a legislation guided by Human Rights. With such a leak, we have a breach of Brazilian Law. But how about the international law aspects, if any, of such a leakage?

The Applicable International Human Rights 

As we speak of data, we speak of personal information and, consequently, of privacy. As such, this article, with basis on General Comments from the Human Rights Committee and a General Report of the High Commissioner for Human Rights, argues that there is a breach of the International Covenant for Civil and Political Rights (ICCPR). The ICCPR’s article 17 foresees that there shall be no unlawful or arbitrary interference with one’s privacy, something which shall be protected by law against interference and attacks. Brazil, among other Latin American States, is also a party to the American Convention on Human Rights. A similarly worded provision to the ICCPR is also contained in this document, on its article 11. 

The Report of the Office of the United Nations High Commissioner for Human Rights on the right to privacy in the digital age specifically applies said ICCPR article to the issue of technology and data transfer, among other situations brought forward by digital platforms.  General Comment number 16 of the Human Rights Committee applies this to attacks and interference emanating both from State authorities or other natural or legal persons, and requires States to adopt legislation and other measures to increase protection and give effect to the prohibition in question.  A relevant excerpt from General Comment 16 to this issue reads as follows: 

"Effective measures have to be taken by States to ensure that information concerning a person’s private life does not reach the hands of persons who are not authorized by law to receive, process and use it, and is never used for purposes incompatible with the Covenant. "

As such, according to the understanding of International Human Rights Law, effective measures should have been taken by Brazilian authorities to prevent said exposure of its citizens’ private information. As this is a rather recent event, there are no conclusive investigations on the matter and on the measures to be taken by authorities. However, it is important that Brazil considers these dispositions when investigating and remediating said occurrence. It is also important that this is taken into consideration when formulating better policies for data protection in the future within the Brazilian legislative, as another occurrence of the sort can harm Brazil’s reputation globally in terms of data protection.

Julia Cirne Lima Weston is an LL.M graduate in International Law from University College London and is a qualified lawyer at the Brazilian Bar Association.