Knowledge Commons believes that the successful passage of a progressive Marco Civil will not only benefit Brazilian citizens and businesses but will provide an international precedent and a world’s best practice Internet policy framework that protects privacy, fights surveillance and guarantees freedom of expression and net neutrality. Such a document will inspire other governments attending the Global Multistakeholder Meeting on the Future of Internet Governance in Sao Paulo 23-24 April to agreeing to international and domestic reforms.
We therefore acknowledge and appreciate that the House of Representatives discussed and passed the Marco Civil Bill on March 25, 2014.
However, we have enduring concerns about the issue of mandatory data retention.
We believe there is a strong case for rejecting data retention
Data retention provisions in the Marco Civil radically and unnecessarily privilege national security concerns over the privacy and civil liberties of Brazilians – who are citizens first with basic rights and protections, and not merely suspects. While it is the government’s role to promote collective protection against identity theft, online crime and acts of political violence, Brazilian citizens have a legitimate expectation that the government will defend their democratic right to privacy, freedom of expression and freedom from arbitrary acts of state surveillance or coercion.
As technologists, we know that metadata is not trivial either in the quantity or quality of information contained. It would be misleading to minimize the significance of what can be learned through metadata because it could include information about telephone calls made, emails sent, information accessed online, or the location of mobile telephones. This information can be used to deduce very intimate details about a person’s associations, interests and activities. For example, one wouldn’t need to hear the conversation to make deductions about a phone call between a private individual and a divorce lawyer, or a cancer clinic, or a journalist.
Courts in Romania, Germany, and the Czech Republic have ruled that national data retention laws based on the 2006 European Data Retention Directive, are unconstitutional. A court in Ireland has referred a data retention case to the European Court of Justice and questioned the legality of the entire EU Data Retention Directive.
The vast amounts of data that would be retained poses a security threat because it would be vulnerable to theft and hacking by non authorized persons or governments, private entities or criminal actors.
There are legitimate surveillance activities and actors, and proper procedures provide them with license to act with proper oversight and warrants based on reasonable suspicion of wrong-doing.
Data retention is different from data preservation. Data preservation can be flagged on persons of interest by law enforcement and intelligence agencies, whereas data retention is wholesale on all citizens, who are treated as suspects, reversing the doctrine of “innocent before proven guilty”. Data retention should not be used to address inefficiencies in the data preservation mechanisms, rather, the large human and economic resources that would be required to enact data retention should be diverted to address any problems in the data preservation and warrant system. Warrants not only protect citizens from the abuse of power by the State, they also provide legitimacy and authority to police or intelligence agencies carrying out their functions by ensuing that their actions are both necessary and proportional.
Data retention seriously erodes the right to privacy and other associated rights as established through international legal standards, including in the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights and the Human Rights Committee general comment 34 (on personal data being held by public authorities see para 18). Data retention goes well beyond the permissible restrictions to these human rights – recognized as national security issues, but that are necessary and proportional.
Data retention creates burdens for ISPs, including the expense of collection, storage and maintenance/transference of data onto new or evolving systems. These costs are likely to be the hardest on small companies, so this has a competition and market impact. ISPs are forced to pass on some of the costs to users – it costs everyone.
Knowledge Commons believes that companies and governments should avoid storing large amounts of unnecessary personal data because of the vulnerability of that data to theft or misuse. The German term “datensparsamkeit”, which means “data reduction” or “data austerity” describes the practice of storing only data that is necessary, rather than collecting everything that might be useful. Germany has evolved laws, such as the Federal Data Protection Act (2009), which embrace the principle of data minimization and data reduction, not least due to former regimes that have carried out extensive mass surveillance programs.
Standard operating procedures that apply ‘datensparsamkeit’ require agencies or companies to determine not only why certain data is being captured and stored, but also what comprises the minimum required data. The burden is on companies and governments, at least in theory, to demonstrate a need for the data they store. They must make the case for sharing their data, rather than routinely collecting and storing it for policing, intelligence, or commerce. For example, “datensparsamkeit” recognizes that an IP address is very revealing and not necessary to count hits on a website. It also recognizes that some data is private; storing it poses risks to the rights of freedom of expression and association.
We accordingly call on the Senate to consider amending the relevant provisions of Marco Civil to ensure wholesale data retention is made illegal and only relevant data is preserved based on principles of proportionality and necessity.