Undercutting Internet Governance in Brazil

On June 30, 2020, the Brazilian Senate approved Draft Bill No. 2.630 of 2020, also known as “The Fake News Bill”. After this approval, the bill must now be voted on by the Congress before being presented to president Jair Bolsonaro for either veto or final ratification. This bill applies to internet platforms with over 2 million users and seeks to address the warranted concerns presented by the recent spread of online disinformation and defamatory content. As it currently stands, the bill does little to address the individuals and organizations who finance the spread of fake news across social media platforms in Brazil. It also poses threats to user privacy, access to the internet, and freedom of association.

Data collection and political manipulation

In 2014, a data profiling company named Cambridge Analytica gained access to the private data profiles of 50 million Facebook users. Through a seemingly innocuous offer that paid these users to take a personality quiz, the company was able to obtain personal data from users’ profiles and those of their Facebook “friends”. Unaware that their data had been hijacked, they were also unaware that their information would be sold to Donald Trump’s 2016 presidential campaign and allegedly used by that campaign to manipulate their voting interests.

Because Facebook records its users’ browsing histories, the amount of illicit data collected in this exercise is troubling. Also troubling is that while this data was apparently used to influence the US presidential elections, data obtained in a similar fashion may have also influenced the 2018 Brazilian presidential elections. After disclosure of the US breach, Brazilian prosecutors revealed that they were opening an investigation into whether Cambridge Analytica improperly harvested personal data from millions of Brazilians. Considering that this improperly obtained data was apparently used to aid Trump’s presidential bid, and also by the winner of Brazil’s 2018 presidential elections – the far-right Bolsonaro – Cambridge Analytica’s data harvesting and any corresponding political manipulation that occurred in these countries is sure to have a profound and lasting impact.

The backstory: Internet governance in Brazil

While the Cambridge Analytica anecdote relates specifically to the global salience of data privacy in social media use, it also speaks to the broader issue of transnational internet governance. In recent years, the Brazilian government has taken measurable steps to address these data privacy and internet governance concerns. Indeed, concern over the privacy of Brazilian internet users was merely one of the motivating factors that led to the adoption of its landmark “Internet Bill of Rights”, the Marco Civil da Internet (MCI) in 2014, the same year of the Cambridge Analytica breach. Based upon democratic principles meant to mitigate inequality in the online realm, the MCI protects net neutrality – the principle that all internet traffic should be treated equally – and provides the right of internet access to all Brazilians.

While the MCI provides the principles necessary to guide the country in the domain of internet governance, more specific regulations concerning data privacy have recently been adopted. In 2018, the Brazilian government adopted the Lei Geral de Proteção de Dados Pessoais(LGPD), a comprehensive data protection law that provides a framework for sharing, collecting, storing, and handling personal data managed by various organizations. Modeled after the EU’s General Data Protection Regulation (GDPR), the LGPD seeks to provide clarity in Brazil’s data protection realm, which is currently experiencing great legal uncertainty. Because Brazil is a current hotspot in reported COVID-19 cases, there has been great debate regarding the use of personal data for digital contact tracing. Brazilian privacy experts and other industry stakeholders view the LGPD as a legal mechanism that could help ensure the responsible use of personal data by the Brazilian government and other organizations in relation to the COVID-19 pandemic. Despite the current need for this regulatory framework, it appears the LGPD will not go into effect until May 2021, because of a provisional measure that delays the law’s applicability.

The Fake News Bill: Facilitating rights violations and fueling inequality

Against this laudable backdrop of internet governance legislation, and those concerns presented by the Cambridge Analytica example noted above, comes Brazil’s so-called “Fake News Bill”. It is the country’s most recent attempt at internet legislation. While Article 2 of the draft legislation notes that it must remain in compliance with both the MCI and LGPD, the bill’s ambiguity and overbreadth challenge the freedom of expression and privacy safeguards enacted by its internet governance predecessors.

For instance, the bill contains provisions that require platforms to monitor users’ identities by requiring that users provide identification and a valid mobile phone number. Linking mobile phone numbers to social media accounts provides the potential for the unauthorized surveillance of internet users. Moreover, Brazil’s vulnerable populations rely heavily on mobile phones to access the internet. These populations often lack the financial resources to maintain uninterrupted mobile phone service. By preventing users without mobile phone accounts from using social networks, the bill would likely hinder internet access for Brazil’s vulnerable populations. Such requirements run counter to the principles of the MCI – which promote privacy, democracy, and universal internet access – and also to the safeguards of the LGPD, which seek to advance data minimization and risk prevention in processing and storing personal data. This ID provision was met with much uproar from civil rights organizations, academia, and even the social media platforms themselves, yet it remains in the Senate-approved version of the bill.

Other provisions are just as troubling. For example, the Senate-approved bill orders social media platforms to track and store the chain of forwarded communications of Brazilian internet users. These messaging chains became a major issue in Brazil’s 2018 election cycle. During this time, messaging chains on WhatsApp – the Facebook-owned messaging application – became a powerful tool for spreading misinformation, most notably among Bolsonaro supporters. The bill’s monstrous data collection requirement, which would affect millions of Brazilian internet users, could easily be misused for political gain, to track reporters or journalists, or to reveal the sensitive communication details of individuals, groups, and their various associations.

Missing the target

The bill’s critics have lobbied for substantive changes that would protect the values of user privacy, freedom of association, and universal internet access embedded in both the MCI and LGPD. However, as it currently stands, the bill overlooks these concerns and does little to address those individuals and organizations who finance the spread of fake news across social media platforms in Brazil. This failure suggests that Brazil’s Fake News Bill will likely prove unsuccessful in curbing the spread of misinformation by organizations like Cambridge Analytica.