Matheus Rosa and Victor Barbieri Rodrigues Vieira
Nowadays, with the advent of the Internet, discussions about data privacy have been occuring on a regular basis. The rise of countless ways of online interaction, such as forums and social networks, alongside technologies that keep us connected to the web all the time, allowing each and every one of us to be tracked via GPS technology (present in our smartphones, tablets, computers etc.), makes the public debate over themes related to data protection essential to the improvement of the Internet.
Though, at first glance, it would be natural to imagine that this kind of worry has arisen only recently, in the context of the Internet becoming mainstream, it is interesting to note, in reality, this is not the truth. For example, an article from Harvard, dated from December of 1890, reports the concern of the American society as a whole about the invention of photographic machines, which people claimed to pose a great threat to people’s privacy, since their pictures could easily be published in newspapers.
It is possible to note, therefore, that the human being, since long ago, shows concern about the exposure of its privacy. That problem, however, has undeniably become way more relevant in the 21st century, given that the Internet is present in the majority of our daily activities.
Emblematic cases involving privacy and data protection before the invention of the Internet
The right to privacy and data protection, as shown above, is a concern that dates back to way before the Internet or the social networks, a fact that can be analysed in several cases of jurisprudence all over the world. To illustrate the issues involving privacy and data protection, two emblematic cases of the German Constitutional Court (Bundesverfassungsgericht) are presented below: the Lüth case, dating from 1958, and the Lebach case, from 1973.
The Lüth case
Eric Lüth, a Jewish German citizen, a Hamburg press club movie critic, started to boycott Veit Harlan’s first movie released after the Second Great War. Harlan had undeniably supported the Nazis during the war. His new movie, which did not contain any kind of reference to Nazism, was a total failure, and the film-maker decided to file a lawsuit against the movie critic. In the first couple of instances, Harlan won against Lüth, who, if convicted, would be sentenced to a fine and prision. But Lüth appealed to the third instance, in which the German Constitutional Court ruled in his favor, arguing that his right to freedom of speech was more relevant than Haler’s right to privacy and to be forgotten. This decision is fantastic because of its complexity, besides having established in the legal doctrine the principle of weighting assets. Lastly, it is important to say that this is considered the Bundesverfassungsgericht’s most important decision, being compared even to the Merbury vs Madson case, from the US Supreme Court.
The Lebach case
In 1069, in the city of Lebach, western Germany, two men were given a life sentence for murder, and a third man who participated in the crime got sentenced to six years in prision. When this last man had served most of his time and was about to be released, the German television network ZDF (Zweites Deutsches Fernsehen), one of the biggest in Europe, decided to produce a documentary about the crime and the lives of the criminals. As the documentary was to go on air on the day before the said man was released, he filed a lawsuit on the German Constitutional Court, claiming that it would be prejudicial to his resocialization. The Bundesverfassungsgericht was in charge of hefting two basic fundamental rights: information vs privacy and personality. The Court considered that the resocialization of the soon-to-be free man was more important than the citizen’s’ right to information, prohibiting the exibitiondisplay of the documentary and decided in favour of the rights to privacy and to personality.
Therefore, we can conclude that cases involving privacy and data protection are complex and subjective, not having defined answers. However, as it will be presented next, in the Information Society that is in construction today, data and information from Internet users need protection guaranteed by law, so that they are not at the mercy of courts, that, most of the times, do not have much information about digital mechanisms.
Privacy and data protection on modern days
As previously said, nowadays, practically all the activities we carry out involve providing data to some person or entity. Examples vary from the simplest purchase using a credit card to more complex situations, such as a medical appointment – almost everything we do result on personal information being sent to databases all over the world.
Databases are servers responsible for grouping and systematizing data and personal information collected. It was with the creation of these databases that the society’s concern about breach of personal privacy increased, since that infrastructure allows, for either companies that own the databases or individuals with enough technical knowledge about them, unrestricted access to such data, which, in a society governed by digital information, means that these people can have total control over the individual.
In the Information Society in which we live, personal content stored in databases represents, ultimately, people’s own personalities, which grants to those who gain access to it the ability to literally dominate these people’s lives. With that in mind, some National States, such as Germany and France, started to develop laws to protect the users’ data – laws that were improved over time.
In the context in which these first laws were conceived, technology was seen by everybody as a potential menace to society, in a Luddite conception, that resulted in laws that guaranteed the government’s monopoly over usage and control of the databases, without any user participation. The first examples of laws that abandoned such negative perception of technology can be found in Germany and France, respectively in 1977 and 1978, when, in these countries, citizens were given rights over their own personal information.
From the 90’s on, citizens increasingly started to take notice of the importance of their data, with the rise of principles that apply to laws about the protection of personal information. Said principles, named “Fair Information Principles”, were created in the Strasbourg convention, in France, during the 80’s, and are four in total: Principle of Publicity, of Accuracy, of Purpose and of Free Access.
The Principle of Publicity says that the existence of a database that contains personal data should be public knowledge; the Principle of Accuracy, that stored data should match reality; the Principle of Purpose ensures that data is used exactly the way it was announced to be before its collection; finally, the Principle of Free Access allows individuals to have access to databases in which they have stored personal data.
One could say, therefore, that the Strasbourg Convention set a new paradigm that shaped how the relationship between the user’s personal data and the National State or the companies which store them. The principles established in the convention influenced numerous laws all over the world, including the Brazilian one, which will be presented next.
From the moment that Brazil started to crawl back to Democracy, in 1985, made true with the 1988 Constitution, people started to discuss privacy and data protection. The Article 5 of the Constitution, in its items X, XII and LXXII, deals with themes such as the inviolability of private life and intimacy; the interception of phone calls, telegrams and data; and the establishment of the habeas data (initially established as a tool for the requirement of personal data in possession of the National State, but that, with the advent of the Law 9.507, of 1997, started to also allow access to personal data stored in databases in possession of private entities, following, therefore, the Principle of Publicity that was mentioned above). It can not be said, however, that the Law 9.507, of 1997, was very efficient in a practical way, due to the excessive bureaucracy that the process of requiring the data involved, since a lawsuit was necessary for that, which resulted in the request taking a very long time to be fulfilled.
Complex situations involving privacy and data protection
In present days, social networks are the most used online services around the world. With such a massive user base, that is constantly sharing personal information, it is safe to say that social networks represent the largest source of controversy involving privacy and data protection.
Such controversies happen, primarily, because the social networks’ dynamic demands users to provide real information about themselves. That highly valuable information represents the source of profit for social networks, which use this data to attract advertisers. By analyzing the data, social networks can identify what each user would be prone to purchasinge, and then directs the advertisement of a specific brand to its target audience.
The social network is, in its essence, a place in which people trade information, but since it works as a “bridge” between users, a lot of times – though not always, as will be presented later – it takes that non-public information for itself, storing private conversations in its databases. A lot of users, knowing about their lack of privacy, started to request that companies that stored their information and their own National State took better care of it. This attitude basically resulted in a change of paradigm – from the Paradigm of Privacy to the Paradigm of Open Society, in which users have the knowledge that their information is not really private and, therefore, require rights over how that information is treated. Thus, the users request, for example, the right to have their information forgotten in case they someday decide to leave the social network, having the social network completely erase all this information from their databases.
Recently, Whatsapp, which belongs to the Facebook group, was involved in a controversy involving personal data protection of its users. The Brazilian court required access to some user messages, in hope that they could aid an investigation about pedophilia, but, in addition to what was said above, not every social network stores the information their user base shares – it all depends on the architecture used by the service. In this case, Whatsapp makes it clear that its system works based on an end-to-end architecture, which means that people’s conversations are encrypted, to prevent interception by hackers, and are not stored in databases. Thus, the company stated that it was impossible to provide such information, causing the angerrevolt atof the claimants, that argued they did not believe in said impossibility of the social network keeping a backup of the conversations had in its app, resulting in the blockage, even if for a short time, of the Whatsapp service in Brazil.
But problems related to the theme do not always happen in social networks. Also recently, we saw a big legal dispute happen in the United States between Apple and the FBI. In this case, the FBI asked Apple to create a modified iOS, that would guarantee backdoor access to the confidential information stored in the iPhone of one of the shooters involved in the San Bernardino attack, to aid investigations. Known worldwide for being one of the electronic manufacturers that cares the most about its users’ data security, Apple, naturally, denied to design such operating system.
Both cases above, along with several others, resulted in a long discussion about up to what point personal information, even if private, should be protected. It is a fact that most people support the idea of social networks that store user data in their databases providing that data in order to help with important investigations – what would be similar to when the police is given permission to break into the house of someone involved in an investigation. However, there is no denying that there is a big – and fully justified – concern about the National State being arbitrary in this regard, resulting in the usage of the data for purposes that do not correspond with what is important for society as a whole.
Other controversies that comprise the theme is the fact that, many times, the companies involved in cases like the ones presented above are not native to the country in which the legal issue happens, and that results in doubts about whether these companies do or do not need to follow the country’s laws. These issues involving jurisdiction are linked to International Law and still demand to be studied and discussed in depth in order to be appropriately settled.
About the authors
Matheus Rosa is an undergraduate Law student at Universidade Federal de Minas Gerais (UFMG). He is a member of the Group of International Studies on Internet, Innovation and Intellectual Propriety. (GNet-UFMG).
Victor Barbieri Rodrigues Vieira is undergraduate Law student at Universidade Federal de Minas Gerais (UFMG). He is a member of the Group of International Studies on Internet, Innovation and Intellectual Propriety. (GNet-UFMG).