Processing of personal data for public security purposes

The processing of personal data for public security purposes triggers the application of various provisions outlined in the Brazilian Data Protection Law (“LGPD”). Analogous to the European General Data Protection Regulation (“GDPR”), the LGPD excludes the processing of personal data for specific purposes, wherein public interest is pronounced, from its purview. These include national defense, state security, and the investigation and prosecution of criminal offenses (Article 4, item III).

Nevertheless, this should not imply that in these cases, agents are allowed to process personal data without adhering to the principles set forth in the LGPD. Beyond the constitutional recognition of data protection as a fundamental right (Art. 5, LXXIX of the Brazilian Federal Constitution), compliance with these principles is explicitly mandated in Article 4, § 1º of the LGPD. The Brazilian Data Protection Authority (“ANPD”) has clearly expressed this interpretation in official recommendations. Furthermore, according to the law, the ANPD shall, in these cases (i) issue its opinion or recommendations on the processing of personal data and (ii) request a Data Protection Impact Assessment (“DPIA”) to the responsible party (Article 4, § 3º of the LGPD). 

In this regard, last October, ANPD’s Supervision Coordination released a Technical Note on the cooperation agreement between the Ministry of Justice and Public Security (MJSP), the Ministry of Sports (ME), and the Brazilian Football Confederation (CBF). The agreement regulates the transfer of personal data collected from stadiums to the public administration with the aim of (i) apprehending individuals with outstanding arrest warrants or that are subject to restrictive criminal measures; (ii) recovering stolen vehicles; and (iii) preventing the illicit sale of sports event tickets, encompassing the use of data related to deceased individuals to combat scalping.

The ANPD reaffirmed its competence on the matter and emphasized that Decree No. 10.046/2019, which governs the transfer of personal data within the federal public administration, is applicable in the case on a subsidiary basis. Moreover, the entity stated, among several recommendations, that the sharing of personal data within the scope of intelligence is contingent upon adhering to the due process of law. This involves following a set of procedures necessary to formalize the sharing activity, as outlined in the Technical Note.

Although the LGPD provides general boundaries for such activities, there is no specialized law in Brazil detailing the delicate balance between individual’s privacy and the public interest, in a similar fashion to the so-called European Law Enforcement Directive (“LED”)[1].

Recently, the new Brazilian General Sports Law introduced a provision stipulating that stadiums with a capacity exceeding 20,000 people must implement image monitoring devices at entrances, as well as biometric identification of the public. As the processing of personal data to curb criminal activities has been garnering increasing attention, it is time to delve into a more comprehensive discussion regarding the regulation of this matter.

[1] The Law Enforcement Directive addresses the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences.