Brazil: Joint letter on the nomination of members of the Armed Forces as directors of the Data Protection Authority

European Commission
Bruno Gencarelli, Head of Unit on International Data Flows

Council of Europe
Sophie Kwasny, Head of Data Protection Unit

Global Privacy Assembly
Chair Elizabeth Denham, UK Information Commissioner


10 November 2020

Re: Notification on the nomination of members of the Armed Forces as directors of the Brazilian Data Protection Authority

Dear Mr Gencarelli,
Dear Mrs Kwasny,
Dear Mrs Denham,

We, Access Now [1] and the Direitos na Rede Coalition [2] , are writing to you regarding the recent nomination of members of the Armed Forces [3] as directors of the Brazilian Data Protection Authority (DPA). This nomination has serious implications, not only for how Brazil’s data protection law will be implemented, but also for any adequacy determination, the advancement of global data protection standards, and the guarantee of independence of the data protection authority

Brazil’s Data Protection Law, enacted on 18 August 2018, is considered an example of modern legislation for Latin America. It was built through a democratic process that took more than six years in Congress and many public hearings with multiple stakeholders. The law is largely aligned with the EU General Data Protection Regulation and the OECD Privacy Guidelines. Nevertheless, before it was enacted, Brazil’s President vetoed the articles related to the creation of the DPA. After months of negotiations, a DPA was established through a provisional measure decree, although the authority will be under the control of the presidency. This decision puts into question the authority’s independence [4]. 

According to the Brazilian legislative framework, the DPA is responsible for interpretation of the law and for the application of sanctions. The DPA has a head – the “Conselho Diretor” – and five directors that are appointed by the President and approved by the Senate. Each director is appointed for different terms of up to six years. On 15 October, the President appointed the five directors; five days later, after a rush vote and no open discussion, they were approved by the Senate [5]. On 5 November, all of them were nominated [6].

Among the five new directors, three of them come from the Armed Forces. They were approved for individual mandates of six, five, and four years, while the two other directors who complete the DPA will be in office for two and three years. The head of the DPA is Waldemar Gonçalves, a retired colonel from the Armed Forces, who has been the president of the state-owned telecommunication company Telebras. Another elected director is Arthur Pereira Sabbat, a lieutenant-colonel who has been serving in the Institutional Security Office of the Presidency. The last director is Joacil Basilio Rael, a former military officer who studied artillery and computer engineering and science, and has been in charge of data protection issues in Telebras. 

Although the structure of the DPA became compromised at the moment it was conceived under the presidency office, the nomination of officials from the Armed Forces and former representatives of state companies raise additional concerns in terms of independence. This decision has been portrayed as an act of favoritism toward the government which has been heavily criticised in the past for its massive personal data processing [7].

Coming from military backgrounds, where it is common to listen to and build arguments creating a false dichotomy between national security and privacy, none of these directors have a proven track record in applying legal and human rights standards related to privacy and data protection, and that is worrying [8]. This puts at risk all the future interpretation and guidance to be delivered by the DPA and could undermine the function of the DPA itself, which is to protect people’s rights, instead turning it into a national security agency. 

It is worth remembering that the Brazilian DPA has a Council on Privacy and Data Protection (CNDP). This multi-stakeholder advisory body is tasked with proposing guidelines in preparation for the National Data Protection and Privacy Policy, issuing annual reports regarding the implementation of the law, and preparing studies on the importance of data protection and privacy. In this context, it is of utmost importance that the DPA and the Brazilian President respect and ensure public participation at the Council. In particular, the DPA should refrain from influencing the Council’s stakeholder groups appointees which should ensure diversity and a qualified participation. 

Although the European Union, the Council of Europe, and the Global Privacy Assembly are diverse actors, each contributes to setting high global standards for the protection of personal data around the world. 

In light of the developments described in this letter, we ask the European Union, when engaging with the Brazilian Government on data protection matters, to emphasise the importance of an independent and autonomous DPA. While Brazil’s law is a positive step forward, the current structure of the DPA and its composition is deeply flawed and may not constitute an adequate avenue for people to exercise their right to remedy. The Brazilian government must work to transform its DPA into a truly independent authority as provided by law in the next two years – including through budgetary allocation – and respect the upcoming nomination of CNDP members by each sector, ensuring multi stakeholder participation. 

On the grounds of ensuring independence and autonomy to the Brazilian DPA, we further ask the Global Privacy Assembly to assess its cooperation with the authority. The GPA is an important forum for international convergence on data protection and has strongly reaffirmed the need for authorities to be independent. 

Finally, we call on the Council of Europe to monitor the implementation of the Personal Data Protection Law in Brazil. The work Committee of the Convention 108 is central in advancing global convergence on data protection rules based on human rights standards and applied by an independent authority. 

Significant progress toward global convergence on data protection has been made in the span of the last few years, thanks to the role that you and your institutions play internationally. We look forward to continuing working with you toward this goal. We will continue our efforts to ensure the advancement of robust data protection measures in Brazil and we hope to count on your support in addressing the dangerous precedent set by the flawed structure of Brazil’s DPA.

We remain at your disposal for any questions you may have.

Best regards, 

Veronica Arroyo and Estelle Massé
Access Now

Fabricio Solagna
Direitos na Rede Coalition – Brazil

  1. Access Now is a global civil society organisation dedicated to defending and extending the digital rights of users at risk around the world.
  2.  The Direitos na Rede Coalition is a network of more than 40 academic and civil society organisations in defense of digital rights in Brazil.
  3. The Brazilian Armed Forces is the unified military organisation comprising the Brazilian Army (including the Brazilian Army Aviation), the Brazilian Navy (including the Brazilian Marine Corps and Brazilian Naval Aviation) and the Brazilian Air Force.
  4. The OECD has recently recommended reviewing the constitution of the DPA to assure its full independence from its creation. OECD. A Caminho da Era Digital no Brasil. 26 October, 2020. p.12
  5. Senado Notícias. Senado confirma primeira diretoria da Autoridade Nacional de Proteção de Dados. 10 October, 2020.
  6. Diário Oficial da União. Decretos de 5 de novembro 2020.
  7. MIT Technology Review. Brazil is sliding into techno-authoritarianism. 19  August, 2020.
  8. Coalizão Direitos na Rede. ANPD militarizada: risco para a proteção de dados pessoais. 16 October, 2020.