data protection – ubisurv

On the ‘Right to Be Forgotten’

While Viktor Mayer-Schönberger is arguing today both that there’s really not a lot new to the European Court of Justice decision to order Google to adjust its search results to accommodate the right to privacy for one individual and that it really won’t be a problem because Google already handles loads of copyright removal requests very quickly, the decision has also sparked some really rather silly comments all over the media, usually from the neoliberal and libertarian right, that this is a kind of censorship or that it will open the door to states being able to control search results.

I think it’s vital to remember that there’s really an obvious difference between personal privacy, corporate copyright and state secrecy. I really don’t think it’s helpful in discussion to conflate all these as somehow all giving potential precedent to the other (and I should be clear that Mayer-Schönberger is not doing this, he’s merely pointing out the ease with which Google already accommodates copyright takedown notices to show that it’s not hard or expensive for them to comply with this ruling). State attempts to remove things that it finds inconvenient are not the same as the protection of personal privacy, and neither are the same as copyright. This decision is not a precedent for censorship by governments or control by corporations and we should very strongly guard against any attempts to use it in this way.

Google algorithms already do a whole range of work that we don’t see and to suggest that they are (or were) open, free and neutral and will now be ‘biased’ or ‘censored’ after this decision is only testament to how much we rely on Google to a large extent, unthinkingly. This is where I start to part company with Mayer-Schönberger is in his dismissal of the importance of this case as just being the same as a records deletion request in any other media. It isn’t; it’s much more significant.

You are sill perfectly free to make the effort to consult public records about the successful complainant in the case (or anyone else) in the ways you always have. The case was not brought against those holding or even making the information public. What the case sought to argue, and what the court’s verdict does, is to imply that there are good social reasons to limit the kind of comprehensive and effortless search that Google and other search engines provide, when it comes to the personal history of private individuals – not to allow that one thing that is over and one to continue to define the public perception of a person anywhere in the world and potentially for the rest of their life (and beyond). Something being public is not the same as something being easily and instantaneously available to everyone forever. In essence it provides for a kind of analog of the right of privacy in public places for personal data. And it also recognizes that the existence and potentials of any information technology should not be what defines society, rather social priorities should set limits on how information technologies are used.

Personally, I believe that this is a good thing. However, as the politics of information play out over the next few years, I also have no doubt that it’s something that will be come up again and again in courts across the world…

PS: I first wrote about this back in 2011 here – I think I can still stand behind what I though then!

Death to the ICO?

Chris Parsons draws my attention to a blog posting on the very swish and refurbished Privacy International site (nice job BTW – I will check in regularly). Simon Davies argues in this post for the ‘assisted suicide’ of the UK Information Commissioner’s Office (ICO) because it has become a ‘threat to privacy’. The bases for this argument are several, namely that:

“the legislation that underpins the Office is narrow and in places regressive”;
the ICO is “a quasi judicial regulator that sees its role as protecting data rather than people”, which leads to timid decisions;
the ICO is sometimes “ill-informed… and almost always out of step with the more proactive and advanced regulators overseas” especially when it comes to technology;
its complaints procedure is slow and frequently pointless;
there are too many surveillance-related commissioners in the UK (the Surveillance Commissioner, the Interception of Communications Commissioner, the Equality & Human Rights Commission etc.)
it is disconnected from “an information environment dominated by companies which appear to be largely exempt from local protections for citizens.”

Now, I’ve done some work on commission for the ICO, and therefore you might expect me to defend it from these criticisms. But in fact, I find much to agree with here, as well as some points with which I disagree, and much to ponder.

On the side of agreement,the ICO, like much of government, is undoubtedly technologically rather backward. When, in the Report on the Surveillance Society, we wrote about the way in which governments were behind the times, this was as much a message for them as for parliament or the executive. Maybe it is down to funding, maybe to institutional inertia, maybe deliberate choice, but the ICO has still has not taken serious steps to remedy this as Simon points out, and relies largely on occasional external reports, many of which are in any case general rather than specialist, to update it.

I also agree with the charge that the ICO has been relatively powerless in the face of the rise of corporate surveillance. This is not surprising given its origins as an arm’s-length regulator of government, and some of the particular issues of concern – like whether it took the Google wireless hacking episode seriously enough or made the correct decisions – are far from obvious. But one can clearly contrast the relatively activist stance of even quite bureaucratic Privacy Commissioners like the federal Canadian body over Facebook, with the ICO. It has in the recent past taken some serious actions against illegal private sector surveillance – for example the bust of a notorious blacklisting firm – but this direction appears to have fizzled out. Not being privy to internal policy discussions, I am not sure why.

Then there are some areas in which the criticisms are valid, but which may not be directed at the right target.

The first of these is the proliferation of Commissioners of various kinds – and incidentally, we have thankfully been spared the birth of yet another one with the cancellation of the ID Cards scheme. I have also been arguing for the merging of all the various surveillance-related quangos for a long time. The reason so many of them exist is partly because of the piecemeal way in which British legislative process occurs. There are rarely comprehensive Acts covering broad areas, instead existing institutions, however inappropriate to the job needed, are often merely supplemented or modified. The other reason is of course the ongoing effort to protect certain parts of the state from serious scrutiny, in particular the intelligence services and political police.

The second is that, fundamentally, it seems clear that British data protection and privacy legislation is generally archaic and not up to the job. Neither is its Freedom of Information legislation, even though it was a massive advance on the culture of secrecy that preceded what in retrospect may have been one of New Labour’s most important measures.

However, I am not sure that either of these points are in themselves a criticism of the ICO but rather of the legislation which created it, and the governance environment in which it has to operate. The way in which the ICO came about, through a rough fusion of old Data Protection and newer Freedom of Information functions produced a lumbering Frankenstein’s monster made of parts and bits, kept going on a drip-feed of limited funding, something that was never going to be capable of what campaigners expected of it. The same could be said partially of the critique of the complaints procedure, itself is a widely shared opinion and one with which I would not take issue. However, how much of this is down to the limited funding and staffing, and once again, the foundational legislation which hampers as much as empowers the ICO to do much of what we outsiders would want them to do?

Then, some of the criticisms are more personal opinion, with which I am sure many in the ICO would disagree, particularly the idea that the ICO does not care about people. Both Simon and I know many people in the ICO personally and whatever our political differences with them, the idea that they are heartless data bureaucrats with no interest in people is a rather unhelpful and hyperbolic caricature, as is the idea that the ICO is an ‘enemy of privacy’. The ICO had a legally mandated job to do first and foremost and it needn’t, legally, go beyond that at all. Yet it has. The interventions that the previous Information Commissioner, Richard Thomas, made on surveillance in particular were absolutely vital in adding a new level to a debate that had previously, despite the best efforts of activists, campaigners and researchers, been of more marginal concern. One could argue that surveillance and privacy would never have become such a topic parliamentary debate, let along an election issue, without his advocacy. Certainly it hasn’t gone far enough, but is has hardly, during this period at least, acted as a stereotypically uncaring bureaucracy.

So what of the solutions?

Simon advocates only one: that the government “scrap the data protection functions of the ICO and building a new Privacy Act that creates a true watchdog with a broad mandate.” It is hardly surprising that Privacy International see the ‘privacy’ element as the most important one here. Simon will also not be surprised to discover that I disagree with him on this. In fact, my argument for a while has been that privacy cannot justifiably be prioritised over other forms of human informational rights. In addition, the concept of ‘human rights’ in general does not deal with everything about information relationships, positive or negative, and the many elements of those information relationships between state, citizen and corporation cannot be so arbitrarily separated.

I would therefore argue that a comprehensive Information Act, which covered citizens’ rights to information (their own, and that generated by government and corporations), their rights of privacy and the more general parameters of what the state and companies may know of those who information this is and how they are allowed to do so (i.e the limits of surveillance). I agree that ‘data protection’ is an out-of-date concept. But ‘privacy’ does not, and cannot, replace it, at least not alone. Privacy Commissioners, where they exist, find themselves dealing with a lot more than privacy and end up becoming ‘surveillance’ or ‘information commissioners’ in practice or by stealth, and in some cases an emphasis on privacy over all else can hamper legitimate needs to know (as has been true in the case of family members of elderly patients with dementia in Canada for example).

My conclusion about what a new Information Act would contain in terms of the regulatory bodies has something in common with Simon’s view, but I have two options. One is the creation of a single mega-regulator – a real Information Commissioner that covered all the areas of our information relationships with the state and corporations that would be able to go after corporations, local and national government over issues of their secrecy, transparency and accountability, and our privacy and informational needs. It wouldn’t just merge the existing ICO, Surveillance Commissioner, Interception of Communications Commissioner and so on), but start with new legislation and a new structure.

The other option would be a merge all the existing bodies but create two new ones to replace them: a Surveillance and Privacy Commissioner, to cover all of the areas of state and corporate intrusion into the lives of citizens, but also a Freedom of Information Commissioner, to cover the equally vital areas of state and corporate transparency and accountability. Privacy without FoI, whether together in one organisation or separate, is altogether too defensive an approach to what we can expect from the state.

And whichever route one took, the organisation(s) should have a wider range of powers built in and required – research (including technological foresight), advocacy, assessment, response and enforcement functions – with protected funding and legally binding decision-making capability. I think we would all be in agreement on that…

Facebook forced to grow up by Canadians

Wel, Facebook has finally been forced to grow up and develop a sensible approach to personal data. Previously, as I have documented elsewhere, the US-based social networking site had pretty much assumed ownership of all personal data in perpetuity. However it has now promised to develop new privacy and consent rules and ways of allowing site users to chose which data they will allow to be shared with third parties.

So why the sudden change of heart? Well, it’s all down to those pesky Canucks. Yes, where the USA couldn’t bothered and where the EU didn’t even try, the Canadian Privacy Commissioner, Jennifer Stoddart, had declared Facebook to be in violation of Canada’s privacy laws. And it turns out that in complying it was just easier for Facebook to make wholesale changes for all customers rather than trying to apply different rules to different jurisdictions.

This suggests an interesting new phenomenon. Instead of transnational corporations being able to always seek out a country with the lowest standards as a basis for compliance on issues like privacy and data protection, a nation with higher standards and an activist regulator has shown itself able to force such a company to adjust its global operations to its much higher standard. This is good news for net users worldwide.

However, we shouldn’t rejoice too much: as Google and Yahoo have shown in the case of China, in the absense of any meaningful internal ethical standards, a big enough market can still impose distinct and separate policies that are far more harmful to the interests of individual users in those nations.

Private sector data loss in Japan

I’ve blogged a fair bit in the past about state and private data losses in the UK. In Japan too this has been a big problem, and is a reasons given by central government for the need to centralise databases and by opponents talking about the risk of such centralisation.

The latest major data loss, just the other day, was by the giant banking combine, Mitsubishi UFJ Nicos, which accidentally ‘threw away’ personal data on almost 200,000 customers from 1993 to 2001. Of course MUFJ Nicos say there is no security or financial risk, but then organisations in these situation always say something like that…

Not all of these data losses are accidents however. Back in April, another part of the Mitsubishi keiretsu (a Japanese term for a loosely-connected ‘family’ of companies), Mitsubishi UFJ Securities, fired one of its managers, Hideaki Kubo, who is alleged to have stolen personal data on almost one and and half million customers, and had allegedly already sold data on 49,000 to data brokers for the rather unimpressive sum of just 32,0000 Yen (around $3200 US). He is believed to have had considerable debts.

In short, it doesn’t matter how strong your firewalls are, or how good your computer security is, if there is an employee, or a government bureaucrat with access to sensitive data, who is in financial difficulty or who is simply aggrieved or greedy, then data will leak out. The risks are not small, in fact it seems almost inevitable, and I believe that the number and scale of such losses are probably significantly under-reported by both private firms and government. Of course, it is also significant just how many supposedly reputably companies are prepared to pay for stolen data. This trade is certainly not taken seriously enough by regulators in most countries…

At the IT Strategic Headquarters

Yesterday we visited the Prime Minister’s IT Senryaku Honbu (IT Strategic Headquarters). (This has actually been the only national-level government agency that has agreed to speak to us, and some of the reasons for refusal have been rather telling, not least that of Houmusho (the Ministry of Justice), which claimed that they had nothing to do with privacy and so on, which betrays a level of ignorance about the effects of their own policies that is probably more the result of bureaucratic sectionalism and literalism than anything else but is nevertheless interesting!). The IT Strategic HQ is responsible for developing the ‘i-Japan’ strategy, the latest incarnation of what has at various times been called ‘Information Society Japan’ and ‘e-Japan’ policy. They are also the agency that wrote the most recent Japanese data protection laws, which I wrote about a couple of weeks ago.

We were treated to a prepared presentation on the latest incarnation of the i-Japan strategy, in which the ‘i’ seems to stand for ‘inclusion’ and ‘innovation’ but not apparently for ‘interactive’, which one might expect from its use elsewhere in computing. However it was the brief interview we had afterwards that was more enlightening.

In short, the government has acknowledged that what they originally wanted out of juki-net has failed due to opposition, despite the supreme court victory that ruled that the current cut-down version was constitutional. However, as Kanshi-no! argued, they are not going to back down that easily. The movement towards the creation of centralised government databases will continue, and there most likely will eventually be a fully configured identification system (and card) and rather alarmingly, the new i-Japan strategy makes it quite clear that laws that currently prevent this from happening will simply be changed or removed. They do not want opposition groups, nor indeed the current global recession, to be able to hold up or change these plans.

However the main thrust of development of centralised databases has shifted away from juki-net and the jyuminhyo (residents’ registration) system, towards national insurance, health and pensions. This is, as the agency than runs juki-net, Lasdec, suggested to us – and I am now beginning to think that this suggestion was rather more of a loaded hint than I had first thought – by far the most data-rich area of government records and therefore in many ways more suitable for being the basis of an architecture of central registration and identification. The database that the government intends to create in this area will also have the possibility for citizens to add in (voluntarily, they say), information from private sources, such as bank account and other financial details. Of course this could be more ‘convenient’ in terms of benefits and taxes, but it also puts an enormous amount of previously private data in the government’s hands and presents a huge temptation to identity fraud and theft from both outside and, more importantly inside the state bureaucracy (and let’s not forget, most identity fraud is an inside job).

It gets more worrying still as despite the advanced stage of these plans, the government has apparently still not decided exactly who will have access to this database, and the police in particular, as well as private insurance companies, are still considered as potential users. It seems that although the IT Strategic HQ might have developed data protection in Japan but they do not appear to understand its principles of necessity, proportionality and consent – indeed I asked them about these principles and they really had no serious reply. Instead they claimed that people in Japan wanted to have these central databases because the current fragmented system had led to poor security and data losses, and in any case, ageing society and the pensions crisis meant this had to be done. I have noticed that in Japan, ‘ageing society’ like ‘terrorism’ in the UK, seems to have become the spectre evoked to silence potential criticism.

There are many other issues too: the government is also trying to introduce a voluntary system of Electronic Health Records (EHR), but this is not as developed as the Connecting for Health centralised database that is still experiencing significant problems in its introduction in the UK; and there are some rather less controversial social inclusion measures included the provision of computers for schools and so on. However my overall impression after leaving the IT Strategic HQ was of a government that was determined to press ahead with centralised collection and control of personal information regardless of the views of citizens or of whether it is really necessary even to achieve the policy aims they have. And this won’t change as the result of a change in government either. If, as seems likely, the Liberal Democratic Party (LDP or Jyuminshuto) are voted out, the Democratic Party of Japan (DPJ or Minshuto) which will succeed them, has already said that it will create a central database.

(Thank-you to the officials of the IT Strategic Headquarters for their time).

Data Protection in Japan

Comprehensive data protection in Japan is fairly recent. Until 2003, data protection was still governed under much two earlier ‘ information society initiatives: firstly, the Act for the Protection of Computer Processed Personal Data Held by Administrative Organisation (1988) and secondly, the Protection of Computer Processed Personal Data Act (1990), which are based on the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. These laws were limited an applied only to the state, and within that, only to some national government organisations rather than all of them.

Lawyers and those concerned with privacy within and without government were well aware of these limitations, and in the late 90s, a special Privacy Issues Study Working Group was set upby the Electronic Commerce Promotion Council of Japan (ECom). This committee issued Guidelines Concerning Protection of Personal Data in Electronic Commerce in the Private Sector in March 1998. The Chair of that committee, Professor Masao Horibe, provides an account here.

Subsequently, a Personal Data Protection Legislation Special Committee was established in January 2000 under the Advanced Information and Telecommunications Society Promotion Headquarters (now the IT Strategic Headquarters), a body responsible directly to the Japanese cabinet. This body has issued all the laws and directions regarding IT, e-Japan etc.

The need to “protect personal data” (kojin deta) was mentioned in Article 22 of the Basic Law on the Formation of an Advanced Information and Telecommunications Network Society within the rubric of ‘security’. This was followed up by the e-Japan strategy of January 2001, which under the section on the Facilitation of E-Commerce, recommended that “Necessary legislative measures should be taken to win the confidence of consumers, including submission of a bill to protect personal data to the ordinary session of the Diet in 2001.”

The Bill was introduced in March 2001, but as a result of concerns about its effects on the freedom of the press, was left to fall by 2002. However the Personal Information Protection Bill was passed in 2003, one of five bills with implications for data protections to be passed in that Diet session.The bill came into force in 2005. I’ll discuss the content and operation of the bill later, but there’s a good summary in English from when the Bill was passed here.

The one particularly interesting thing to note here is that it doesn’t designate or establish any one body to oversee the operation of the law or the enforcement of rights, or deal with complaints as in European countries and Canada, for example, Instead it keeps data protection as an internal matter for designated government ministries (and for companies), with legal action an option if all else fails. The law is generally on the side of data flow and commercial / administrative convenience, which is not surprising given its origins in industry-led e-commerce promotion organisations.

A quarter of UK databases break privacy laws

This is massively important because it is based not simply on a financial, political or even an ethical position, but on the database projects’ respect for existing law. They are simply illegal…

A new report for the Joseph Rowntree Reform Trust by a very credible largely Foundation for Information Policy Research (FIPR) team that combines engineers, lawyers, software developers, and political scientists, has concluded that a quarter of the UK public-sector databases are illegal under human rights or data protection law. It also looks at UK involvement in some European database projects and finds all of them questionable too.

The report rates the 46 databases on a traffic light system – green, amber, red – and argues that those rated ‘red’, in particular the National Identity Register and the Communications Database, and are simply unreformable and should be scrapped. This is massively important because it is based not simply on a financial, political or even an ethical position, but on the database projects’ respect for existing law. They are simply illegal, and not just massively expensive, morally questionable or politically undesirable. In fact, a quarter of all the databases were found to contravene the law and more than half were ‘problematic’ (i.e. open to challenge in court) . All of those rated ‘amber’ (29 databases) the authors argue, should be subject to independent review.

There are a number of other major recommendations, including the reassertion of the necessity and proportionality tests contained in DP law, citizens should anonymous rights to access data, more open procurement of systems, and better training processes for civil servants. The most important and radical measures proposed, and entirely correctly in my view, are those concerning the location of data and the whole nature of UK IT development. For the former, the report recommends that the default location for sensitive personal data should be local, with national systems kept to a minimum – this appears to be rather like the ‘information clearing house’ system as opposed to central databases, that we proposed in our Report on the Surveillance Society, but better worded and justified! In the latter case, the authors simply note that fewer than 30% of government IT projects succeed at a cost of 16Bn GBP per annum and that there should never be a general and aimless government IT program, rather there should only ever be specific projects for clearly defined and justified (proportional and necessary) aims.

It is an excellent report and probably unanswerable in its logic. Tellingly, The Guardian report contains no response from any government minister…

‘Blacklisting’ firm shut down by ICO

For some time, I’ve been concerned about the little-discussed practice of ‘blacklisting’, the creation and sale of databases of workers thought to be troublemakers, radicals or union activists. Last year, I noted the failed attempt by the British government to legitimise this activity with the creation of the National Dismissal Register, and connected this to earlier surveillance of workers through the Economic League. See this more recent post where I summarised the story in a slightly different context.

But the Economic League, set up after WW1 and finally closed in 1993, had several offshoots. Now, as reported in most of the British press, one of them has been closed down by the UK Information Commissioner’s Office (ICO). ‘The Consulting Association’, a firm based in Droitwich, Worcestershire had apparently been operating for 15 years selling confidential information on construction workers to all the major building companies. According to the BBC, 3,213 workers’ names were contained on the list and were categorised by political affiliations and union activity etc.

Not surprisingly the firm was owned and run by one Ian Kerr, who was previously involved in the Economic League and who still seems to think he was doing nothing wrong, despite his past, and despite the fact that he had previously denied even the existence of this database. But he, along with all the clients named by the report, including Amec, Taylor Woodrow, Laing O’Rourke and Balfour Beatty and many others – there is a full list on the Guardian site – were breaking the Data Protection Act by illegally keeping and trading in personal information. We’ll see whether the big building firms get away with it; most likely they will simply claim that that they didn’t know the data was illegally acquired and traded.

Given the recent history of the National Dismissal Register to set up databases of troublesome workers, it is particularly ironic that minister, Peter Mandelson, is quoted as applauding this action by the ICO in the various reports.

German Corporations in Trouble over Surveillance

t seems that there is a mood in Germany for much stronger action, and a growing awareness that the country cannot, unlike in the UK at present, or indeed Germany in its own recent past, be allowed to slip into a situation in which surveillance becomes normal…

There is a major ongoing storm in Germany over the behaviour of its major corporations in spying on workers. There is a nice summary news report from the BBC which you can watch here.

The newest scandal emerged in January when it was revealed that the railway company, Deutsche Bahn, had conducted surveillance operations against thousands of its staff, both workers and management, possibly over years. The operations, with names like ‘Squirrel’, involved all kinds of intrusive internal espionage including tracking family members. The company’s aim was apparently to do with corruption and links to other rival corporations but the management have now admitted they went too far.

Internal security was also the reason behind the massive surveillance operations at Deutsche Telekom, the communications giant, possibly dating back to 2000. Here journalists and managers were targeted by a private detective agency. And of course then there was last year’s scandal over the way that the Lidl supermarket chain created a kind of Stasi-style operation at many of its stores and warehouses in Germany and the Czech Republic with secret cameras and operatives making detailed notes on the movements (especially toilet breaks) of its employees. According to The Guardian, the level of personal detail recorded by the store was incredible, one entry read: “Frau M wanted to make a call with her mobile phone at 14.05 … She received the recorded message that she only had 85 cents left on her prepaid mobile. She managed to reach a friend with whom she would like to cook this evening, but on condition that her wage had been paid into her bank, because she would otherwise not have enough money to go shopping.”

In the BBC report, the conclusion seems to be that better data protections laws are needed. Certainly this is true. But the cases involving corporations are important because they provide clear and comprehensible examples of how people ‘with nothing to hide’ can be targeted anyway and do have to be worried. There are enough of them too to show that this is not a series of isolated cases, but a part of a ‘culture of surveillance’. However it seems that there is a mood in Germany for much stronger action, and a growing awareness that the country cannot, unlike in the UK at present, or indeed Germany in its own recent past, be allowed to slip into a situation in which surveillance becomes normal. This means more than stronger DP, it means not allowing corporations and government to reduce fundamental liberties with arguments about ‘exceptions’. There seems to be growing awareness from the strong German Trades Unions in particular about this, we will see if this translates into wider social, and state, action.

At the Departamento de Policia Federal

Both human rights advocates and the police seem to be strongly in favour of the new RIC system as a means of social inclusion and to replace the chaotic and corrupt identification system based in individual Brazilian states at present, which allows anyone with any other form of ID to get a state Registro Geral card in each different state.

Departemento de Policia Federal, Brasilia — Departamento de Policia Federal, Brasilia

I have just come back from a very productive interview with Romulo Berredo, from the Director-General’s office at the Departamento de Policia Federal (DPF), who are the Brazilian equivalent of the FBI. There was a lot covered and I couldn’t hope to reproduce it all here. There were however a number of immediately interesting aspects.

The first was more evidence that the whole basis on which identity cards and database issues are being considered here is entirely different from the UK. Now I know this represents a police, and a state, view, but so far, both Brazilian human rights advocates and the police seem to be strongly in favour of the new Registro de Identidade Civil (RIC) system. This is both as a means of social inclusion and to replace the chaotic and corrupt identification system based in individual Brazilian states at present, which allows anyone with any other form of ID to get a state Registro Geral card in each different state. It is fairly easy to acquire 27 different identities in Brazil at present. And identification is important here. The great fear that many people seem to have – indeed it was called a ‘cultural’ characteristic by Berredo – is not the use of identification by the state as a form of control or intrusion but as a guarantee against the anonymity that would allow abuses by the state or indeed by other malicious persons. It provides a metaphysical and material kind of certainty and stability. The legacy of the last dictatorship was not so much an East German-style nightmare of knowledge and order but of corrupt and arbitrary rule.

It is this latter legacy which also drives the divisions between the different police forces in Brazil. The states-based Policia Militar (Military Police) and Policia Civil are both tainted in different ways by associations with authoritarian rule, and the former particularly with extra-legal execution and torture, and they continue to be regarded with caution, suspicion or even hatred by many Brazilians. The other police forces are also suspicious of the growing role of the DPF, which is often seen in terms of a power struggle not rational subsidiarity. Ironically then it is the states-based police forces that are dragging their heels over plans to create the kinds of national databases of criminal information that the UK has, and not for any libertarian reasons. In fact the DPF seem far more concerned with protecting human rights and defending the idea of citizenship, and because they are tasked with anti-corruption investigations have even arrested Senators and Judges, something unheard of even ten years ago. Of course those very same Senators and Judges are now fighting back, in a manner rather similar to Berlusconi in Italy, trying to alter the law to give immunities and protections. For example, handcuffing of arrested suspects was always normal until it happened to a Senator arrested for corruption. The Senate suddenly became interested in the ‘human rights’ of arrested suspects and passed a law limiting the use of handcuffs! Corruption at every level is still an enormous problem here, though Berredo argued that it was largely associated with those who had retained power from the years of the dictatorship.

The concentration on inclusion and joining-up government where it is clearly much needed does however lead to some gaps in thinking. The creation of new databases brings with it new duties and new potential problems of data-handling. As the privacy and data-protection law expert, Danilo Doneda, pointed out to me the other day, Brazil is in an almost unique position in not having any kind of regulator for privacy and information / data rights. He argued it was because the authorities just don’t see the need. Berredo confirmed this. He claimed that the DPF were trusted by the public – and relative to other police forces, that is certainly true! – and that they had to carry out their duties appropriately or they would lose that trust. It sounds nice, but it isn’t a good-enough (or legally-sound) basis for the protection of data-rights.

It all confirmed once again that Brazil is not yet a surveillance society – the state does not yet have the capabilities. There is no national database of fingerprints (even for convicted criminals) for example. But as Berredo said, it is moving in that direction. He was keen that there should be be limits. I liked the fact that he used this word. ‘Limits’ is a word that I found that the neither the UK government nor the European Commission seem to like, and they seem very unwilling to say what limits might be. However Berredo was quite clear that a technologically-driven surveillance future in which individuals could be tracked – he used the example of Google Latitude – was not one which he wanted to see. He recognised that he was both a policemen (at work) and a private citizen (at home) and that he, as much as anyone else, valued his privacy.

(Thank-you very much to Delegado Romulo Barredo of the DPF, for his openness, time and patience, and also to Agent Alessandre Reis, for his help)