Mind the Gap: the Privacy Void in Brazilian’s Public Transport

by | Oct 26, 2018

author profile picture

About Mariana Canto

Mariana Canto holds a Bachelor of Laws (L.L.B.) from the Federal University of Pernambuco (UFPE), Brazil having studied part of her graduation at the University of Hamburg, Germany. She is currently a fellow researcher at the Brazilian National Council for Scientific and Technological Development. She was a Fellow NextGen at ICANN62 and a Fellow Youth at the Internet Governance Forum 2017. Canto is also a member of the research and extension group Discussing Digital Law, Internet, and Technology and is an invited author of the Institute for Research on Internet and Society (IRIS).


Mariana Canto, “Mind the Gap: The Privacy Void in Brazilian’s Public Transport” (OxHRH Blog, 26 October 2018), <https://ohrh.law.ox.ac.uk/MIND-THE GAP:-the-privacy-void-in-Brazilian’s-public-transport> [date of access].

In April 2018, the agreement entered into between ADMobilize and ViaQuatro, the administrator of the yellow line of the São Paulo subway, enabled the use of a technology to collect data related to the facial expressions of public transport users. Almost four months later, on August 30, 2018, an action was filed by the Brazilian Institute of Consumer Protection against this practice. After great public commotion in relation to the case, on September 14, 2018, Judge Adriana Cardoso ruled that the cameras had to be removed within 48 hours. According to the decision, “it is not clear the exact nature of the collection of the images and the way in which the data is processed by the defendant, which in fact should be disclosed to the passengers even more due to the public nature of the provided service.” The judge also used the arguments provided by the Public Prosecutor’s Office as a legal substantiation for the decision: stating that the usage of data collection of all users of the public transportation violates the right to information and the freedom of choice of approximately 600,000 consumers who use the service on a daily basis.

Facial recognition technology has also been used in public transport in other Brazilian capitals. In order to prevent fraud, cities are increasingly investing in mechanisms for verifying the identity of holders of special tickets that allow the service to be free of charge or to have reduced fares. However, in several cities there is still a lack of disclosure regarding the privacy policy related to the collection of users’ data. A few months ago, the Observatory of Privacy and Surveillance criticized SPTrans of São Paulo for not being clear and public about its privacy policy for the bilhete único ticket. Likewise, Coding Rights produced a report on the RioCard ticket implemented by the city of Rio de Janeiro.

The recently approved Brazilian General Data Protection Law (LGPD), which was inspired by the European General Data Protection Regulation, makes clear the need for explicit and unambiguous consent from passers-by as well as restrictions to the collection and sharing of sensitive data, in this case, biometric data. Even though the LGPD does bring fairly beneficial tools for user protection, encouraging, for example, the use of privacy by design and privacy by default by developers, the presidential veto over the creation of a National Data Protection Authority poses a major threat to the effectiveness of the law, since an independent Authority is extremely necessary, otherwise the monitoring of public administration, for example, will be harmed. As the LGPD will  take legal effect only in 2020, other legislation seeks to regulate and ensure citizens’ privacy and data protection. These are the Federal Constitution, the Consumer Defence Code, the Civil Code, the Internet Civil Framework, the Public Transportation User Defence Code, the Law on Access to Information, and the Positive Registration Law, among others.

Across the Atlantic, one of the most well-known projects being used to bring the focus back to the user and their consent in smart cities around the world is the Decentralised Citizen Owned Data Ecosystem (DECODE). DECODE seeks to develop practical alternatives for building a digital economy centered on data generated and collected in a secure and transparent way. It combines blockchain technology with attribute-based encryption for appropriate privacy protections and gives the data owner control of how their data is accessed and used. Currently, pilot projects take place in Amsterdam and Barcelona. They apply technology to specific cases in three different themes: the Internet of Things, open democracy and shared economy.

Finding solutions for encouraging user’s power of choice or achieving the Internet of People, as defined by Julia Powles, is not a goal that can be accomplished in a short amount of time. It depends on software engineering and on legislation but more than that, on the elaboration of public policies aimed to reconcile innovation with the protection of fundamental and human rights. Perhaps, the million-dollar question is: how can we shape the infosphere environment to society’s advantage without undermining technological advancement?

Share this:

Related Content


Submit a Comment