Brazil: COVID-19 vaccination and related privacy issues

Measures taken throughout the COVID-19 pandemic have brought into focus the issue of balancing privacy with other fundamental rights, a conflict which is also present with regard to vaccinations and vaccine passports. Rodrigo Berthier da Silva, Attorney at Law at Berthier Advogados Associados, discusses how this topic has developed in Brazil and the different legal interpretations that have been made of this balance.


Over the last couple of years, mainly as a result of the pandemic, several public health measures, including the use of surveillance technology, have been adopted by governments and corporations around the globe to prevent the spread of COVID-19. Simultaneously, no medicine or treatment was able to relieve the stress on the medical and healthcare systems.

The fact is that the only effective means of slowing down the spread of COVID-19 was to track the virus, impose social distancing, enforce the wearing of masks, and other such measures, at least until an effective vaccine was developed.

At that time, most of the technologies adopted were being implemented by telecom companies to track individuals who were confirmed as or supposedly infected with COVID-19 or to warn communities about confirmed cases nearby.

The above process raised privacy issues around the globe, leading data protection authorities to release opinions on the need to balance privacy and public interest measures and politics, where often the rights of society, as a whole, may prevail over the individual rights of citizens. This may be the case where an individual's personal data (including sensitive personal data) is used for a goal sustained on a legal basis, as long as data security measures have been implemented and the purpose of use was restricted exclusively to that goal, with the purpose of a greater societal benefit.

The Brazilian Government implemented several systems, such as SMS messages warning citizens about COVID-19 infections nearby, or the National Health Data System ('NSH'), which collects personal health data from all Brazilian citizens suspected to be infected or with COVID-19 symptoms.

Legal framework

As the COVID-19 pandemic was an issue prior to the Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD') coming into effect, the maturity in Brazil in relation to these issues of balancing privacy and public interest was almost non-existent. In this regard, data protection was treated as a mere appendix to the topic of privacy, still under the perspective of confidentiality of communications.

However, at this point, Brazil saw the judicialisation of this issue due to Provisory Measure No. 954 of 2020 ('MP 954/2020'), which deals with the collection of registration data from the customers of telecom companies for research by the Brazilian Institute of Geography and Statistics ('IBGE').

MP 954/2020 was challenged by the cases of ADI 6387, 6388, 6389, and 6393, wherein it was argued this measure was in violation of Article 5, XI, XII of the Brazilian Constitution ('the Constitution'), as Article 2 of the MP 954/2020 imposed an obligation on all telecom companies acting in the Brazilian territory to share consumers' names, telephone numbers and addresses, no matter whether the consumer (client) is a natural person or a company.

At this point, the LGPD was not fully enforced and could not be used to determine measures and limits on the data sharing to the IBGE. However, it was determined that an ordinary law drafted by the President could not give permission to the government to obtain personal data without complying with the limitations written in Article 5, XII of the Constitution, which says:

 'the secrecy of correspondence and of telegraphic, data and telephonic communications is inviolable, except, in the latter case, by court order, in the situations and manner established by law for purposes of criminal investigation or the fact-finding phase of a criminal prosecution'.

The issue at stake was the sharing of registration data of data subjects so that the federal government could carry out surveys without, however, specifying in detail the purposes of the use of personal data, even during the pandemic.

The Supreme Court settled the case by suspending the effects of MP 954/2020 until final judgement. Ultimately, however, MP 954/2020 lost its effect because the Brazilian Congress did not pass its conversion into ordinary law, which must take place in 120 days according to Article 60 of the Constitution.

The Supreme Court's interpretation declared not only privacy, but also data privacy, as a fundamental right, in an unprecedented extension of the Constitution's meaning. The Court extended the right of inviolability of communication data as it was written to all citizens' personal data of any kind. As a consequence, the Court implicitly included the right to data protection as a part of the constitutional right to privacy.

However, the Supreme Court's decision was not enough to raise awareness of the risks to and importance of personal data protection, as it did not address the doubts raised about the competence to legislate on this matter. Thus, the Brazilian Congress passed, on 20 October 2021, the Project of Constitutional Amendment nº 17/2019 ('the Constitutional Amendment'), which includes data protection as a fundamental constitutional right. This development demonstrates the increased awareness in privacy matters by citizens and their Government.

Vaccinations and balancing privacy with public health

Now that more than 50% of Brazilians are fully vaccinated, further discussions about privacy are on the table, such as whether the vaccine passport should be mandatory or not.

Furthermore, the collection of personal data by the Brazilian Unified Public Health System ('SUS'), the only entity authorised to buy, negotiate, distribute, and give the vaccination to the Brazilian population without proof of compliance with the LGPD or other frameworks, may raise doubts as to whether such activities will be able to fulfil their purpose without directly violating privacy and other constitutional rights.

Beyond the context of data privacy as a constitutional fundamental right, the use of a vaccine passport could be an issue of the right to be treated equally by law.

However, the Brazilian constitutional interpretation does not allow for absolute rights. This applies even to fundamental rights, when the case is based on a collision of two or more such fundamental rights, as the Supreme Court has decided regarding the right to privacy versus the right to be forgotten. This case, filed under the number RE 1010606/RJ, was settled on these grounds:

"The idea of a right to be forgotten, understood as the power to prevent, due to the passage of time, the disclosure of facts or truthful data and lawfully obtained and published in the media analog or digital. Any excesses or abuses in the exercise of freedom of expression and information should be analysed case by case, from the constitutional parameters - especially those relating to the protection of honour, image, privacy and personality in general - and express and specific legal provisions in the criminal and civil spheres". (STF Judge Dias Toffoli)

This interpretation was restated in the case of ADI 3540 MC/DF, where the Supreme Court balanced the conflict between the fundamental right to environment preservation and the right to explore economic activity.

A simple way to think about this subject is a 'seesaw' or a balance. Just imagine that the 'seesaw' is the Justice's balance. The following rights have the same weight:

  • the right to freedom of expression;
  • the right to privacy;
  • the right to healthcare; and
  • the right to live decently.

If you imagine one of these fundamental rights at each end of the seesaw's beam, they should hold equal weight. However, in the real world, situations will naturally give more weight to one side and make it prevail. So, if protecting public health involves the rights of many to be protected from a contagious disease, the right to privacy is lighter in the balance.

Another point worth giving attention to is that, as a nation, Brazil has multiple branches that are competent to legislate on health measures (i.e. federal, state, etc.). The upshot of this is that a state can create a new law imposing the presentation of vaccination status as a requirement and condition to come and go at public and private places. On the other hand, the Constitutional Amendment gives exclusive power and legislative competence to the federal level to legislate on data protection and privacy.

Certainly, it remains to be seen whether the certificate of vaccination or a vaccination passport will be a mandatory requirement or merely an optional requirement.

However, the authorisations to collect and process personal health data, for a legal, moral, and legitimate purpose (i.e. Article 5, (XII) of the Constitution and Article (II)(b) of the LGPD) do not equate to a fully unlimited and non-discretionary use of it.

Moreover, while the SUS has already collected a huge mass of health data in the vaccination process, the SUS data system does not show an acceptable privacy policy, and some are uncertain about how they protect the data subject's personal data against leaks or hackers. On the other hand, the certification of vaccine, which is meant to be presented in stores, markets, theatres, restaurants, and events for example, minimises the data needed to prove that the citizen has taken the necessary doses to be immunised.

The DATA SUS app is similar to the common pass: it connects the user to the DATA SUS network and generates a vaccination report and a certificate of vaccination containing a QR code to authenticate or validate the information on the smartphone's screen. To attend events or enter malls and restaurants, the QR code will be scanned.

To achieve its goals, the information will have to be transferred and shared with other operators besides the SUS (such as restaurants, drugstores, banks, hotels, etc.) linked to the system and accessing the health data of its clients. But which security measures will be implemented? How can a country facilitate this with so many endpoints? That answer is still to come, after authorities decide if Brazilians will be mandated to use the system. Even the optional PDF version of the certificate does not bring any closure to this story, as the verification of this is done via the QR code as well.

So, at this point, which carries more weight, data privacy or the public health measures represented by the vaccination passport? 

Rodrigo Berthier da Silva Attorney at Law
Berthier Advogados Associados, Florianópolis