The General Law on the Protection of Personal Data (LGPD) establishes that the protection of personal data in the context of public security activities should be the subject of a specific text. The gap in the legislation paves the way for the use of technologies with a high potential for violations of rights and the consolidation of a state surveillance apparatus.

This report analyzes the panorama of data protection in contracts for data management technologies and monitoring of online activities signed by the Public Security departments of four states: Bahia, Paraná, Rio de Janeiro and São Paulo.

Transparência Brasil found that the agencies, in most cases, contract technologies without observing clear provisions for the protection of personal data, do not apply the LGPD until a specific text is approved for public security activities, and lack mechanisms to guarantee the rights of data subjects.

• Only 28% of the 61 contracts in force from 2020 onwards that were analyzed contain a clause that directly references the LGPD, and 36% include general data protection clauses with no mention of the law;
• The majority (68%) of contracts for technologies with the potential to expand online state surveillance were signed with the company TechBiz Forense Digital Ltda;
• In cases of adherence to the LGPD in the contract, the clauses suggest that the contracted companies are more responsible for guaranteeing the rights of data subjects than the state;
• TB recommends the preparation of Personal Data Protection Impact Reports (RIPD) and clear and effective mechanisms to guarantee the rights of data subjects by state public security departments.