Brazilian Web Provider Fined $1.6 Million For Selling Browsing Data to Advertisers

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Ed Taylor  

July 29 — In a first-of-its-kind enforcement action in Brazil, the Justice Ministry recently fined the country's largest telecommunications company Oi $1.6 million for invading the privacy of subscribers to its broadband Internet service by without consent tracking their Web usage and selling the information to behavioral advertisers.

Amaury Oliva, director of the Justice Ministry's Department of Consumer Defense and Protection (DPDC), told Bloomberg BNA July 28 that the department began to investigate Oi in 2010 based on allegations it had partnered with Phorm Inc.—a U.K.-based online advertising company—to develop a program to monitor Internet activity.

Phorm was at the heart of investigations by U.K. and European Union officials regarding the use of Phorm tracking software in trials involving the U.K. telecommunications company BT.

In the July 22 announcement of the fine, the DPDC said it confirmed that Oi was using a software program that mapped the Internet navigation profiles of subscribers. The tracking information was then sold to third parties interested in offering Internet advertising and personalized content to Web users, Oliva said.

Despite the fine, the telecommunications and software companies involved in the tracking plan denied any wrongdoing. Oi said in a July 23 statement that it would appeal the fine.

Tracking Software Use Suspended

“The service was offered as a means of improving Internet navigation, but it was not made clear that it would be monitored and the navigation profile sold,” Oliva said. “This violates the principle of good faith, of transparency and the responsibility to inform. The company said that sensitive information was not stored, but who can guarantee that?,” he said.

He added that the fine wasn't larger because Oi had suspended use of the Phorm software.

“Our process is administrative, but consumers who feel they were cheated can file suits before the courts and federal prosecutors can put together class action suits,” Oliva said.

In developing the Justice Ministry's case against Oi, the DPDC consulted with Brazil's telecommunications regulator, antitrust agency and Internet management committee, he said.

Companies Deny Wrongdoing

Oi released a statement July 23 in which it denied having invaded the privacy of any of its clients.

It said the software in question was discontinued in March 2013 and was only used with a small group of clients invited to test the product. According to Oi, the testing process was overseen by government regulators.

“The service was offered as a means of improving Internet navigation, but it was not made clear that it would be monitored and the navigation profile sold.”

Amaury Oliva, Director, Justice Ministry Department of Consumer Defense and Protection

Phorm said in a statement provided to Bloomberg BNA July 28 that Brazil's telecommunications agency and antitrust agency had approved the partnership with Oi and “no consumer data was ever sold and all of the regulations referring to privacy were strictly respected.”

Call to Expand Protections

Laura Schertel Mendes, a researcher and specialist in privacy issues for the Brazilian Institute of Public Law, told Bloomberg BNA July 28 that the Oi enforcement action is an important development in Brazil.

“The collective question is if we don't trust the Internet then we are inhibited to participate in surveys out of the fear that this information can be used,” she said. The situation in Brazil improved in April when Brazil's Internet law was enacted. The law established the rights and responsibilities for users and providers, she said. The law didn't, however, establish a data protection framework.

Veridiana Alimonti, an attorney for the Brazilian Institute of Consumer Defense, told Bloomberg BNA July 28 that Oi's alleged selling of user tracking data isn't likely the only instance in the country of companies misusing client data.

“It is necessary to create rules for data banks with restrictions on their use and access,” she said.

To contact the reporter on this story: Ed Taylor in Rio de Janeiro at

To contact the editor responsible for this story: Donald G. Aplin at

Request Bloomberg Law Privacy and Data Security