Constitutional | None | Privacy is constitutionally protected. Art. 5, Items X, XI, and XII. | Privacy constitutionally protected. Charter of Rights § 7, 8. | Privacy of correspondence nominally protected. Const. art. 40. | Constitutional norms exist but traditionally are not legally enforceable. | Privacy constitutionally protected. Basic Law, art. 10. | Privacy construed to be part of fundamental right to "life and personal liberty" under Const. art. 21. | Privacy is constitutionally protected; security exception. Basic Law § 7. | Privacy not explicitly protected, but inferred from certain protections and general rights set forth in the Constitution. | Communications privacy expressly protected by Const. art. 21, broader privacy right inferred from Const. Art. 13. | Privacy constitutionally protected. Art. 17 and 18. | The U.K. lacks a written constitution. | Privacy is a right inferred from the Constitution. Const. amend. IV. |
Statutory | Telecom (Intercept and Access Act), ASIO Act. | The Wiretapping Act, Brazilian Federal Act 9296 / 1996 | Criminal Code, Nat'l Defence Act and CSIS Act. | State Security Law, art. 11 and 18. | Law n° 91-646. | Standards laid out in Telecom. Act and G-10 Act. | Currently no umbrella privacy statute. | Wiretap Act, Teleco. Act, GSS Act. | Data Protection Code (Legislative Decree no. 196 of 30 June 2003) | Personal Information Protection Act, Communications Interception Act. | Communication Privacy Act; Personal Info Protection Act. | Standards provided by RIPA. Some protections in DPA. | Standards provided by the Wiretap Act, ECPA and FISA |
Law Enforcement vs. National Security | Subject to distinct requirements. | The Constitution only authorizes interception of communications for the purpose of investigating crimes, and the Brazilian Intelligence Agency does not have surveillance powers. | Subject to distinct requirements. | No meaningful separation. Neither subject to meaningful restrictions. | Distinct requirements; judicial approval is required for electronic surveillance for law enforcement purposes, but is not always required for national security purposes. | Express legal separation rule; “Trennungsgebot.” | No clear distinction | Subject to distinct requirements. | The Data Protection Code sets different standards for administrative, law enforcement, and national security activity. | Security forces have few powers. | Subject to distinct requirements. | Same standards apply; intercepted communications excluded from court proceedings | Express legal separation, though increased information sharing. |
Distinction between content and non-content | Communications data has a lower threshold for access. Telecom Act § 110. | Police can obtain subscriber identifying data without a warrant, but court has held that such info is protected by Const., requiring warrant. | Unclear; Crim. Code does not expressly address collection of traffic data. | Widespread access makes the distinction irrelevant | Content is subject to greater protections. | No, though both protected by the same high standard. | No | Non-content data is subject to lesser protections | Greater protection is given to “sensitive data.” | Unclear | Transactional data – including call records and Internet log records – is not considered to be “personal information.” | Non-content data is subject to lesser protections. RIPA § 21-22. | Yes. Telephony non-content data accessible with subpoena; Internet transactional data only with court order (but less than a warrant). |
Tech neutral (Same standards voice vs data; analog vs. digital) | Interception standard is tech. neutral. Telecom. Act § 5. | Interception standards apply to telephone and digital communications. | Interception standard is tech. neutral. Crim. Code §184(1). | Standards differ depending on medium of transmission | Yes; applies to any form of “interception of communication.” | Employs a “layer model” which is not tech. neutral | Standard for access is tech. neutral. Crim. Proc. § 91. | Standard for access is tech neutral | Different standards apply to monitoring different locations, such as a home compared to a car. Unique standards apply to certain forms of data, such as DNA. | Standard for access is tech neutral. | Standard for access is tech neutral. | Standard for access is tech. neutral. | Standards for law enforcement are tech neutral, but distinguish between access in real-time versus stored. National security standards generally the same for stored and real-time, but vary for radio. |
Stored (cloud) data – different std (third party doctrine) | Separate provisions for stored vs. real-time access. | Issue currently unresolved by the Supreme Federal Court. | Cloud data may lose reasonable expectation of privacy. | Cloud data subject to greater protections | Communications are only protected from direct “interception” by government. | Third party access does not destroy an expectation of privacy. | Unclear | Unclear | Unclear | Unclear | Telecommunication service providers must obtain consent from the data subject before providing personal information to a third party, including government, absent a warrant (Telecommunication Business Act) | Cloud data may be “voluntarily” shared with gov.; additional consent not req. DPA §§ 28-29. | In general, no reasonable expectation of privacy in information held by 3rd parties; but one appellate court has held that stored content is constitutionally protected. |
Use, retention, disclosure limits | Data must be destroyed when no longer required. Telecom. Act § 14. | No clear use limitations exist. Information not used over the course of an investigation must be destroyed. | Complex limits created by Privacy Act. | None | Vague provisions exist regarding the sealing and destruction of previously intercepted communications. | Use must be necessary to the purpose for which the data were collected. BDSG §15(1). | None | Limits on use and disclosure, exemption for security. Privacy Protection Act §2(b) | Data may only be accessed and used by government entities “in order to discharge their institutional tasks” (Data Protection Code, Art. 18). | Strict usage limits; innocent conversations must be deleted within 30 days. | Communications surveillance may only occur for 2 months for law enforcement purposes. | Intercepted communications may not be used in legal proceedings. RIPA § 17. | Disclosure limited to “proper performance of … official duties.” 18 USC §2517(1). |
Oversight mechanisms | Reports to and by the Minister; intelligence surveillance reviewed annually. ASIO Guidance, para 11.1. | National Council of Justice established procedures limiting wiretaps. | Privacy Commissioner may investigate, audit. Minister of Public Safety annual report. | None | Independent Commission on Security Interceptions oversees national security wiretaps. | The G-10 Commission must approve certain surveillance. Parliamentary Control Panel publishes an annual report | Some ineffectual protections in Information Technology Act. | Numerous reporting requirements to the Attorney-General. | Data protection is overseen by the Data Protection Authority (Garante). Electronic interceptions must be authorized by judicial authorities. | Communications Interception Act requires annual disclosures of the number of interceptions | The Ministry of Information and Communications operates a wiretap complaint center. | Intercept Communications Commissioner reports to Investigatory Powers Tribunal. RIPA §§ 57-70. | Warrants require judicial approval; Congressional oversight of Nat. Sec. surveillance. |
Design mandates | Yes. | The Wiretapping Act permits police to request telephone companies provide the necessary technical services and personnel to perform the wiretapping. | None, though proposed. | Yes. | ISPs required to collect and store identification and log data of users. | Yes. | Crypto-key escrow required. Info. Tech. Act § 69(3)(b). | Equipment must support surveillance tech. Telecom. Act § 13. | Unclear. | None | None | Teleco. equipment must support surveillance tech. RIPA § 12(1). | Equipment must support surveillance. 47 USC § 1001-1021. |
Retention mandates | None, though mandate proposed. | None | None, though proposed. | 60 days for most data | Telecommunications operators are required to retain traffic data (including location data, and Internet logs) for one year. Hosting providers are required to retain similar logs relating to persons who create or store data using their hosting service | 6 month retention law held unconstitutional. | Vague retention mandates exist with length unclear. Info. Tech Act §67C. | Retention is allowed only for a “reasonable period of time.” | Traffic data must be retained by the provider for 24 months and electronic communications traffic data must be retained for 12 months. Data Protection Code, Art. 132. | None | Mobile phone service providers, credit card firms and mass transit operators are required to store customers’ records for one year (Protection of Communications Secrets Act) | Communications non-content data must be retained for 1 year. Data Retention Reg. §§ 3-5 | None |
Unmediated access | Member of 5 Eyes/ECHELON network; may have direct access to international radio or cable comms. | Brazilian Communications Agency has direct access to telecommunication databases. | Member of 5 Eyes/ECHELON network; may have direct access to international radio or cable communications. | Almost certainly has unmediated access. | Surveillance of international radiowaves. | Limited access to teleco. subscriber information. | Widespread access through Central Monitoring System. | Unclear | Unclear. | None known. | None known. | See Snowden leaks | See Snowden leaks |