If you never heard of FaceApp, a smartphone app that provides photo-transformations and recently went viral, you probably saw at least one friend, or a famous character, posting his or her AI-aged selfies on social media.
And with the same speed that the Russian-developed app went viral, legal issues began to arise in severalcountries, including Brazil.
The ˜Procon SP Foundation”, a not-for-profit consumer protection watchdog linked to the Secretary of Justice from the State of Sao Paulo, recently sent warning letters to the developers of FaceApp, Wireless Lab, as well as to Apple and Google, owners of the virtual stores that make the app available In Brazil. In these letters, Procon SP demands all companies to inform and clarify why the application collects consumer data.
Current media coverage about the app’s popularity in Brazil highlights issues involving its Terms of Use and Privacy Policy . These allow, for example, FaceApp’s developer to broadly collect, and share to the public, images and additional data from any users, without informing the period of retention for the data and the actual use for such content.
Clause 5 of FaceApp's Terms of Use state as follows:
“You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you. When you post or otherwise share User Content on or through our Services, you understand that your User Content and any associated information (such as your [username], location or profile photo) will be visible to the public.”
In its letter, Procon SP also complained that both the Terms of Use and Privacy Policy are not available in Brazilian Portuguese versions, which creates difficulties for Brazilian customers to understand their exact scope. Further, if Apple and Google are profiting from the app, they should be held liable in Brazil for being on notice of such concerns before allowing FaceApp to be available in their local stores.
While the above issues could be interpreted in Brazil as “minor” violations of our consumer protection law, it is interesting to examine how the privacy argument became a pivotal issue in such debate. Now that Brazil has approved its Data Protection Law (Lei Geral de Proteção de Dados, or “LGPD”) and passed the necessary laws to create a Brazilian data protection uthority (Agencia Nacional de Proteção de Dados, or “ANPD”), privacy has become a “hot topic” for the Brazilian press. A few days after the app went viral, several media outlets started to alert users about these privacy issues, and consumer authorities were pushed to react.
At present, since LGPD is not into force yet (this might occur in August 2020), it is up to public prosecutors to decide the possible next steps against FaceApp or its local resellers. Before LGPD, Brazil did not have a specific data protection law, but privacy was briefly mentioned in other legislation, such as our Internet Bill of Rights (“Marco Civil da Internet”).
Moreover, as data breaches and privacy concerns usually involve customer data, authorities could use a broader interpretation to fit any problems within the scope of Brazil's Consumer Protection Law, and use it to try to block or shut down the app in Brazil. However, on previous occasions the interest on data protection was not as big as it is today. We are now seeing a clear growth in customer awareness regarding privacy, which leads authorities to get more involved and, consequently, increases the risk of possible lawsuits for app developers from Brazil and abroad.
The presence of FaceApp in Brazil is not a major incident, as it is in other countries. And, let's be honest – FaceApp’s Terms of Use are not too different from other popular apps we often use. But there is a lesson we can learn from this situation: In a world where facial recognition surveillance and “deep fakes” are a reality, a “fun filter” for a selfie can become a privacy problem, particularly if this selfie is collected and used inadequately, for unclear purposes.
Since LGPD`s rules will, in the very near future, fully apply to any developer offering his app or making it available to customers located in Brazil, developers should do their best to clarify their policies for collecting, storing and using the data of consumers using any application, before entering the Brazilian market. Also, using “privacy by design” methodologies to address data protection during the app’s development phase could help to avoid such problems when the app “goes live”, guaranteeing a safer level of compliance with Brazilian data protection laws.
If all else fails, a developer should be ready to handle possible backlash from Brazilian authorities, which can be very aggressive if pushed by the media. While Privacy and Data Protection Law is probably now “the practice to develop” for several local firms, consultants and legal practitioners, it is still advisable to seek specialized legal advice if your app becomes so viral and popular to become a problem for Brazilian authorities.
_____________
*Dirceu Pereira de Santa Rosa is a partner at the law firm Montaury Pimenta, Machado & Vieira de Mello Advogados.
