Responses to Information Requests

Research Directorate, Immigration and Refugee Board of Canada

1. Overview

The Transparency Portal describes itself as [translation] "a free access website where citizens can find information on how public money is used," launched by the Comptroller General of the Union (Controladoria-Geral da União, CGU) in 2004; in 2018, a new version of the Portal was introduced (Brazil n.d.a). The Observatory of Public Sector Innovation (OPSI), a platform created by the Organisation for Economic Co-operation and Development (OECD) in 2011 that "work[s] with governments, academia, industry and global NGOs and civil society to provide cutting-edge public sector innovation support and guidance" and "provide[s] a global forum and knowledge hub for shared learning" (OECD n.d.), notes that the 2018 version of the Portal includes "a data warehouse (DW) which really integrates data from 17 sources" (OECD 2018-03-18).

Besides the federal Transparency Portal, there are also state and municipal transparency portals (Brazil n.d.b; Associate Professor 2023-10-23).

1.1 Information Contained in the Transparency Portal

According to its website, the Transparency Portal contains the following information:

[translation]

The data disclosed on the Portal comes from various sources of information, including the major structuring systems of the Federal Government—such as the Integrated Financial Administration System of the Federal Government [Sistema Integrado de Administração Financeira do Governo Federal (SIAFI) [1]] and the Integrated Human Resources Administration System [Sistema Integrado de Administração de Recursos Humanos (SIAPE) [2]]—, social benefits databases, Federal Government Payment Card [Cartão de Pagamentos do Governo Federal (CPGF) [3]] invoices, and public properties databases, among many others.

The bodies responsible for each source of information forward their data to the CGU, which receives, gathers, and makes available the information in the Portal. (Brazil n.d.a)

The same source also explains that the data disclosed by the Portal relates notably to annual budgets, public revenues, public expenditure, transferred resources, public servants, business travels, bids, and sanctions, among others (Brazil n.d.e).

The Transparency Portal provides data tables containing details on public servants in alphabetical order, notably their name, CPF number (six digits in the middle out of eleven) [see section 1.2 of this Response], type of employment (civil or military), administrative body (public institution or military branch), registration number (first three digits out of seven), status (active or inactive), and position (Brazil n.d.f).

1.2 CPF

According to its website, the CPF is a Brazil Federal Revenue (Receita Federal) database that contains the registration information of citizens registered as taxpayers, who can register only once, [translation] "which means that the CPF number is unique and definitive for each person" (Brazil n.d.g). According to the website of Brazil's Ministry of Foreign Affairs (Ministério das Relações Exteriores), a CPF number is required "to own assets and rights in Brazil which are subject to public registration," for example to open a bank account, buy a car or acquire real estate (2023-03-14). Under Law No. 14,534 of [11 January] 2023 (Lei nº 14.534, de 11 de janeiro de 2023), the CPF became the sole identification number for citizens [in public databases (BdF 2023-01-17)], and will also appear on all new documents issued by the Brazilian state (BdF 2023-01-17; Brazil 2023-01-12); the new identification [translation] "will only become fully implemented, however, after adjustments made by public bodies" (Brazil 2023-01-12).

Information about the CPF on the Federal Revenue website indicates that a CPF number can be canceled in cases of duplicates or [translation] "by decision in a procedure" (Brazil n.d.g).

For more information on the CPF, including requirements and procedures to obtain a number, see Response to Information Request BRA106280 of June 2020.

2. Ability to Access Personal Information in the Transparency Portal

InternetLab, a São Paulo-based think tank producing research and analysis on human rights related to technologies (InternetLab n.d.), reports that

[t]he social security identification number of any citizen can be accessed on the "Citizen Space – CadÚnico," a government's official website, by inserting the name, birth date, mother's name, and the beneficiary's city. It is also possible, in possession of the name, [Social Security Number (Número de Identificação Social, NIS)] and CPF, to access the benefit status on the Caixa Econômica Federal's website [a Brazilian state-owned bank (The Brazilian Report 2022-10-25)]. In the Transparency Portal, it is also possible to find, sorting by the municipality, the name of the beneficiary, social security identification number, and the benefit value. In addition to those, there is an extra-official public application through which some of these data can be accessed: the BolsaFamilia.Info. Through this portal, built by a private party aiming "to eliminate the fraudsters from the program [the Bolsa Familia Program is a money transfer governmental initiative designed to fight extreme poverty (InternetLab 2020-05-13)]," it is possible to access the full name, social security identification number, benefits' values, merely by defining the state and municipality of the beneficiary. (InternetLab 2020-05-13)

In correspondence with the Research Directorate, the Special Advisory Office for International Affairs (Assessoria Especial para Assuntos Internacionais) of the Minister's Cabinet (Gabinete do Ministro) of Brazil stated that a query on the Transparency Portal can be done without login or identification, using parameters such as the name, the CPF, the NIS or the Professional Fisherman Registration (Registro de Pescador Profissional, RGP) (Brazil 2023-11-08). The same source added that the personal information obtained can include the following:

1. Name;
2. CPF … partially. The CPF number is redacted, protecting the first 3 and last 2 digits of the total 11 digits. Example: XXX.123.456.XX;
3. NIS (… if existing);
4. RGP (… if existing);
5. City of Residence. (Brazil 2023-11-08)

According to sources, a search on the Transparency Portal will not provide the home address of an individual (Associate Professor 2023-10-23; representative 2023-10-17; Brazil 2023-11-08). In an interview with the Research Directorate, an associate professor at the Department of Civil Law of the University of São Paulo, who conducts research on personality rights in Brazil, including data protection and artificial intelligence, indicated that through a search with the [full] CPF number "in other public portals," such as the civil registry (Registro Civil) portal, the real estate (Registro de Imóveis) portal, or the commercial board (Junta Comercial) portal, an individual can gain access to personal information about another person, such as their date of birth or "where they live" (Associate Professor 2023-10-23).

2.1 Data Leaks and Privacy Breaches

Sources report that in 2022, personal data of citizens—[[translation] "mostly" (Brazil 2023-09-20)] beneficiaries of the Auxílio Brasil program—was leaked from databases (Brazil 2023-09-20; The Brazilian Report 2022-10-25). According to the Brazilian Report, an English-language news site that provides commentaries and analysis on issues affecting Brazil (Brazilian Report n.d.), 3.7 million of the people who enrolled in the Auxílio Brasil initiative, a federal "flagship cash-transfer program," were affected by the leak of personal data to financial institutions (2022-10-25).

According to media sources, in 2021, a leak of personal information, including CPF numbers and addresses, affected more than 223 million Brazilians [including some deceased persons (O Dia 2021-02-11)] (Agência Brasil 2021-03-19; O Dia 2021-02-11); the police arrested the suspected hacker in March 2021 (Agência Brasil 2021-03-19). Other sources indicate that in 2020, a personal data breach including full names, addresses and telephone numbers, at the Ministry of Health (Ministério da Saúde) affected 243 million Brazilians [including some deceased persons (CPO Magazine 2020-12-11)] (Al Jazeera 2023-08-25; CPO Magazine 2020-12-11). Metrópoles, a Brazilian newspaper published online, reports that hackers were able to get [translation] "confidential information" about public servants in the Federal District in February 2020 as a result of a "flaw" in the human resources system of the Federal District Government (Governo do Distrito Federal, GDF) (2020-02-21).

3. Protection of Personal Information in the Transparency Portal
3.1 Data Protection and Legislation

The Brazilian Constitution, amended in 2022, includes the following in its section about fundamental rights: "LXXIX - under the terms of the law, the right to protection of personal data is ensured, including in digital media" (Brazil 1988, Art. 5).

Sources state that the General Personal Data Protection Law (Lei geral de proteção de dados pessoais, LGPD) came into force in 2020 (DLA Piper 2022, 2; The Brazilian Report 2022-06-14) or "completely in 2021" (Access Now & Data Privacy Brasil Research Association 2022-03-31, para. 7). The LGPD, as amended by Law No. 13,853 of 2019, for which an English translation was published by Rennó Penteado Sampaio, a law firm in Brazil that provides consulting and litigation services in technology, real estate, and tax law, among others (Rennó Penteado Sampaio n.d.), provides the following:

Art. 1 This Law provides for the processing of personal data, including by digital means, by a natural person or a legal entity of either public or private law, with the purpose of protecting the fundamental rights of freedom and privacy and the free development of the personality of the natural person.

Sole paragraph. The general provisions of this Law are of national interest and must be observed by the Federal Union, States, Federal District and Municipalities. (by Law No. 13,853/2019). (Brazil 2018, emphasis in original)

The LGPD provides the following regarding the requirements to collect data:

Art. 7 Processing of personal data shall only be carried out under the following circumstances:

1. with the consent of the data subject;
2. for compliance with a legal or regulatory obligation by the controller;
3. by the public administration, for the processing and shared use of data necessary for the execution of public policies provided in laws or regulations, or based on contracts, agreements or similar instruments, subject to the provisions of Chapter IV of this Law;

…

§3 The processing of publicly accessible personal data shall consider the purpose, the good faith and the public interest that justify it being made available.

… (Brazil 2018, bold in original)

The same law indicates the following in cases of security incidents:

Art. 48. The controller must communicate to the national authority and to the data subject the occurrence of a security incident that may create risk or relevant damage to the data subjects.

§1 The communication shall be done in a reasonable time period, as defined by the national authority, and shall contain, at the very least:

1. a description of the nature of the affected personal data;
2. information on the data subjects involved;
3. an indication of the technical and security measures used to protect the data, subject to commercial and industrial secrecy;
4. the risks related to the incident;
5. the reasons for delay, in cases in which communication was not immediate; and
6. the measures that were or will be adopted to reverse or mitigate the effects of the damage.

§2 The national authority shall verify the seriousness of the incident if necessary to safeguard the data subjects' rights, it may order the controller to adopt measures, such as:

1. broad disclosure of the event in communications media; and
2. measures to reverse or mitigate the effects of the incident.

§3 When judging the severity of the incident, there will be an analysis of eventual demonstrations that, within the scope and the technical limits of the services, adequate technical measures were adopted to render the affected personal data unintelligible to third parties who were not authorized to access them. (Brazil 2018, bold in original)

According to sources, the LGPD established the National Data Protection Authority (Autoridade Nacional de Proteção de Dados, ANPD) (DLA Piper 2022, 3; Brazil n.d.h, 4). Sources report that the ANPD became independent in 2022 (The Brazilian Report 2022-06-14; DLA Piper 2022, 3) and that the institution was previously "link[ed]" to the Presidency of the Republic (Presidência da República) (DLA Piper 2022, 3). Sources indicate that citizens can make reports or complaints to the ANPD (Brazil n.d.h, 4; Três Marias 2022-02-10), which has the authority to investigate data leaks and determine remedial measures, which may include [translation] "wide dissemination of the [incident] in media[,] and measures to reverse or mitigate the effects of the incident," and forward the complaint to the competent correctional institutions (Três Marias 2022-02-10).

3.2 Possibility for Individuals to Manage Personal Data

The LGPD stipulates the following about the rights of the data subject:

Art. 18. The data subject, regarding the data subject's data being processed by the controller, at any time and by means of request, has the right to obtain the following from the controller:

1. confirmation of the existence of the processing;
2. access to the data;
3. correction of incomplete, inaccurate or out-of-date data;
4. anonymization, blocking or deletion of unnecessary or excessive data or data processed in noncompliance with the provisions of this Law; … (Brazil 2018, bold in original, footnote omitted)

The Special Advisory Office for International Affairs wrote that a claim for the deletion of personal data from the Transparency Portal can be made and "the request is analyzed on a case-by-case basis" and that "data considered sensitive [4], which may have been recorded in free text fields and automatically published, may also be removed in administrative requests made directly to the CGU" (Brazil 2023-11-08). The same source added that data deemed of public interest, but "at risk of possible misuse, is protected. Protection ranges from partial redaction (e.g. CPF) to complete protection (e.g. names of minors)" (Brazil 2023-11-08). In its FAQ section, the website of the Transparency Portal indicates that information can be protected [translation] "in various situations, such as public servants traveling for a confidential anti-corruption operation," and that "the responsible body defines the access restriction rules, which must be justified through secrecy or classification, as provided in articles 22, 23 and 24 of Law nº 12,527/2011 (Access to Information Law)" (Brazil n.d.b).

3.3 Enforcement

A national strategy on cybersecurity, approved by a 2020 decree by the Presidency of the Republic, indicates that because of a [translation] "greater access to digital networks, and due to the lack of maturity in cybersecurity, Brazil occupies a prominent place in the ranking of countries that receive the most cyber attacks" (Brazil 2020, Part. II, Sec. 2.4). According to sources, a report by Surfshark [a cybersecurity company (Costa Norte 2022-01-12)] ranked Brazil in the sixth position in its list of countries with the highest number of data breaches in 2021 (Costa Norte 2022-01-12; Access Now & Data Privacy Brasil Research Association 2022-03-31, para. 18), with approximately 24.19 million cases of accounts that suffered data breaches in 2021 (Costa Norte 2022-01-12). According to Costa Norte, a Brazilian news site, the US was in the first position and France was in the fifth in the Surfshark report (2022-01-12).

A monitoring report published by the ANPD indicates that in 2022, the organization received 1,045 requests and 287 [translation] "reports of security incidents"; the ANPD initiated 15 "investigation proceedings," and 8 administrative sanction proceedings, among which 7 were filed against government institutions, including the Ministry of Health (Brazil 2023-08, 6, 20, 21). Sources report that the ANPD imposed its first fine in July 2023 on a private company for noncompliance with the LGPD requirements (Forbes 2023-07-11; Brazil 2023-07-13). According to the website of the Federal Public Prosecutor's Office (Ministério Pûblico Federal, MPF) in São Paulo, following a public civil action over data leaks from databases managed by the Union [of Brazil], Caixa Econômica Federal, and the Social Security Technology and Information Company (Empresa de Tecnologia e Informações da Previdência, Dataprev) [5] in 2022, the Federal Justice (Justiça Federal) ruled in September 2023 that the three organizations and the ANPD must pay 15,000 Brazilian Real (BRL) [C$4,180] in damages to [translation] "around" 4 million Brazilian citizens (Brazil 2023-09-20). In December 2023, the MPF announced that the institution was the coauthor of a public civil action against the company responsible for a privacy breach in 2021, in which the personal data, including CPF numbers, of 223 million Brazilians was leaked (Brazil 2023-12-04). The MPF also requires in its lawsuit that the ANPD be held responsible for [translation] "undue exposure" and requests that the ANPD completes administrative proceedings against the company responsible for the leak, as the ANPD "failed to fulfil its legal duties" (Brazil 2023-12-04).

An article published in 2023 by Folha de S.Paulo, a Brazilian daily newspaper, quotes a director at the ANPD as stating that [translation] "since the beginning of the ANPD's activities, a greater number of cases of attacks and leaks of personal data have been observed in the public sector, the largest holder of [personal] information" (2023-06-23). The Associate Professor stated that Brazil has a "legal culture and long history" of collecting "a lot" of personal data about its citizens, and that private and public bodies can collect information like the CPF number or the home address even for "small or unimportant transactions" (2023-10-23). According to the same source, the laws to protect personal data "were issued too late to fully address the problem and they are inefficient," and "the risk [to individuals] in practice is usually low, because they [criminal organizations] collect thousands or millions of personal data" (Associate Professor 2023-10-23). The Associate Professor also stated that citizens can make complaints to "police authorities in various jurisdictions" in cases of misuse of their personal data, but that the authorities' personnel and resources "are insufficient" to address these issues "effectively" (2023-10-23). According to a 2023 article by Al Jazeera, the Director-President of the ANDP indicated that 150 people work for the organization (2023-08-25).

This Response was prepared after researching publicly accessible information currently available to the Research Directorate within time constraints. This Response is not, and does not purport to be, conclusive as to the merit of any particular claim for refugee protection. Please find below the list of sources consulted in researching this Information Request.

Notes

[1] The Integrated Financial Administration System of the Federal Government (Sistema Integrado de Administração Financeira do Governo Federal, SIAFI) "is the primary tool used in federal government budget and financial management. The system provides support to central, sectoral and executive public management entities" (Brazil 2020-04-20).

[2] The Integrated Human Resources Administration System (Sistema Integrado de Administração de Recursos Humanos, SIAPE) is a [translation] "nationwide system created with the mission of integrating all public servants' payroll management platforms. Today, SIAPE is one of the government's main structuring systems and is responsible for producing payrolls for more than 200 federal agencies" (Brazil n.d.c).

[3] The Federal Government Payment Card (Cartão de Pagamentos do Governo Federal, CPGF) is a [translation] "payment method used by the government that works in a similar way to [a] credit card … but within specific limits and rules. The government uses the CPGF to pay its own expenses" (Brazil n.d.d).

[4] The General Personal Data Protection Law (Lei geral de proteção de dados pessoais, LGPD) defines the different types of data in the following way:

Art. 5 For purposes of this Law, the following definitions apply:

1. personal data: information regarding an identified or identifiable natural person;
2. sensitive personal data: personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data, when related to a natural person;
3. anonymized data: data related to a data subject who cannot be identified, considering the use of reasonable and available technical means at the time of the processing; … (Brazil 2018, bold in original)

[5] The Social Security Technology and Information Company (Empresa de Tecnologia e Informações da Previdência, Dataprev) is a "public firm in charge of the monthly payroll of all pensioners and beneficiaries of welfare programs" (The Brazilian Report 2022-10-25).

References

Access Now & Data Privacy Brasil Research Association. 2022-03-31. Joint Submission to the United Nations Human Rights Council on the Universal Periodic Review 41st Session Fourth Cycle for Brazil. [Accessed 2023-11-28]

Agência Brasil. 2021-03-19. Karine Melo. "Police Arrest Hacker Suspected of Biggest Data Leak in Brazil." [Accessed 2023-09-28]

Al Jazeera. 2023-08-25. Angelica Mari. "Evolving Threats: The State of Personal Data Protection in Brazil." [Accessed 2023-08-07]

Associate Professor, Universidade de São Paulo, Brazil. 2023-10-23. Interview with the Research Directorate.

Brasil de Fato (BdF). 2023-01-17. Mariana Lemos. "CPF passa a ser o principal documento no Brasil; entenda o que muda." [Accessed 2023-09-27]

Brazil. 2023-12-04. Ministério Público Federal (MPF), Procuradoria da República em São Paulo. "MPF requer da Serasa o pagamento de multa superior a R$ 200 milhões por vazamento de dados pessoais." [Accessed 2023-12-14]

Brazil. 2023-11-08. Correspondence from the Assessoria Especial para Assuntos Internacionais do Gabinete do Ministro to the Research Directorate.

Brazil. 2023-09-20. Ministério Público Federal (MPF), Procuradoria da República em São Paulo. "Justiça determina indenização de R$ 15 mil a cidadãos que tiveram dados pessoais vazados em 2022." [Accessed 2023-11-28]

Brazil. 2023-08. Ministério da Justiça e Segurança Pública, Autoridade Nacional de Proteção de Dados (ANPD). Relatório do ciclo de monitoramento - Exercício 2022. [Accessed 2023-11-28]

Brazil. 2023-07-13. Ministério da Justiça e Segurança Pública, Autoridade Nacional de Proteção de Dados (ANPD). "ANPD aplica a primeira multa por descumprimento à LGPD." [Accessed 2023-11-02]

Brazil. 2023-03-14 (updated 2023-07-09). Ministério das Relações Exteriores, Embaixada do Brasil em Estocolmo. "CPF - Individual Taxpayer Registry ['Cadastro de Pessoa Física']." [Accessed 2023-09-27]

Brazil. 2023-01-12. Senado Federal, Agência Senado. "CPF será número único de identificação do cidadão, determina lei sancionada." [Accessed 2023-10-31]

Brazil. 2020-04-20 (updated 2020-07-21). Ministério da Fazenda, Tesouro Nacional. "What Is SIAFI?" [Accessed 2023-12-06]

Brazil. 2020. "Anexo: Estratégia Nacional de Segurança Cibernética." Decreto nº 10.222, de 5 de fevereiro de 2020. [Accessed 2023-10-11]

Brazil. 2018 (amended 2019). Brazilian General Data Protection Law. Translated by Ronaldo Lemos, et al., based on an initial version by Monica Hruby. Rennó Penteado Sampaio. [Accessed 2023-09-28]

Brazil. 1988 (amended 2022). Constitution of the Federative Republic of Brazil. [Accessed 2023-10-11]

Brazil. N.d.a. Controladoria-Geral da União (CGU), Portal da Transparência. "O que é e como funciona." [Accessed 2023-08-06]

Brazil. N.d.b. Controladoria-Geral da União (CGU), Portal da Transparência. "Perguntas frequentes." [Accessed 2023-09-27]

Brazil. N.d.c. Ministério da Fazenda, Serviço Federal de Processamento de Dados (SERPRO). "Siape - Sistema Integrado de Administração de Recursos Humanos." [Accessed 2023-12-06]

Brazil. N.d.d. Controladoria-Geral da União (CGU), Portal da Transparência. "Cartão de Pagamento do Governo Federal." [Accessed 2023-12-06]

Brazil. N.d.e. Controladoria-Geral da União (CGU), Portal da Transparência. "O que você encontra no Portal." [Accessed 2023-08-06]

Brazil. N.d.f. Controladoria-Geral da União (CGU), Portal da Transparência. "Consulta de servidores." [Accessed 2023-08-06]

Brazil. N.d.g. Ministério da Fazenda, Receita Federal. "Meu CPF." [Accessed 2023-09-27]

Brazil. N.d.h. Consejo Nacional de Defensa del Consumidor (CNDC) with Autoridade Nacional de Proteção de Dados (ANPD) & Secretaria Nacional do Consumidor (SENACON). How to Protect Your Personal Data. [Accessed 2023-11-02]

The Brazilian Report. 2022-10-25. Amanda Audi. "How Bolsonaro Loads the Dice Ahead of the Presidential Runoff." [Accessed 2023-12-14]

The Brazilian Report. 2022-06-14. Constance Malleret. "Brazil's Data Protection Authority Becomes an Independent Agency." [Accessed 2023-09-27]

The Brazilian Report. N.d. "About Us." [Accessed 2023-11-28]

Costa Norte. 2022-01-12. "No Brasil 24,19 milhões de pessoas sofreram com violação de seus dados em 2021." [Accessed 2023-11-28]

CPO Magazine. 2020-12-11. Alicia Hope. "Brazil's Health Ministry's Website Data Leak Exposed 243 Million Medical Records for More than 6 Months." [Accessed 2023-10-11]

DLA Piper. 2022 (updated 2023-01-28). "Brazil." Data Protection Laws of the World. [Accessed 2023-10-11]

Folha de S.Paulo. 2023-06-23. Luany Galdeano. "Setor público ainda busca equilíbrio entre transparência e proteção de privacidade." [Accessed 2023-11-02]

Forbes. 2023-07-11. Angelica Mari. "Brazil Issues First Fine for Data Protection Breach." [Accessed 2023-09-27]

InternetLab. 2020-05-13. Julia Drummond, et al. "Brazil's Bolsa Familia Program: The Impact on Privacy Rights." [Accessed 2023-09-28]

InternetLab. N.d. "What Is InternetLab?" [Accessed 2023-11-29]

Metrópoles. 2020-02-21. Francisco Dutra. "Falhas nos sistemas do GDF expõem dados de servidores públicos." [Accessed 2023-08-07]

O Dia. 2021-02-11. Luciano Bandeira. "Internet Insegura." [Accessed 2023-10-31]

Organisation for Economic Co-operation and Development (OECD). 2018-03-18. Observatory of Public Sector Innovation (OPSI). "Brazilian Transparency Policy and the Transparency Portal." [Accessed 2023-08-06]

Organisation for Economic Co-operation and Development (OECD). N.d. Observatory of Public Sector Innovation (OPSI). "About." [Accessed 2024-07-05]

Rennó Penteado Sampaio. N.d. "The Law Firm." [Accessed 2023-12-20]

Representative, Embassy of Brazil in Ottawa. 2023-10-17. Correspondence with the Research Directorate.

Três Marias. 2022-02-10. Portal de Integraçâo e Transparência. Clara Isabella Fonseca Lemos. "Vítimas de vazamento de dados podem denunciar o crime à Autoridade Nacional de Proteção de Dados (ANDP)." [Accessed 2023-09-27]

Additional Sources Consulted

Oral sources: Brazil – Ministério da Justiça e Segurança Pública, Ministério da Previdência Social; The Brazilian Report; Data Privacy Brasil Research Association; Instituto Igarapé; InternetLab; Justiça Global; technology law firm in Brazil; Transparency International.

Internet sites, including: Amnesty International; Associated Press; Austrian Red Cross – ecoi.net; Correio Braziliense; Factiva; Freedom House; The GovLab – Open Data Impact; Human Rights Watch; International Crisis Group; Jornal do Brasil; OneTrust DataGuidance; Privacy International; Transparency International; UN – Refworld; US – CIA, Department of State, Library of Congress.