A little less than 2 months ago, Law No. 14.132/2021 added the crime of persecution to the Penal Code, criminalizing the conduct commonly known by the English term “stalking”. The new offense consists of “persecuting someone, repeatedly and by any means, threatening their physical or psychological integrity, restricting their ability to move or, in any way, invading or disturbing their sphere of freedom or privacy”.
Upon complaint by the victim, the offender may be sentenced to imprisonment of 6 months to 2 years and a fine. The penalty may be increased by half if the act is committed against a child, teenager or elderly person; against a woman for reasons of gender; by two or more people; or with the use of a weapon.
With this legislative innovation, Brazil joins countries such as France, Italy, Germany, India, the Netherlands, Canada, Portugal and the United Kingdom, whose criminal laws also treat “stalking” as a crime.
It is noteworthy that the crime often takes place online (cyberstalking), with the stalker using technology to amplify acts of stalking, such as sending messages through social media tools. There are even applications developed with the aim of supporting practices of this kind, allowing the user, for example, to monitor the times when the person targeted remains online or to monitor their activities.
There are also applications that were originally designed for legitimate purposes, such as a parent's or guardian's monitoring of a minor’s online activity, but which end up being misused by stalkers.
This distortion of the purpose of a technological tool, a phenomenon known as “function creep”, together with the possibility of criminal punishment for the conduct of users, can lead to reputational consequences for the organizations responsible for the improperly exploited technology.
Black Mirror of real life
As an example, in 2012, two large technology companies had to respond publicly to the emergence of an application, developed by a third-party company, called Girls Around Me.
In short, the application extracted and combined data from social media platforms and then displayed the profiles and locations of women who had registered their presence online at establishments close to the user (an act known as “checking in”).
On the app’s download page, it was announced: “Girls Around Me is a revolutionary ‘scanner’ that transforms your city into a dating paradise”. However, unlike what happens on normal dating platforms, the girls displayed in the app had no idea that the tool existed, and the creation of their profiles was entirely involuntary and never communicated to them.
In this context, there was a lot of discussion at the time as to what extent the existence of the application would represent a legal violation. Arguments emerged that, since the women had made public the data in their social media profiles that the application consumed, merely organizing and making such information available would not constitute any irregularity.
This defense is an adapted version of the saying “she was asking for it”, an absurd and unreasonable attempt to justify abuses by placing on the victim a guilt that should never be attributed to her. Although the data that fed the platform were, in fact, originally made available by the women on their social media profiles, this does not mean that the app could freely exploit such information, still less in the way intended, packaging it and presenting it in a way that almost encourages the commission of a crime. No wonder the episode created the need for explanations and culminated in the removal of the application from app stores.
In any case, regardless of the discussion about the legality of Girls Around Me, the event serves as a wake-up call to technology companies in general, whose solutions may tomorrow be used to support projects by unorthodox developers, so to speak, and leave them having to explain the absence of measures to prevent this misuse of purpose.
Therefore, it is worth remembering that, when developing technology, organizations must assess the possible impacts on privacy from the outset (an approach known as “Privacy by Design”), asking “what if?” about the possible abuses that the various potential users may commit, thus avoiding the occurrence of “function creep”, which can have serious reputational consequences. Increasingly, organizations must be able to demonstrate that they promote and care for the lawful, but also fair and ethical, use of the personal data entrusted to them.
Paulo Vidigal, columnist of TechWorld, is a partner at Prado Vidigal, specialized in Digital Law, Privacy and Data Protection, and certified by the International Association of Privacy Professionals (CIPP/E). He holds a postgraduate MBA in Electronic Law from Escola Paulista de Direito, with extension studies in Privacy and Data Protection from Universidade Presbiteriana Mackenzie and in Privacy by Design from Ryerson University.