Report by Juliano Souza de Albuquerque Maranhão
Ethical Aspect
The Policy provides welcome procedural clarity to the substance of the various enforcement procedures carried out by ACM. While the procedures themselves are publicly available, the specification of the conditions in which information may (or may not) be disclosed as part of the procedures or as a preventive measure for harm is well in line with Brazilian cultural standards on what makes a procedure fair and on the expectations of transparency in institutional actors. The Policy does well in acknowledging the various interests at stake, as it starts from the premise that claims are legitimate (even if ultimately dismissed) and recognizes the need for fair and accountable decision-making in the procedures, while still accounting for the fact that some kinds of disclosure may impact the privacy of the various parties to the proceedings or motivating other kinds of harm. Given the complexity of these factors, any judgments on disclosure will need to attend to the particularities of individual proceedings. Still, the Policy under analysis makes things clearer both for decision-makers and for the parties to the proceedings.
With this guidance goal in mind, some aspects of the Policy require further development. The first such aspect is that any exceptions to the general disclosure rules should be justified by the decision-makers. At various points, the Policy authorizes decision-makers to withhold information they would otherwise be expected to disclose. For example, they are expected not to disclose the decision to the complainant if there is a “justifiable expectation of unreasonable harm” from said disclosure. But what counts as a “justifiable expectation” or an “unreasonable harm” depends on the context being analyzed and on the cultural background of the decision-makers. As such, decision-makers might lack the information they need to make an informed judgment on these matters, while the parties to the proceedings might not trust that any such decision is not arbitrary. These factors are compounded by the global reach of the ACM, which means that proceedings might involve decision-makers and parties with little shared background. To build trust in the use of exceptions to disclosure, I recommend two measures. First, the guidance provided to decision-makers should accompany examples of situations in which an exception is clearly applicable, as well as examples of situations that require further attention. Second, any use of exceptions to disclosure should be justified in writing with the factors that led to its application. By doing so, it will not only be possible to ensure accountability for any exceptional decisions, but future decision-makers will also benefit from richer guidance when deciding on whether to disclose information.
A second point that warrants attention is the definition of a “minor violation.” Given that one of the Policy’s goals is harm prevention, it makes sense to stipulate a reduced degree of disclosure in cases where said disclosure would do more harm than good. However, the definition of a “minor violation” as a “repairable” violation creates some problems, especially in the absence of a clear definition of what reparation is enough to make something count as a minor violation. So, I recommend defining “minor violation” in terms of the impact of the violation on the lives and careers of affected persons, rather than on the possibility of reparation. Such a definition would also ensure that harmed individuals can accept offers of reparation without having to worry that, in doing so, they will let potentially severe violations go without any form of disclosure.
A final, and related, point is that the Policy would gain from a more explicit engagement with the value of disclosure beyond the parties to the proceedings. While the disclosure of aggregate data about complaints is welcome, it is not enough to address two important types of spillovers of individual proceedings into the broader ACM community. The first, and simplest to address, is that information about the reasoning applied to previous cases—even if anonymized—might help people in navigating the grey zones of each policy. To balance the need for guidance and the need for confidentiality, I recommend that the information from disciplinary proceedings should be used to construct guidelines for the general audience. But such guidelines would not address a second, more pervasive, issue: that a norm of confidentiality means that information will circulate through informal “whisper networks” that often do not reach outsiders that might be at risk from repeat offenders. There is no simple solution to this problem, and perhaps the best ACM can do in this regard is to enforce fairly and fully its substantive policies. Still, it is important to understand that confidentiality, for all its advantages and unavoidability, comes at a price.
Contextual Aspect
The points above notwithstanding, the Policy would boost the legitimacy of ACM’s enforcement procedures. It does so by ensuring the parties to the proceedings that their rights will be respected, and by ensuring the community that any decisions were made in a fair and transparent manner. As such, it is likely to be well accepted by Brazilian computing researchers and professionals, especially as it does not provide substantive departures from other professional disclosure requirements.
One point that might introduce some friction regards disclosure of information to the respondent. Under point 4 of the general rules for disclosure (Section 2), consent is presented as a minimum requirement for disclosing to the respondent the identity of a complainant, harmed individual, or witness. This requirement clashes with current practices in Brazil at two points. First, it requires the consent of the complainant or witness, but not of the harmed individual. I recommend changing the formulation to “Disclosing the identity of a complainant, harmed individual or witness to the respondent minimally requires the consent of that individual.”
Such a rule is not alien to a Brazilian context. In fact, public sector ombudsmen are allowed to withhold the identity of complainants if doing so does not create obstacles to the investigation. Still, it goes against the practice of other professional associations: the Brazilian Bar Association1 and the national body for engineers2 both require disclosure of the complainant’s identity to the respondent. In that spirit, I recommend increasing the flexibility of the consent requirement mentioned above, turning it into a desirable condition or introducing some exceptions that allow for non-consensual disclosure.
Legal/Contractual Aspect
Since the ACM is not a public body, it has considerable flexibility under Brazilian law when it comes to defining its policies. This freedom, however, is constrained by two important limits. The first one is that any policies must comply with applicable law. In particular, Brazilian data protection law needs to be observed if any personal data is processed or collected in Brazilian territory. As a result, any disclosures prepared from Brazil or concerning individuals located in this country, regardless of the length of their stay or citizenship status, must observe the requirements laid down in the General Data Protection Law (Lei 13.709/2018, a.k.a. LGPD).
Furthermore, case law in Brazil establishes the horizontal effect of fundamental rights. This means that the various rights laid down in the Brazilian Constitution, particularly in its Article 5, apply not only to the Government but also to private actors and civil society organizations, such as ACM.3 The Policy does not clash, in general lines, with such a requirement; in fact, as discussed above, it contributes to procedural fairness. Still, the Constitution establishes a right to procedural publicity,4 under which the law can only restrict the publicity of proceedings if that is required by the defense of intimacy or by social interest. Given the private character of ACM, such a provision should not be understood as requiring full transparency of enforcement proceedings. Still, I recommend that cases involving parties or enforcers based in Brazil interpret the Policy’s provisions with an assumption that information should be disclosed except if the Policy specifies otherwise.5
1 Código de Ética e Disciplina da Ordem dos Advogados do Brasil, art. 55.
2 Regulamento para a Condução do Processo Ético Disciplinar, art. 7.
3 See, for example, case RE 201.819/RJ, in which the Supreme Court ruled that the Brazilian Composer’s Union had to observe the right to full defense and adversarial proceedings in its decision to expel a member.
4 CFRB, art. 5, LX.
5 And, as I recommend above, any exceptions to the policy itself need to be justified.