TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

| Brazil’s golden opportunity: The need for an independent DPA Related reading: How to be compliant with Brazil's Data Protection Act



A commonplace in Latin American privacy forums for many years has been discussions on the hypothetical adoption of a privacy law in Brazil – the region’s giant – which, until now, had been reluctant to go forward with such an adoption.

The wait is over, as Brazil has now delivered a balanced, comprehensive privacy law that will surely be the most impactful privacy development in the region since the adoption of the Iberoamerican Data Protection Standards, which was launched in Chile in 2017.

This sense of achievement, echoed by colleagues and authorities throughout Latin America is however not yet complete. Gustavo Artese, in a recent piece for Privacy Perspectives, frames the upcoming complications perfectly. “Brazil is not for beginners,” he writes, quoting a local attorney. This describes the atmosphere of doubt and questions which will need to be addressed either by the current or the upcoming government.

At the forefront of the discussions is the creation of the Brazilian data protection authority, which is mandated in the law, and certainly a central component of any workable data protection regime around the world.

The Brazilian LGPD includes many of the privacy controls and balances created to ensure that personal data is handled responsibly, in a way that fundamentally protects the individual while at the same time allows for responsible and transparent uses of data compatible with the swift technological developments that come as a result of constant innovation. References to accountability as an essential privacy principle, the call for the adoption of industry codes of conduct, the differentiation between controllers’ and processors’ liability, the introduction of data protection impact assessments and the inclusion of several basis of processing, including legitimate interests, and certainly the considerable sanction regime, align this bill with the structural reforms introduced by the EU General Data Protection Regulation. They also go a long way further, and hence contribute to positioning the LGPD several steps ahead of some outdated privacy laws of the region, including the Colombian 2012 law.

These developments, however, may end up fading and being inconsequential if efforts are not directed towards finding a solution for the implementation of an effective, independent, specialized and well-resourced DPA.

These developments, however, may end up fading and being inconsequential if efforts are not directed towards finding a solution for the implementation of an effective, independent, specialized and well-resourced DPA.

Let the Colombian experience works as a reference. Up until 2012, privacy was only enforced through expedited constitutional procedures, served before any judge, and often limited in scope. The Constitutional Court conducted a remarkable effort and accurately defined the scope of the right to privacy and data protection, all of which was included by reference in the 2012 adoption of a comprehensive privacy law.

One of the tangible results of this piece of legislation was the addition of a Deputy Superintendence for Data Protection in the decades-old Superintendencia de Industria y Comercio: a technical and well-resourced, credible regulator, already empowered to address competition and consumer protection investigations.

As of its incorporation, the Superintendence positioned itself as a credible DPA, by efficiently addressing the complaints of data subjects, providing guidance to stakeholders on how to maintain and implement effective privacy programs, coordinating efforts with peers and, generally speaking, taking an active role in the promotion of responsible uses of data in a modern, technology-driven society.

The gamble to invest resources in the Colombian DPA have paid off: data subjects are now aware of their rights, and ever more confident to exercise them before companies and the DPA itself. Organizations have gradually understood and taken interest in the benefits of responsible data practices and advanced rapidly toward increased accountability and compliance, and the SIC has gained recognition and traction in the regulator community, leading to increased staffing and resources.

The creation of a DPA can never be solved with a one-size-fits-all approach, and Brazil will certainly need to find a good tailor to finish its suit. It’s a golden opportunity that properly capitalized, with the creation of an independent DPA, will turn the country into a fundamental player in the world of data protection.

photo credit: Eduardo Amorim À Pátria, em seu dia... via photopin (license)


If you want to comment on this post, you need to login.