BMA Advogados Partner Felipe Palhares, CIPP/A, CIPP/C, CIPP/E, CIPP/US, CIPM, CIPT, FIP, PLS, CDPO/BR, CDPO/FR has become the first person in the world to hold all active IAPP certifications. Palhares, of Brazil, recently passed his final certification test for CDPO/FR to earn the distinction.
Palhares is no stranger to the IAPP, he currently serves as executive editor of the CDPO/BR Training Program. His resume includes stops at multiple Brazilian law firms. He also holds a cybersecurity certification from Harvard University and a Professional DPO certification from Maastricht University.
In this Member Spotlight, Palhares reflects on completing all his IAPP certifications. He also looks ahead to how he will apply the knowledge he’s gained from preparing for each of his certification exams to help his clients navigate the unsettled legal terrain that is the Brazilian's General Data Protection Law.
The Privacy Advisor: The final IAPP certification you received was for CDPO-France, did you know you wanted your career to be so globally focused?
Palhares: The idea actually was always to be globally focused. So, one thing that calls my attention to the privacy and data protection world is that it is no doubt an international issue. When you think about international data transfers, let's say from Brazil to the U.S.; for individuals, when you get to the border you have to issue a passport or a visa or something like that. (With) data, it's not like that. It just flows, right? So, when I send data from Brazil to the U.S., it just flows. It doesn't require a visa or a passport. So, by its nature, privacy and data protection seems to me like a real international issue. I always wanted to focus my career, not only in Brazil, but abroad. I practice law in Brazil, mainly, but we have a lot of international clients. Because of this, it's really important to at least understand how different laws work around the world.
The Privacy Advisor: When and where did your interest in privacy work begin? Did it start with your pursuit of your advanced degree at New York University, or did it evolve more over time?
Palhares: I think it evolved over time. I graduated in Brazil 11 years ago in 2010. At that time, I actually started working with litigation. So, when I went to NYU, I knew I wanted to focus on privacy, and I was studying information privacy law. From that moment on, my career was focused entirely on privacy and data protection technology. But it was not something that came at first when I graduated, it was evolving over time. Part of that is because in Brazil, right now, we have a General Data Protection Law, but it is quite recent. So, before that, we had sectoral laws like you have in the U.S., and they are aimed at consumer relationships, finance and financial institutions, or have different aspects of those laws that also connect with privacy, and all of those are still enforced on some level. But nowadays, we have a General Data Protection Law, which is similar to the EU General Data Protection Regulation, and it is a law that all kinds of organizations need to comply with. So it doesn't matter your sector, it doesn't matter how big you are, you need to comply with the LGPD, which is the Brazilian General Data Protection Law.
The Privacy Advisor: What was that feeling like when you received the notification you passed your last certification course, and you had become the first person in the world to hold all active IAPP certifications?
Palhares: It was quite rewarding. It's pretty amazing, of course, to be the first at something in this world. I’ve never even won a raffle, and I bought a lot of raffle tickets over the years. But it was quite rewarding even though the goal was not to set out and be the first person in the world to do this. The goal was really to understand privacy laws around the globe; understand how they interact, the differences between all of them. But it’s still rewarding knowing that, at least at this time, I was the first person in the world to achieve something special. I'm from Brazil, and when you think about it, the IAPP is a U.S. organization and all the tests are in English and some tests are in French and in Portuguese, so there's a lot of challenges for someone that is from Brazil with the different languages.
The Privacy Advisor: What additional professional opportunities does obtaining all of your IAPP certifications open up for you as a leading privacy expert in Brazil?
Palhares: I think there are a lot of opportunities. I actually consider the IAPP certifications and designations are quite relevant for any privacy professional. There are a lot of other organizations, certifications and schemes, but I really believe that the IAPP is the strongest one and the most relevant one for this community. Usually when you have a CIPP certification it's something that the privacy community can understand that it took a lot of time. You have to study, you have to pass a test that is not easy, and I think this is rewarding as well. I have different certifications from other organizations, and I can say for sure that the IAPP tests and exams are the toughest. It's not like an easy task that you just go over there and say, “Hey, let's do this. It's gonna work.” I'm fortunate enough to pass all of my exams on my first sitting, but I know a lot of people, who are great professionals and really knowledge people, who fail to pass it at first. So, this is something that maybe if you are ready, if you are reading this or for anyone that decides to read the story, I really believe that any kind of certification from the IAPP could be huge (point of) leverage for his or her career.
The Privacy Advisor: Now that you have obtained all the active IAPP certifications, what does the future look like for your work in Brazil helping your clients navigate the relatively new LGPD?
Palhares: I think there's a lot of challenges ahead, especially in Brazil. The law here is really new. We have a new data protection authority that started working last year, mainly and because of that, there are a lot of things that still need to be regulated in Brazil. So, the future holds a lot of challenges. We are only seeing, right now, the beginning of the evolution of privacy laws in Brazil. If you look at the big picture, and if you look around the globe, we are seeing a lot of different laws being enacted right now. We have China, we have India talking about a new law, while we have the U.S. considering the federal law, which is something that you have been considering for a long time and it's still something that is ongoing. But if you think about the global picture, privacy laws are all around the world and they are turning into new laws, and previous laws are being revoked. So, I believe that not only in Brazil, but there's a lot of challenges for privacy in the future worldwide.
The Privacy Advisor: Given the varying states of compliance with the LGPD by businesses across the Brazilian economy, do you see yourself as playing a leading role in how the law evolves and takes hold in your country?
Palhares: I really love this field. I work with privacy every day; all of my time is devoted to practicing data protection, at this time. A lot of my work is involved in cybersecurity as well. We have seen a lot of ransomware attacks in Brazil and around the world but in especially Brazil lately, c'est la vie. I've been helping a lot of organizations that were target of ransomware attacks and responding to those kinds of incidents by notifying the Data Protection Authority and other regulators. So, I want to believe that I play a part here, but you know, there's a lot of awesome professionals that also work with privacy data protection. I'm not sure if I can say that I'm a leading one. I want to believe I do a lot of things here in this field, but maybe this is something that other people can say about me.
Photo by Keagan Henman on Unsplash
