Last year, 2018, proved to be a very important year for data protection in Brazil. As recalled by European Data Protection Supervisor Giovanni Butarelli, Brazil is now considered the most populated country in the world to have a national general data protection law. There are, therefore, great expectations concerning privacy themes that should take a leading role in the privacy agenda in 2019.
National data protection authority model: Free flow of information and compliance
As the lights of 2018 went off and shortly before ending his term as a Brazilian president, Michel Temer created the Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados), along with the National Council for the Protection of Personal Data (Conselho Nacional de Proteção de Dados Pessoais e da Privacidade), through Executive Order n. 869/2018. It is worth remembering that the ANPD and the CNPD were both vetoed by the president when he sanctioned the general data protection law, Law n° 13.709, in August 2018, arguing there would be a flaw at the formal constitutionality in the legislative process.
Even though the former president claimed he would create the authority "with pretty much the same words," that did not happen. Unlike what had been proposed in PLC 53/2018, unanimously approved in the National Congress, the ANPD belonged to the Direct Public Administration and was subordinate to the Presidency of the Republic. It is the opposite model of a special autarky regime, which, according to the table below, would grant more institutional, functional and financial independence to the ANPD.
The existence of an autonomous and independent regulatory body is a key factor for Brazil to be considered a country with an adequate level of data protection, which would allow the country to be able to freely receive data transfers from people located in other countries and other economic blocks (e.g, in the case of Japan and EU).
In one of his recent visits to Brazil, Bruno Gencarelli, who heads the International Data Flows and Protection Unit at the European Commission, stated there would be a convergence between Brazilian and EU legal frameworks, but it would be essential to have a DPA for a future agreement on the creation of a geographical area of free data flow.
Sophie Kwasny, head of the Data Protection Department of the Council of Europe, also stressed the importance of an independent audit framework. During theBrazilian Privacy Seminar, she recalled how the very history of the International Convention on Personal Data Protection 108 — in its original text in 1980, as well as in its recent process of modernization in 2018 — indicates that it is an international standard to have an autonomous oversight body. Currently, more than 50 countries have acceded to Convention 108, which includes countries with socioeconomic realities that are quite similar to the ones in Brazil.
Moreover, beginning at the second half of 2020, data from Brazil can only leave the country in the direction of countries that have an adequate level of data protection or if another international data transfer mechanism is activated. The ANPD will define the content of standard contractual clauses, and it will also validate specific contractual clauses, global corporate standards, seals and codes of conduct for international data transfers, as well as evaluate which countries have a level of equivalence to Brazilian data protection.
It's difficult to imagine a country having an adequate level of protection of personal data without their country having a general data protection law, and this issue is also key to the other side of the Atlantic. Since the U.S. and other trading partners with Brazil do not have a general law on personal data protection, the profile of the ANPD, which will open the aforementioned toolbox for international transfers, is extremely relevant.
It's always good to remember that the ANPD should be collaborative until and after the LGPD takes force, ensuring compliance with the new regulation. In this sense, several provisions of the law are subject to calibration by the ANPD. International experience points to the importance of an independent regulatory body for such a compliance process, granting legal certainty to a series of rules that depend on regulation a posteriori.
It's time to leave behind 2018’s "hangover” moment, in which there was much celebration around the approval of the Brazilian general data protection law. 2019 is the time to sow the ground to reap good fruit when the law comes into force in August 2020. This involves a rethinking of the DPA model, a discussion that can be fertilized and irrigated from domestic and external joints. Otherwise, integration with countries and economic blocks and even the Brazilian domestic market may shrink amid an uncertain regulatory environment.
Cryptography on the horizon of the Federal Supreme Court and the National Congress
Since 2016, an “action against the noncompliance of fundamental precept” (ADPF 403-SE) has been processed, and in it, a consideration of the constitutionality of current blocking orders against WhatsApp is under analysis of Federal Supreme Court (Supremo Tribunal Federal). In June 2017, the STF called a public hearing to discuss the technical possibility of intercepting WhatsApp messages from users of the platform since blocking the company from operating in the country has been a kind of sanction imposed on WhatsApp for not allowing access to the messages under the argument that it is technically impossible to break the end-to-end encryption.
Although the action has been proposed with the aim of the fundamental right to freedom of communication, the STF is not bound to analyze it under this view. There is a possibility for the court to consider whether the judicial blocking orders against WhatsApp violate other fundamental rights and freedoms, such as the right to privacy. In this sense, practically the whole content of the public hearing discussion held in 2017 pointed out that such judicial blocking orders would be unconstitutional for targeting a technology that materializes the fundamental right to communication confidentiality.
At the end of 2018, the process was included in the agenda of the plenary of the STF. Then, in January 2019, the public security working group of the National Council of Justice prepared a list of 11 points to guide actions of the National Congress and the Ministry of Justice in the fight against crime. One of the measures is to tighten the rules to which such messaging applications must be submitted, forcing them to provide access to the content of the conversations exchanged via the platform.
This year promises to be a year in which the temperature will rise around the limits of how the government intervenes in the development of cryptography. Something that will be decisive in this respect will be not only the final result of the trial conducted by STF but, above all, its rationality about the future decision to be made. It is very likely that the trial will influence not only the discussions, but also the content of future legislative initiatives aimed at regulating the use of cryptography in Brazil.
Photo by Rafaela Biazi on Unsplash