TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | The regulation of trans-border data flow from a Brazilian perspective Related reading: 10 years after: The EU's 'crunch time' on GDPR enforcement




How to promote the advancement of a data driven economy with international transfers and, simultaneously, safeguard adequate patterns of protection of personal data and privacy? This question guided the recent public hearing convened by the members of the Special Commission of the Brazilian Chamber of Deputies, which analyzes draft laws on protection of personal data.

On the occasion, a group of specialists, composed of representatives of civil society, companies and academia, were able to point out the key arguments of the regulatory scenario in which Brazil is inserted, under multifaceted perspectives. 

The first aspect analyzed involved the change of social behaviors promoted by disruptive technologies and their impact on economic development. In the data-driven economy, the boundaries between the logical and physical layers become increasingly fluid, so that one of the major challenges is to define precisely the contours of the figure of imputability. In other words, who would be responsible for the transfer and management of your personal data in certain legal relationships: companies or users? Is it possible to point out that, invariably, companies are solely responsible for the process of data transfer or mismanagement of personal data? Data from the National Household Sample Survey (PNAD/2015) revealed a growing demand by the Brazilian population for disruptive services. This fact is largely due to the promotion of Internet access and the regulatory scenario defined by the Civil Internet Framework. According to PNAD/2015: “85.6 million or 49.4 percent of the population aged 10 years and over used the Internet at least once in the reference period of the research." Once established, and the big picture in which the debate about international data transfer is set, the next step includes the analysis of the premises that justify these transfers.

The first premise involves the infeasibility of point-to-point data transmission in the global economy, as pointed out by Chris Kuner in this OECD Digital Economy paper. The second concerns the ubiquity of international data transfer and the changing role of territoriality. How do you know where someone's personal data is? In some situations, it is not possible because of physical and logical infrastructure networks, in which the simple transfer patient data to experimental laboratory research necessarily entails transnational transit. If such an element cannot be defined with empirical precision, but only technical, how to define the legal regime of protection of these international data transfers? The third premise comprises the figure of imputation, as previously indicated. In the cyberspace regulatory context, the increasing involvement of users and the new roles played by them have generated complications in the reconstruction of the data management chain in transnational operations. How to identify those responsible for compromises and leaks in operations of this nature? This is the main challenge of the supervisory and regulatory bodies in order to define those responsible for notifying users.

All these elements, however, meet at the same crossroads: the regulatory model for the protection of personal data. While Brazil is struggling to define its regulatory framework, in May 2018, the General Data Protection Regulation shall be applicable. This model is known for establishing a pattern of regulation in which the public power establishes broad normative standards of rights protection, but at the same time leaves room for the private initiative to establish private regulations for the promotion of innovation.

An example of this procedure are the binding corporate rules, BCRs, in which companies located inside and outside the European continent define contractual patterns of protection of personal data in transnational exchanges. The regime of binding corporate standards has proved to be a skillful experiment to deal with the pressing answers required by the data driven economy and the need for setting clear and secure protection of personal data.

The main requirements for an international transfer of data in countries with regulatory frameworks are the adequacy of the operation; transparency, accountability and user empowerment (accountability); consent and fair use. However, none of these steps is an exclusively European phenomenon that justifies an unthinking legal transplant. Countries such as Argentina and Uruguay have been promising examples of a harmonious balance between technological innovation and protection of rights. Argentina issued in November 2016, Disposición 60, which regulates article 12 of the Law 25.326/ 2000 and Decree 1558/2001, which defines the regime of international data transfer, as well as indicates the countries with an adequate level and in keeping with the country's standards. Curiously, among the countries listed is not Brazil.

Brazil is not a reference for the productive sectors that demand international data transfer and for segments of civil society that defend minimum standards of protection of rights because it has placed itself in a distant and not very expressive position. While the GDPR contains in its Art. 44 a clear and secure general parameter for international transfers, Brazilian Federal Draft Act 4060/12 does not contain a specific section on the subject, while Federal Draft Act 5276/16 and Senate Draft Act 330/14 contain a serious problem of legislative technique by dispersing the regime of civil liability for several articles, rather than a single section with the guiding standard.

In addition, all of aforementioned draft bills do not contemplate, for example, cases of exclusion of liability such as the user's exclusive fault or mitigating liability and the forecast of prior approval of binding corporate standards before a data protection authority that ensures the same level of adequate protection.

It is not surprising that Brazil yet remains with no definitive legal framework for data protection and international transference, since this country was one of the last signatories of the CISG-United Nations Convention on the International Sale of Goods. Meanwhile, the process of internationalization of the Brazilian economy and the promotion of competitiveness and innovation are moving against the main values of socioeconomic development.


If you want to comment on this post, you need to login.