Privacy professionals all over the world have a lot on their plate. Laws continue to be proposed, passed and amended, and each piece of legislation comes with a brand new set of challenges to solve. No one has all of the answers.
A panel at the IAPP Privacy. Security. Risk. conference took a look recent developments in Brazil and Mexico and some of the questions privacy professionals are grappling with in those two countries.
An area of concern in both Brazil and Mexico is one that privacy professionals all over the world will likely find relatable. While larger organizations have the resources to tackle compliance requirements, it is not as easy for small- and medium-sized businesses to adhere to privacy legislation.
National Institute of Transparency, Access to Information and Personal Data Protection Director, Privacy Sector Verification Vitelio Ruiz Bernal said Mexican states have started to develop laws and guidelines to handle data subject rights. While each state may work on the same task, it may be easier for some to put them into practice than others.
"We have big states and cities that have the means to cover [the rights], then we have states on the south part of Mexico that don’t have the means to," Ruiz Bernal said. "They are wondering how they are going to make these rights compatible with all the different agencies and government levels. We are getting there."
Ruiz Bernal said it's the same concern with the appointment of data protection officers. He added most federal agencies have appointed a data protection officer, "but we don’t know what’s happening in the states and the little towns."
Brazil has been working on its own data privacy law since 2010, said Dannemann Siemsen Advogados Partner Carlos Eduardo Eliziario de Lima, CIPP/E. The Brazilian Data Protection Act will bring with it a data protection authority to enforce the legislation.
De Lima said there is debate about whether the DPA can handle its enforcement duties and thoughts around organizational comprehension of the law.
"There is a concern regarding the ability of the authority to monitor the whole Brazilian market. In the beginning, the authority will likely focus on the big players in the market," de Lima said. "We are seeing market associations struggle to understand the new law. Few companies are ready. They are still struggling to understand with what they should do to comply."
It has been especially taxing for the companies because Brazil didn't previously have a culture dedicated to privacy before the law came to fruition, de Lima said. The DPA's new ability to administer fines will also help to bring attention to privacy and the LGDP, he added.
In response to the hurdles in front of them, de Lima said Brazilian organizations have started to hire law firms and IT tech consultants to bolster compliance efforts. In addition, Brazil has seen an increase in the number of privacy practitioners operating in the space.
The DPA will be made up of a National Council comprising 23 members of the government and a five-person board of directors. De Lima said there are questions that surround these appointments, as well. Because the Brazilian presidency and federal government have taken a strong stance toward intelligence, national security and the military, de Lima said it remains to be seen whether those viewpoints will influence the staffing of the board and council.
Meanwhile, as Brazil works on its own privacy law, Mexico has its eyes on work with the EU. Ruiz Bernal said Mexico joined Convention 108 in 2018 and is working toward its adequacy status with EU. Should it be granted, the country will move to join Convention 108+. Ruiz Bernal also said Mexico has started to work with DPAs of other Spanish speaking countries to "make something concrete in how to cooperate in different ways and how to make concrete guidelines."
Brazilian and Mexican privacy professionals have their fair share of topics to follow as each country continues to navigate their respective landscapes, and while the journey for privacy professionals there has been long and productive, it's far from over.
If you want to comment on this post, you need to login.