You played a pivotal role in developing the Bill for the Protection of Personal Data in Brazil in 2015. What were the main challenges faced in accomplishing this judicial framework?
I believe these challenges have much to do with a country’s particular social and legal profile as well as with its institutional framework. In the case of Brazil we can notice that, whereas its 1988 Constitution recognizes privacy as a fundamental right and introduces the Habeas Data writ, data protection has not developed as a natural consequence, making Brazil an unusual case of a democratic country with a large economy without a general data protection law enacted.
Even with growing awareness regarding surveillance and the lack of effective control over personal data, there is no definitive consensus on the need for a general data protection legislation. The main challenge in order to build a legal framework on this subject is to demonstrate that threats related to privacy and data protection can be effectively addressed by a general legislation.
Another challenge is a cultural one. Much of the legislation and regulation that is considered to address data protection and privacy issues in fact deals with confidential and secret data - such as financial, industrial or business secrecy. This has little to do with a modern data protection framework, but the idea is deeply rooted in Brazil’s legal tradition, making it harder to introduce new principles, concepts and enforcement measures typical of contemporary data protection laws.
Another major challenge is the proposed creation of a Data Protection Authority, which is regarded as a necessity by the Data Protection Draft Bill but, considering the financial and political crisis Brazil is undergoing, is facing concrete opposition.
In what way does the Brazilian approach to data protection and internet security differ from international law?
Brazil’s approach is based on general dispositions on privacy and intimacy in the Constitution, as well as in sectorial frameworks. The most representative of these are consumer protection (including credit reports) and the Internet Civil Rights Framework (Marco Civil da Internet).
The lack of a general framework on data protection and security makes it harder to comply and harmonize with international legislation on the subject. This makes, for example, international data transfer an almost unregulated area in Brazil.
The core of several international data protection laws is the presence of principles such as the Fair Information Privacy Principles. Brazilian law doesn’t have these principles present in a general legislation, even if they can be (partially) found in the Internet Civil Rights Framework (Marco Civil da Internet), the Law on Credit Reports or even in Consumer Law. Thus, compatibility among solutions to data protection issues in Brazilian law tends to differ not only in their effects but also substantially in their structure, since legislative tools in Brazil differ substantially from those found in international law.
As a side note, the Internet Civil Rights Framework (Marco Civil da Internet) as well as the draft bill on data protection were built upon modern and open public consultation, done entirely on the Internet. This procedure can point to a direction where the user also is an active subject in building the regulatory framework.
What are the main threats and challenges in the 21st century in the field of data protection and why is this important?
The pace of the evolution of the treatment of personal data, however fascinating, is extremely difficult to cope with from a regulatory point of view. The adoption of new technologies that make use of personal data is driven basically by reasons of efficiency much more than by a reasoned reflection on their impact.
The paradigm shift represented by the incorporation of Big Data in several services and products, for example, hasn’t been entirely absorbed even by the most comprehensive data protection legislations, which are still based on classical instruments such as the consent of the data owner as a means to legitimate the use of data - in a time when, in an ever-growing number of situations, it is becoming impossible to approach or even identify the moment of the collection of data. Other technologies will surely make the scenario even more complex, as we are on the eve of a large-scale introduction of sensors and devices for the so-called Internet of Things. Moreover, complex and often secret algorithms are using personal data to make decisions, evaluations and forecasts in an ever-increasing number of fields.
What safeguards exist, or can be introduced, to counter these threats?
Experience demonstrates the need to shift from the paradigm of transparency/individual control of personal data to one that encompasses these traditional aspects but also provides for concrete warranties against misuse of personal data in the increasing number of situations in which the individual doesn’t or can’t have a clue of what’s happening with his personal data or is simply unable to react accordingly, due to the complexity of new models and paradigms of data treatment.
To counter these threats, it is necessary not only to update regulation in order to permit more efficient monitoring and enforcement measures, but also to consider a whole new governance framework for privacy and data protection that includes the participation of all the actors in the life cycle of data, encompassing not only the regulator but the industry (and the compliance with privacy standards in devices and services), data controllers, data owners and others whose actions can positively interfere with the treatment of personal data.
In the wake of terrorist attacks, debates about encryption and surveillance overreach have been brought to the fore. What is your view on this conflict between the right to privacy and the right to security? How can we balance them on a judicial level?
Putting privacy and security on different sides of the equation won’t produce an effective answer to a very complex problem. Firstly, privacy and security are complementary - in the absence of security, for example, any attempt to protect privacy risks being totally useless. And the absence of privacy tends to undermine trust in personal and commercial relations, making security an ever-difficult goal to achieve. Thus, the issue would be not basically one of ‘balance’, but one of ‘complementarity’. In order to maximize privacy protection and security to the maximum extent, it is imperative that eventual surveillance and monitoring measures be subjected to an evaluation not only of their actual outcomes but also their impact on human rights - as in the Necessary and Proportionate Principles.
Is it useful to draw up laws on a national level, to tackle these global issues?
Even when we consider the global nature of the threats and the fact that data protection issues are increasingly global issues - as well as the universal character of Human Rights -, this doesn’t reduce the importance or necessity of national laws.
Generally, laws that protect the individual tend to be expressed in national laws that are particular to each country’s characteristics. These national laws are also the best way to translate general principles - including transnational data protection principles - to the particularities of a certain country’s legal system.
This, added to the general problem of enforcement of international rules at several levels, strongly suggests that the best scenario would be the development of laws at national levels that translate the general principles and tools of data protection to each national framework.
Nevertheless, global efforts are of supreme importance, whether by developing international regulatory documents that address the complexities of the subject, or by developing instruments of governance of privacy including the several actors involved - many of them enterprises or organizations that do not act under a sole jurisdiction.
- Danilo Doneda, Independent Consultant and Professor, State University of Rio de Janeiro (Brazil)