How Brazil Could Become a Regional Leader on Data Protection
A bill passed yesterday by Brazil’s Lower House marks a major step forward in the push for privacy.
The world is awash in data. Each minute, people around the globe take 47,000 Uber trips, write 456,000 tweets, conduct 3.6 million Google searches and receive 103 million spam emails. Every day they create over 2.5 quintillion bytes of information. Personal data given up by mobile phones and computers is the energy – the new oil – that drives the global economy.
All that data floating around raises serious questions about what businesses and government agencies can and cannot do with it. Some countries, particularly in the European Union (EU), have moved quickly to respond to citizen concerns about data privacy, while others, like the U.S., lag behind. Brazil, for the most part, has been a laggard. At least until yesterday.
On May 29, Brazil’s Lower House approved legislation that would require all public and private entities operating in the country to receive consent in order to store a user or client’s personal data. Among other measures, the bill also sets out general rules for public access to data, including requiring personal information to be destroyed after client or user relationships end. If approved by the Senate, the new law will dramatically reshape the rules for government agencies and private companies alike.
The move comes after months of political wrangling and years of simmering concern over privacy. Brazilians were particularly irked by Edward Snowden’s revelations of mass data collection and espionage by the United States back in 2013. More recent data-mining scandals, including those involving Cambridge Analytica and its Brazilian counterparts, which collected data on over 433,000 Brazilians, ratcheted up the calls for reform.
New requirements as part of the EU’s General Data Protection Law (GDPR), passed in 2016, also dramatically increased pressure on Brazilian authorities. Building on a 1995 Data Protection Directive, the GDPR lays out the basic rights for how personal data of EU citizens can be used, stored and processed. This privacy law has teeth. On the day the GDPR came into effect, privacy activists filed claims against Facebook and Google that could result in $9.3 billion in fines.
While the costs of GDPR compliance are high, the benefits are extensive, including for Brazilians. What makes the new EU legislation so powerful is that it applies to anyone handling personal details of EU citizens anywhere. For better and worse, the new legislation is setting a precedent for data protection around the world. Citizens who come into contact with governments and companies under GDPR jurisdiction can now exercise their rights, including to be forgotten, to access their own data, and to obtain and reuse their personal data.
Civil liberties activists are clamoring for similar legislation in the U.S. and elsewhere. While the bill passed yesterday in Brazil doesn’t quite rise to the level of the GDPR, it is a step in the right direction.
Brazil’s legislation incorporates many concrete provisions to protect privacy and curb discriminatory profiling. Importantly, it would also require the creation of two new institutions to carry these measures forward. If passed, the government will be required to establish a Data Protection Authority and a National Council for the Protection of Personal Data. These new bodies will be made up of an array of stakeholders, albeit mostly public authorities, with the express purpose of implementing and monitoring the new law. Once it is formally adopted, Brazilian public and private entities will have a year and a half to comply.
The step toward a new data protection law represents a stunning victory for Brazil’s digital rights campaigners. Despite major cyber breaches and risks to personal data, Brazil has to this point been slow to strengthen its data protection rules. Lawmakers have been distracted by never-ending political scandals, economic volatility, security crises, and looming presidential elections. National security prerogatives often trump personal freedoms.
The bill passed yesterday by the Lower House would do much to consolidate and improve upon a patchwork of at least 30 laws on digital privacy that Brazil currently has on the books. This progress on data protection now lies with the Senate.
Comprehensive privacy and data protection laws like the GDPR have effects extending far beyond their borders. The GDPR has helped revitalize Brazil’s data protection legislation, and the digital rights of Brazilians everywhere. While there is still work to be done, today data protection is a fact of life. And that is good news, for a change.
Muggah is the co-founder of the Igarapé Institute and the SecDev Group and Foundation. Hurel coordinates Igarapé Institute’s cyber security and digital liberties projects.