Why data protection authorities are essential: A cautionary tale for Brazil

News & Analysis
Brazilian flag made of bricks

This month Brazil adopted a new data protection law, joining the ranks of more than 120 countries which have adopted such legislation, providing individuals with rights against the exploitation of their personal data. But after a veto from the Brazilian president, the law lacks an independent authority in charge of its application, which can severely undermine its impact.

When drafting data protection bills, one of the most important and often politically contentious issue tends to be their enforcement. Given the challenges related with implementing these laws, independent data protection authorities have an invaluable role. They help to interpret the law and to monitor the activities of data controllers and processors to ensure they comply with their obligations. They also play a key role in investigating violations of rights , and ensuring there is a venue for redress, rendering these rights truly effective.

What is very clear at this point is that passing data protection laws without a data protection authority simply doesn’t work, and it is also completely insufficient to meet international standards, such as the Convention 108 of the Council of Europe and the OECD data protection guidelines, or regional standards such as the General Data Protection Regulation of the European Union.

That is the case of countries such as Paraguay or Chile, which approved data protection laws more than 15 years ago (2001 and 1999, respectively), and still haven’t created a data protection authority. While that is not the only defect of these laws (they also have many loopholes in the name of ‘industry’ and ‘innovation’), the lack of enforcement bodies in both countries means that legislation has failed to protect citizens from unabashed data exploitation.

We need to keep this cautionary tale in mind when discussing developments in other countries. Last week, Brazilian president Michel Temer signed a general data protection bill into law (English version here), after more than 8 years of public discussion. However, President Temer also vetoed key provisions of the new law, including those creating a new data protection authority (Articles 55-59 ), while also restricting administrative sanctions and limiting government accountability on data processing.

As the Brazilian Coalition for Rights in the Digital Environment reported, in the signing ceremony the Brazilian president explained that the veto was due to a technicality, and that he would send at the earliest convenience a new bill to create a data protection authority.

However, the current Brazilian government is running against the clock: in less than two months from now there will be presidential elections. Meanwhile, the general data protection law that will enter into force in February 2020 is still lacking an administrative authority, yet some articles (like art. 52) make references to such body.

There is still a lot to praise about the new law: it has a strong set of principles, rules for extraterritorial application, sound security provisions, regulation of cross-border data transfers, obligations to appoint data protection officers and to perform data protection impact assessments, among other positive features that are the fruit of years of public engagement and an active civil society intervening in the process.

But the success of all these positive features depend on whether they are actually enforced, and a key to this happening requires an independent, well-resourced data protection authority to guarantee effective implementation. Having the ability to initiate an investigation ex officio and providing redress for complaints is almost impossible without an independent authority. Providing technical guidance to data controllers and promoting public awareness are also tasks that cannot be done properly without having an independent agency whose mandate is to oversee enforcement.

While holding off on the celebrations, we give our support to civil society groups like the Brazilian Coalition for Rights in the Digital Environment (alongside our partner Coding Rights, who are also members of that coalition) to call for legislation that truly protects people.

An enforceable general data protection law requires an independent data protection authority, and the Brazilian government needs to comply with their promises. The clock is ticking.

Image obtained from here