© Leaders League
In the digital realm, civil society has become divided between freedom and security, especially as data becomes increasingly valuable to organizations in both the public and private sectors. The European Union, Brazil and other countries have recently launched new data protection laws to address concerns. In this context, one might wonder what the future holds for data protection.
In the European Union (EU), the General Data Protection Regulation (GDPR), which came into force on May 2018, replaced the Data Protection Directive 95/46/EC and was designed to harmonize privacy laws across the EU and reshape the way organizations approach the use of data. In early 2019, the first major GDPR infringement case surfaced: Google was fined €50 million by the French data regulator, Commission Nationale de l’Informatique et des Libertés (CNIL), for a breach of the EU’s data protection rules related to lack of transparency, adequate information and valid consent regarding ads personalization. Although the EU has been leading data protection discussions for several years, the implementation of GDPR is a milestone for the field.
In Brazil, the recently approved General Data Protection Law (LGPD), sanctioned by former President Michel Temer on August 14th, 2018, is a bill largely inspired by European regulation. Similarly to GDPR, LGPD defines personal data as any information related to an identified or identifiable natural person and will apply to any data processing operation occurring in the country’s territory, regardless of the location of the entity conducting the operation or holding the data. Organizations must also identify a specific legal basis for data processing operations, such as consent, research purposes or fulfillment of a contract. Failure to comply with regulations may result in civil liability and administrative penalties, which could incur fines up to a total of R$50 million. Furthermore, LGPD establishes the creation of an independent federal agency, the National Authority for Data Protection (ANPD), which will be responsible for the regulatory aspects as well as for the monitoring and enforcement of the new law, which comes into force as of August 2020.
An International Outlook
Besides the EU and Brazil, numerous other countries are pursuing more robust data protection legislation. The United States, despite its lack of a comprehensive national privacy law, has several sector-specific laws and data security regulations in place among its states, such as the recently enacted California Consumer Privacy Act (CCPA), which becomes effective as of January 2020. In India, the government recently appointed a committee to draft a comprehensive Personal Data Protection Bill, which is likely to be European-influenced, but has yet to be introduced to parliament. The People’s Republic of China, in turn, continues to have a complex framework with various laws and regulations; however, its Cyber Security Law came into effect in 2017, thus becoming its first national law to address data protection and privacy issues.
What The Future Holds
From a business perspective, although there is a general international consensus regarding the core concepts of data protection, the key challenge for multinationals will be the varying legal interpretations of each jurisdiction. In this regard, companies should not underestimate the workload they will have to deal with when it comes to the LGPD and other data protection regulations. According to Marcel Leonardi, Counsel at Pinheiro Neto Advogados and former Senior Public Policy and Government Relations Counsel at Google: “For a very long time, people thought data protection laws would be more applicable to the technology or consumer-centric sectors, but now they realize legislation will impact every single sector of the economy. As such, Brazilian and foreign companies should begin their journey into the data protection environment as soon as possible alongside professionals who effectively understand their market and can dialogue with its existing norms.” Data protection is here to stay and should not be perceived as an unnecessary burden, but instead as a new and more transparent way of doing business.