The GSMA welcomes the announcement of the Brazilian Government that the President has sanctioned a general data protection law.
The approved text came a long way from its first draft in 2010, with multiple rounds of public consultations and contributions from the GSMA and its members. Many important discussions are well reflected in approved law, such as a risk-based approach to security and breach notifications, and having several alternatives for the processing of data (including consent, but not limited to it).
The new law moves Brazil in the right direction towards enabling the data economy. Until recently, Brazil was one of the few key players in the Americas that still lacked a comprehensive data protection law. The establishment of a horizontal, general purpose law helps create legal certainty for the use of data regardless of sector and technology, as well as protect the privacy of users. Striking the right balance between freedom to use data and consumer protection is fundamental to stimulate data-based innovation while supporting the building of trust in the digital ecosystem.
To realise the full potential of the digital ecosystem, data needs to move across national boundaries without restrictions. The recent effort by some countries to localise data—to require that certain types remain in country, or be stored on local servers—hinders free data flows and hurts both economic growth and foreign investment, without making the data itself any more secure. This new law in Brazil, therefore, sends a strong signal that it is possible to both allow data to flow freely and protect consumers’ personal data.
However, there are also challenges associated with the new law. The bill also leaves many important elements, such as deadlines and minimum requirements for notification, security, standards, data interoperability and portability, to be defined by further regulations and decisions. It is important that the law remains future-proof by not focusing on particulars, especially on what concerns standards, business models, and technologies, as those are likely to change and evolve over time. Similarly, any new regulations on the field of privacy should also focus on principles and remain neutral in terms of technology and service, and continue to strive for striking the right balance between innovation and protection.