29 de novembro, 2018
A nova lei, semelhante à GDPR, permite maior confiança e segurança para as atividades de empresas estrangeiras no país.
Confira o artigo completo: Como a Lei Geral de Proteção de Dados facilitará o comércio internacional brasileiro?
2018 can be considered a breakthrough year for Brazil in terms of privacy rights and protection of personal data. At the end of a long legislative process, Law 13.709/18, which enacted the Brazilian General Data Protection Law (LGPD) was sanctioned with the purpose of establishing rules for the protection of personal data and standardizing treatment of the matter.
Although it is true that Brazil already had other laws[i] that dealt with the protection of these data, and that the right to privacy and intimacy are fundamentally guaranteed by the Federal Constitution, fact is that sparse legislation did not attribute trust and recognition to our system, nor was this regulatory arrangement equivalent to the legal protection standards adopted long ago by other countries, in particular by the European Union (i.e., General Data Protection Regulation (“GDPR”).[ii]
Therefore, alongside the formal discrepancy of regulatory systems, it became inconceivable that Brazil, as the world’s ninth largest economy[iii] and fully inserted into the global digital economy, with 130 million people connected to the internet[iv] and great desire for electronic commerce[v], remained obsolete when compared to other nations with whom it maintained trade relations.
In addition to these justifications, a legislative agenda became fundamental for Brazil to become recognized by international organizations[vi] and guarantee that it was in line with the GDPR, which entered into force at the beginning of the year.[vii]
Under these circumstances, the country made great strides in editing the new law. Among the many expected benefits, we understand that it will be essential to keep Brazil at the center of future international trade.
International Scenario: What are the neighboring countries’ regulations on the matter?
Even though personal data protection is not groundbreaking at an international level, it is undeniable that GDPR’s entry into force brought worldwide attention to the issue, notably due to its extra-territorial reach. This regulation imposes compliance by all companies offering products or services to Europe, even if they do not have a physical presence within the territory.
Furthermore, the transfer of data collected in European countries to other entities or countries should comply with international transfer rules set forth in GDPR. Among these, the “adequacy decision” criterion is the one that offers greater security, predictability and convenience to companies.
According to the European Commission’s understanding, if a country offers appropriate levels of personal data protection comparable to that guaranteed by GDPR, international transfers are automatically allowed between companies and individuals, who may act as if they were subject to the same rule. Obviously, this is a great benefit to the international relations of these countries, strengthened by reducing bureaucracy and uncertainty in commercial relations. Therefore, obtaining an adequacy decision can be crucial to boost trade between any country and the European Union.
According to the United Nations Conference on Trade and Development (Unctad), few countries do not have a specific law for the protection of personal data.[viii]
In this context, it was noted that Brazil was one of the few countries in Latin America that had not yet adopted specific legislation, while other MERCOSUR members already had their regulations in place.
Argentina was one of the pioneers on the subject in South America, sanctioning a specific law for the protection of personal data in 2000. Already in 2002, it was the first Mercosur country to obtain adequacy recognition by the European Union through the 95/46 Directive (previous rule to GDPR). On that occasion, EU recognized that:
“… the Argentine law covers all the basic principles necessary to assure an adequate protection level for individuals, while also providing exceptions and limitations in order to safeguard important public interests. (…) The law provides the establishment of a monitoring body responsible for data protection and in charge of performing all necessary actions to comply with the objectives and provisions of the law. “[ix]
In 2008, Uruguay sanctioned a law establishing specific protection for personal data and the use of “habeas data”. Later, in 2012, the EU also recognized the adequacy of this Uruguayan law:
“The application of data protection rules is guaranteed by the existence of administrative and judicial remedies, in particular through the action of habeas data, which allows the person to whom the data relate to take legal action against the party responsible for processing of the data, in order to exercise the right of access, rectification and deletion, and by independent supervision carried out by the Regulatory and Control Unit of personal data (Unidad y Regulatory Control of Datos Personales-URCDP), which has research, intervention and sanctions powers, following the provisions of article 28 of Directive 95/46/EC, and which acts independently. “[x]
Paraguay, on the other hand, despite not obtaining recognition by the European Commission, also has a specific law for the protection of personal data since 2001, which was modified and expanded by law 1969/2002, currently in force. Similarly, other South American countries also have specific laws in this regard, as is the case of Chile, that has a personal data protection law since 1999 (currently in review for adequacy by GDPR) and Colombia, whose law was enacted in 2012.
In light of the above and based on GDPR, it is understandable that the European Union considers necessary to grant an adequacy decision and that the country adopt specific rules which provide not only personal data protection principles, but also necessary safety, and administrative and judicial mechanisms to guarantee compliance with such rules, where a responsible authority for control is essential. As so, our neighbors are working towards this, recognizing that this measure is of great importance for international relations.
The importance of Personal Data Protection for international trade
Taking the above into consideration, Brazil, in adopting specific legislation for the protection of personal data (inspired by GDPR), takes the first step towards a level of equality with the European rule, which is currently the global reference.[xi] Consequently, the country will also be in a compatible level with other countries. This stance is, admittedly, crucial.
In a world increasingly dominated by the digital economy, trust becomes a fundamental condition for consolidation and business continuity.
Unctad states that, “Internationally compatible data protection regimes are desirable as a way to create an environment that is more predictable for all stakeholders involved in the information economy and to build trust online.”
In this sense, data protection is no longer a matter of market differential, but essential to build the confidence of investors and consumers, and enable business continuity. According to the report by the Organization for Economic Cooperation and Development (OECD), the Computer and Communications Industry Associations (CCIA) explains that:
“With the growth of digital flows and e-commerce have come concerns about the protection of personal data, and the security of digital transactions and content. These concerns are not just shared by consumers. Protection of data is at the core of the Internet’s sustained growth as a platform for expression and trade in goods and services. In fact, the lifeblood of Internet-based industry—which today has grown to include a substantial component of all industries—is the trust that global Internet users have in online platforms.”
Regarding competitiveness, the personal data protection rules in Brazil are a synonym of risk reduction and favor new businesses in the country, since the regulatory environment will be predictable, providing greater legal certainty. As stated by the European Commission:
“In the digital era, promoting high standards of data protection and facilitating international trade must thus necessarily go hand in hand.”[xii]
Currently, the European Union is the second main trading partner of Brazil and our biggest foreign investor. Therefore, ensuring the maintenance and development of our trade relations is extremely important. In this sense, the enactment of the Brazilian LGPD enables the possibility of recognition by the block, and as a result, more safety and agility in business relationships, increasing trade flows. As we noted, companies located in Argentina and Uruguay are already in a clear trade advantage with European companies, because the data transfer is free and companies do not have to bear the cost of implementing a specific safeguard to authorize data transfers.
The LGPD itself represents an advancement so that Brazil can seek an adequacy decision before the European Union. Therefore, ensuring the protection of personal data means increasing credibility and competitiveness vis-à-vis other companies in the global market.
As for commercial expansion, e-commerce has been a facilitating tool for the insertion of companies in other countries, mainly for small and medium-sized companies, eliminating costs of physical presence in different territories. And in this sense, to sell any product or service online, you must use personal data. Therefore, the existence of standards that ensure its [data] protection is a relevant factor to create a favorable environment, capable of leveraging internet commerce.
Trade depends on people, and therefore should work in the benefit of people. Taking this into consideration, data protection legislation in Brazil establishes an environment that not only favors the protection of personal information and the right to privacy set forth in our Federal Constitution, but also increases the possibility that companies keep up with the global changes, and do not have their businesses blocked by inadequacy and legal insecurity.
The GDPR has become a global regulatory framework on personal data protection, due to international trade flows of several countries with the European Union. Therefore, many are adopting new rules or updating their laws to suit that model. We also see a greater search for obtaining adequacy decisions between the EU and other countries.[xiii]
Given the world´s current situation, in which more than 50% of the countries already have legislation for the protection of personal data, those who do not comply may face difficulties in settling in international trade.
In conclusion, there are expectations that Brazilian trade will be facilitated with the adoption of LGPD, because this law presents fundamental rules and principles of protection, consistent with the GDPR and, consequently, with other countries. Such a measure will institutionalize an environment of greater trust, credibility and security for foreign companies consolidate trade in Brazil and for Brazilian companies venturing into other markets.
 United Nations Conference on Trade and Development. Data protection regulations and international data flows: implications for trade and development. April, 2016. Disponível em http://unctad.org/en/PublicationsLibrary/dtlstict2016d1_en.pdf
[i] Among them, the Civil Code, the Consumer Protection Code, the Telephone Interception Law, the Law on Access to Information, the Civil Internet Framework and the Carolina Dieckman Act (Law 12.737 / 12, which deals with the inviolability of computer devices).
[ii] In addition to national examples, we can cite Convention 108. It was created in 1981 by the Council of Europe, this treaty is “the first binding international instrument which protects the individual against abuses which may accompany the collection and processing of personal data and which seeks to regulate at the same time the transfrontier flow of personal data “. It is currently ratified by 53 countries, of which 9 are not part of the Council of Europe.
[iii] International Monetary Fund (IMF) Available at https://www.imf.org/external/datamapper/NGDPD@WEO/OEMDC/ADVEC/WEO/JPN/FRA
[iv] International Telecommunications Unit (ITU). Available at https://www.itu.int/en/ITU-D/Statistics/Pages/stat/default.aspx
[v] Unlike the rest of the Brazilian economy, the sector registered a growth of 12% and revenues of R $ 23.6 billion in the first half of 2018. According to a report by Folha de São Paulo of 08/29/2018, available at https://www1.folha.uol.com.br/mercado/2018/08/comercio-eletronico-cresce-12-e-fatura-r-236-bilhoes-no-primeiro-semestre.shtml.
[vi] It is publicly understood that the enactment of the LGPD is decisive for Brazil to be accepted as part of the Organization for Economic Cooperation and Development – OECD, as reported by the State of São Paulo Newspaper on April 13, available at https://economia.estadao.com.br/noticias/geral,por-vaga-na-ocde-governo-articula-criar-orgao-para-protecao-de-dados-na-internet,70002266200.
[vii] The General Regulation on Data Protection (679/2016) is the newest European regulation for the processing of personal data, applicable to all the countries of the Union without distinction. It establishes rules for the use of such personal data by companies and public bodies, determines the need for the establishment of national control authorities and imposes severe fines in case of noncompliance (and may reach up to 4% of the overall turnover of infringing companies).
[viii] [viii] United Nations Conference for Trade and Development.; Data Protection and Privacy Legislation Worldwide. Available at http://unctad.org/en/Pages/DTL/STI_and_ICTs/ICT4D-Legislation/eCom-Data-Protection-Laws.aspx
[ix] European Commission. Commission Decision of 30 June 2003 pursuant to Directive 95/46 / EC of the European Parliament and of the Council on the adequacy level of personal data protection in Argentina. Brussels, 30.06.2003 (2003/490 / EC). Available at https://eur-lex.europa.eu/legal-content/PT/TXT/?uri=CELEX%3A32003D0490
[x] European Commission. Commission Implementing Decision of 21 August 2012 in accordance with Directive 95/46 / EC of the European Parliament and of the Council on the adequacy of the Eastern Republic of Uruguay with regard to automated data processing. Brussels, 21.08.2012. (2012/484 / EU).Available at https://www.cnpd.pt/bin/legis/internacional/DecExeCOM_21-8-2012_Uruguai.pdf
[xi] Some publications and the EU itself refer to GDPR as a Gold Standard in the sphere of personal data protection (available at https://edps.europa.eu/timeline/gdpr_en?page=1) and the EU commissioner , Vera Jourová said “We want to define a global standard”, when referring to GDPR ( available at https://www.politico.eu/article/europe-data-protection-privacy-standards-gdpr-general-protection-data-regulation/).
[xii] European Commission. Communication from the Commission to the European Parliament and the Council “Exchanging and Protecting Personal Data in a Globalised World”. Bruxelas, 10.01.2017, available at file:///C:/Users/mba/Downloads/Communication-Exchanging_and_Protecting_Personal_Data_in_a_Globalised_World%20(3).pdf.
As an example, we have the negotiatios between Japan and European Union for the recognition of the Japanese legislation, according to note of the European Commission of 17.07.2018, available at http://europa.eu/rapid/press-release_IP-18-4501_en.htm[:]