Value and regulation of personal data in the BRICS

27 Nov 2019 16:40h - 18:10h

Event report

[Read more session reports and updates from the 14th Internet Governance Forum]

Mr Luca Belli (Civil Society, Latin American and Caribbean Group) began by discussing the cyberBRICS project aiming to map existing regulations, identify best practices, and develop digital policies regarding personal data protection. It also deals with cybersecurity governance within the BRICS (Brazil, Russia, India, China, and South Africa). Belli noted that a book will soon be available on how cybersecurity is mapped within the BRICS .

Belli explained that for BRICS, data protection regulation has been a focus area over the past few years and with greater mobilisation around the regulatory framework post the 2017 Xiamen declaration. Brazil adopted a new regulation on personal data protection in August 2018 (General Data Protection Law (LGPD) going into force in 2020). Russia has updated their regulation, and India declared the fundamental right to privacy in 2017. China adopted a cybersecurity legislation covering data protection and data security, while South Africa established a data protection regulator with the requirement to implement the Privacy of Personal Information Act.

Considering that this group of five countries represents 3.2 billion people, with 4 out of the 5 countries being among the top five countries with mobile Internet users, data protection is a key issue. Mr Achilles Zaular (Science and Technology Dept. Ministry of Foreign Affairs) said that with the passing of the LGPD in Brazil, companies and organisations have another ten months to assess the requirements and comply with the guidelines.

The LGPD stipulates that all data processing related to Brazilian nationals must comply with the LGPD, regardless of where the data processing company is based or operates from. Organisations are also responsible for appointing a data protection officer who will interface with the national authority. It is clear that when the law goes into effect in 2020, local and foreign companies, government agencies, the data regulator, and the judiciary will engage in a learning experience around the issues that will arise around data management and compliance.

Mr Andrey Shcherbovich (HSE Moscow) said that in Russia, the individual must specifically consent to the use of personal data stating the purpose for which the data may be processed. Databases holding the data cannot be further processed if there would be a change in the purpose for which the data was originally collected without notification of data subject. There are certain categories of sensitive personal data that cannot be collected related to race, nationality, health, religious, and political beliefs, with few exceptions. Shcherbovich raised a concern about data localisation and data related to Russian citizens only being on servers within the Russian Federation, which creates a challenge for cross-border data transfer for social networks like LinkedIn, as well as in cases where countries have a similar localisation approach.

Ms Anja Kovacs (Internet Democracy Project India) shared concerns around India’s proposed data protection implementation, namely: 1) Right of data subject to hold data fiduciaries accountable, like in case of automated decisions, and 2) Consent is framed lacking transparency, in a way allowing data fiduciaries and the state side step the consent of the individual. Kovacs echoed Zaular’s point on data being a resource and expressed that a country with India’s population has both the opportunity to benefit from the size of the available data for profit and the balance of protecting the privacy rights of the citizens. This is also true in China with 850 million Internet users with a state driven artificial intelligence (AI) programme that is now viewed as a security threat by the United States.

Questions arise around how tech companies that benefit from, and are impacted by, privacy regulation view and treat the GDPR, as well as how involved these companies should be.

With regards to the independence of the data protection agencies in different countries, Russia was not recognised by the European Commission as providing adequate data protection due to the lack of independence of the data protection agency. This should be of note in Brazil and China, where the policy making unit is headed by the Chinese president. China’s data protection policies do not reduce the government’s control over user data to ensure the ability to cater for national security interests. Whereas with South Africa, the data protection authority is the first on the continent and there is work to establish a network of authorities for the African continent.

It was agreed that the market and cultural differences between the BRICS territories lead to challenges in alignment of the policies, but there was still room for greater co-operation in the treatment of data that affects the citizens.

By Andre Edwards