International data transfers
The paper is addressed to MPs assessing Bill no. 5276/2016; to multinationals and SMEs wishing to transfer personal data from Brazil to the EU and vice versa; and to data subjects seeking adequate safeguards on how and where their personal data is processed. It aims to highlight how international data transfer as defined in Bill no. 5276 might be further aligned with the GDPR and, more generally, with the EU data protection principles.
Today, every undertaking, regardless of its size, faces the issue of knowing where its data is stored or transferred. Usually, EU multinational companies deal with international data transfer by adopting the easiest approach: relying on an adequacy decision (e.g., the EU-US Privacy Shield); entering into a contract between the data exporter and the data importer (e.g., the Standard Contractual Clauses); or implementing corporate codes of conduct (e.g., Business Corporate Rules). Considering the increasing economic value of data (e.g., Big Data and IoT), it is the opinion of the author that the regulation of international transfers of personal data should be a priority for any international cooperative initiative in the field of data protection. From a data protection point of view, a clear and uniform legal framework on data transfer is the first issue which may influence an undertaking's decision to start a business in a certain country.
Today, Europe and Brazil have a unique opportunity to work on a harmonised EU-Brazil data protection framework. The EU’s General Data Protection Regulation (“GDPR”), which aligns data protection laws across the 28 Member States, is a good example to apply in Brazil, where a new data protection law (Bill no. 5276, hereinafter referred to only as the “Bill”) is currently under discussion.
The following bullet points represent a summary of certain legal aspects on international data transfer provided in the Bill that the Brazilian legislator may want to consider in order to create an effective EU-Brazil harmonized data protection framework.
- The first task in harmonising the Bill with the GDPR relates to the mechanism for a country/territory to obtain an “adequacy decision”. Art. 33(1) of the Bill allows a transfer of personal data to a third country provided that the latter ensures a level of protection equal to the one ensured in Brazil. In this regard, the Brazilian legislator may consider that the assessment of an adequate level of protection should include not only the legal framework of the third country/territory but also the
- Notwithstanding that cooperation in criminal matters is one of the legitimate bases for international data transfers (Art. 33(2) of the Bill), Brazil may consider entering into a specific agreement with the EU covering a minimum set of standards for data processing, limitations of use and respect of individuals’ rights (e.g., the EU-US Umbrella Agreement). Such an agreement would regulate the use of personal data, avoiding unlawful exploitation by public authorities (e.g., the Snowden case in the U.S.).
- In the EU, consent is a legitimate basis for international data transfer (Art. 49(1)(a) GDPR) provided that such consent is explicit, freely given, specific and informed. Art. 33(7) of the Bill does not list all these characteristics, whilst they are provided in Arts. 7 and 9 of the Bill regarding the processing of personal and sensitive data. In this regard, the Brazilian legislator may consider amending Art. 33(7) of the Bill to ensure that end users provide their consent on the same conditions described in Arts. 7 and 9 of the Bill. To be harmonised with EU law, consent should be valid only if prior information is provided “in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child” (Art. 12(1) GDPR); in this regard, the information may be provided in combination with standardised icons in order to give, in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing (Art. 12(7) GDPR); and the request for consent is “presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language” (Art. 7 GDPR).
- The qualities of the competent authority (DPA) under Art. 34 of the Bill should be further expanded by the Brazilian legislator, providing for a public body or agency with independent powers and autonomy, as is the case in the EU for each national DPA.
- In elaborating “standard contractual clauses or enforce constant provisions in documents that serve as basis for transborder data flows” (Art. 34 of the Bill), the competent DPA may take the EU Commission’s Standard Contractual Clauses as an example of adequate safeguards for the processing of personal data. These shall include at least joint liability between the data exporter and the data importer for any processing and onward transfer of personal data.
- Art. 34(2) of the Bill, concerning the possibility of implementing Business Corporate Rules, should better explain the information to be provided by the relevant organization. More specifically, the Brazilian legislator may consider explaining the meaning of “supplementary information or due diligences may be required when dealing with operations of processing” described in paragraph 4 of Art. 34 of the Bill. Multinational companies may indeed refuse to apply for Business Corporate Rules if such an option may imply access to sensitive information such as trade secrets.