CPDP 2021 – The role of OECD in Latin America: the dynamic of regulatory convergence in personal data protection
The Data Privacy Brazil Research Association was responsible for organizing one of the panels of the 14th Edition of the CPDP International Conference. Counting with the participation of renowned experts […]
The Data Privacy Brazil Research Association was responsible for organizing one of the panels of the 14th Edition of the CPDP International Conference. Counting with the participation of renowned experts in data protection, the panel discussed the role of the OECD in Latin American and its relation with the dynamics of regulatory convergence on the subject of data protection.
Along with Convention 108, the OECD Guidelines are one of the most influential normative documents in the field of personal data protection. Despite the existence of several generations of laws on the matter around the world, the fundamental normative principles are more or less the same as those prescribed in the 80s, when the OECD guidelines were enacted. Even the principle of accountability, which today is seen as a normative pillar of the latest generation of data protection, was already prescribed in these documents.
However, the current context is very different from that experienced in the 1980s, in this sense, after 33 years, in 2013, the OECD revisited it’s guidelines with the publication of the “Privacy Framework”. Since 1980, several new countries have joined the OECD and more are yet to come, mainly from Latin America – Brazil, in fact, is one of those currently seeking it’s entry into the group. Beyond the organization’s internal changes, in this period the world underwent a revolution in technological and informational terms, that led us to see business models and public policies driven by data in a way we never imagined.
Cristos Velasco highlighted the main findings of the report produced by the OECD “Going Digital in Brazil” of October 26, 2020. The report discusses progress efforts in Brazil to enhance trust in the digital economy, focusing interalia on digital security, privacy and consumer protection based on the OECD Going Digital Integrated Policy Framework. Cristos highlighted the importance of fulfilling the criteria of having an independent DPA, which includes remaining free from any internal and external influence to exercise its functions.
Cristos also mentioned the ongoing work of the review of the OECD 2013 Privacy Guidelines and the work of the OECD expert group which include over 60 international experts and the latest work of the OECD concerning national privacy strategies, data localization and transparency reporting.
On the same topic, the Director of the Brazilian NDPA, Miriam Wimmer states that, although currently there are some mechanisms that seek to grant Authority’s autonomy – such as the independence of the directors to choose their own staff – the ideal, and what is expected, is for the NDPA to become an autarchy. Another positive point in relation to the current status of the Authority is the provision for the creation of a National Council for the Protection of Personal Data and Privacy (NCDP), an advisory body composed of representatives of civil society, academia, research institutions, unions, among others, which promotes a multisectoral arrangement, something that is praised in the OECD report. Nevertheless, having in perspective the brazilian notorious interest to become a member of the organization, Miriam reinforced the importance of the country to reevaluate some aspects of the institutional configuration of its governance policy on privacy and data protection. On that aspect, the expert highlights the necessity to consolidate a culture of transparency, a topic linked to the creation of a relationship of trust in the digital environment.
Directly related to the issue of transparency and trust, another point stated during the event was the importance of accountability and the role of the OECD in consolidating this principle between different countries. On the subject, Giovanna Carloni recalls that accountability is not a new word for corporates, which may represent an advantage for its insertion in this environment. The panelist points out that, as a familiar principle to companies, there is an opportunity for accountability to serve as a bridge for corporate leaders to lead the discussion on data protection and privacy to their companies. In this sense, the OECD can encourage the affirmation of accountability on the business environment, one of the ways to do this is by endorsing existing frameworks such as the CIPL Accountability Framework.
Also in regard to the role of the OECD, the panel addressed the influences on data protection regulation that the organization plays in Latin American. María Paz Canales affirmed that the OECD’s positions are important references for the regulation of privacy and protection of personal data in Latin America, mainly regarding principles approach. The expert also points out how in this sense there is an alignment between Latin American and European countries, having in mind the institutional legal structure that most nations in both regions have by stating privacy and data protection as fundamental rights.
However, Carolina Botero highlighted the need for closer ties between the international organization and civil society agents in Latin America. In her speech, the director of Fundación Karismas appeals to the fact that few Latin American countries are currently members of the OECD, which reduces the impacts that the organization could have on the region, however she noted that the recommendations are often followed even by non members. In addition, she indicated that one of the characteristic problems of the global south is the difficulty for its civil entities to follow the organization’s work agenda, mainly because of the low amount of resources available to do so. Although asymmetrical, the panelist affirms that the level of engagement in Latin America, especially with regard to civil society institutions, has shown to be increasing. She mentioned that the main challenge has been to shift the language from a human rights perspective towards an economic development line.
As closing speech, Bruno Bioni emphasized the role of the OECD in the regulatory journey of privacy and protection of personal data. Recapping the historical disputes between self-regulation mechanisms and command and control techniques over the regulation of data protection matters, the Director of Data Privacy Brazil recalls the movement for change of what is considered to be a regulatory convergence. Previous efforts were more focused on trying to harmonize all the different mechanisms adopted by countries around the world, but in the last decade, due to the role played by OECD a new term has emerged: “interoperability”. The change in terminology suggests that the total convergence of different countrie’s data protection standards would not be an attainable goal, however, it is possible to develop instruments that guarantee areas of regulatory intersection, as for example the binding corporate rules, stamps and others co-regulation mechanisms – a middle ground between self-regulation and state regulation.
Undoubtedly, the rules on privacy and data protection still have a long way to go before they consolidate and articulate themselves on the international stage. The choice of the theme of this panel was made precisely in order to collaborate with this journey, mainly in relation to the particularities of the Brazilian and Latin American context.
Por Bruno Bioni & Marina Kitayama