Image of a blue and orange pie chart. The blue slice is on the left side and takes up more than half of the circle. The chart also has a legend: orange is "other days" and blue is "total inclusions on the 30th and 31/03".

InternetLab Reports – Public Consultations No. 09

InternetLab Reports 04.02.2015 by Francisco Brito Cruz and Jonas Coelho Marchezan

See how the ninth week of Brazil’s internet policy public consultations went, covering the Marco Civil da Internet’s regulatory decree and the data protection draft bill.

 

Marco Civil regulatory decree debate: more time to foster the policy debate

The public consultation about the Brazilian Marco Civil da Internet’s regulatory decree was extended until April 30th. The debate was initially planned to end on March 31st, but the Ministry of Justice decided to extend it, taking into account the huge number of contributions in the last two days of the public consultation (which was bigger than that in all other days of consultation). The idea is to encourage debate and create interaction among participants.

We decided last week to wait for the end of the debate, which would have occurred on March 31st, before posting this edition of the Report, in order to include the final days of discussion in it. Since the public consultation will continue during April, the Reports will continue to be published every Friday (next on April 10th).

This new wave of contributions, concentrated on 30 and 31 March, was different from the others in many ways. The new contributions are much more extensive and argue their points in greater depth. In addition, the vast majority of comments in recent days were made by organizations, not individuals. The main actors were companies, lobby associations, and civil society and academic organizations.

The intense participation in the Marco Civil regulation public consultation on March 30th and 31st can be seen in this chart provided by the Ministry of Justice. The blue part represents the participation that occurred on these two days.

 

Data Protection draft bill: international data transfers

Even within the national territory, it is not an easy task to find a model that strikes a balance between the privacy of citizens and the potential for innovation involving data processing. The challenge appears to get bigger when it comes to the question of international data transfers. What is the best regulatory solution to address this common practice?

Some argue (see comments on Article 5, paragraph XIII) that it is necessary to limit data traffic to what happens inside the Brazilian territory, so that there would always be the possibility of State control over these activities. This radical alternative goes against the Internet’s everyday practice. Although it is often stored in Brazil, data frequently travels abroad for technical reasons related to the strongly decentralized way that the Internet works.

The solution sought by the bill seems to take the decentralized operation of the network into account. The bill establishes, in its Article 28, that international transfers of personal data will be allowed when made to countries that provide a personal data protection level “comparable to this law.” The text also allows exceptions to this rule, usually in cases of fulfilling legal obligations and international law or treaties.

 

Protection “comparable to this law”

What would be the “protection level” referred to in the law? According to the contribution of the participant névoa, the draft bill text does not provide a technical definition of such a level.

In fact, the draft bill text does not address specific technical standards for data protection. This is because this type of pattern and standard is typically created through more specific rules, which allow faster updates as technology improves. The idea seems to be to consolidate principles and general rules in the laws and leave technical standards and definitions to the regulation (in a decree, for example), as in the case of the Marco Civil.

Apparently, the kind of protection that is sought by the draft bill is not technical, but legal. Article 28 establishes that international data transfers shall be allowed only to countries that provide legal remedies and provisions at the same level as that provided by the Brazilian draft bill.

 

The rule of location and international transfers

Another issue was raised by Giovanna Carloni. According to the participant, the European directive on data protection sets a rule similar to the draft bill for international data transfers: it only allows transfers to countries that provide equal protection.

But this rule, called the “location rule”, has been widely criticized in Europe. According to the participant, the increasing use of cloud computing and other arrangements that do not take into account the territorial separation of countries has been slowly eroding the sense of linking data transfers to a “level of protection” of a particular country, within its borders.

Also according to Giovanna Carloni, a new approach to the problem has been discussed in Europe. Instead of keeping the focus on the country that will receive the data, the idea would be to establish the security guarantees and transparency required of the service operator that is processing the data.

 

Another issue was raised by the participant Giovanna Carloni. According to her, the European Directive on Data Protection sets a rule similar to the draft bill for international data transfers: it only allows transfers to countries that provide equal protection.

According to the participant, this rule, called the “location rule”, has been widely criticized in Europe. The argument is that the increasing use of cloud computing and other arrangements that do not take into account the territorial separation of countries would be gradually undermining the effectiveness of linking data transfers to a “level of protection” of a particular country, within its borders.

For the participant, a new approach to the problem has been discussed in Europe. Instead of keeping the focus on the country that will receive the data, the idea would be to establish obligations for whoever is processing that data. Her contribution concluded with the following comment:

“Obviously, rules would have to be created so that the provider proves such a level of protection to the competent organ. It is something to be considered and studied and certainly we can avail ourselves of the debates that already occur with the reform of the European Directive.”

 

Authors: Francisco Brito Cruz and Jonas Coelho Marchezan.

 
