The agency (or agencies) that will enforce any new data protection law in Brazil is an unsettled issue. The Justice Ministry draft legislation discusses activities and duties for an agency, but it never discusses the agency itself. A clear lesson from more than 40 years of data protection is that agency structure matters. Is the agency an ombudsman or tribunal? Should it be part of a broader information agency (i.e., government transparency as well as privacy) or even an added duty given to a consumer protection agency? Alternatively, should data protection be part of every industry regulatory responsibility? There are global examples for each of these models.
On 10 August, the Information Accountability Foundation explored structural issues in Brazil’s capital, Brasilia, in a session hosted by Consultoria Legislativa da Câmara dos Deputados, the association of staff to the Brazilian House of Deputies. The IAF team included Jennifer Stoddart, former Canadian federal commissioner as well as lead commissioner in Quebec, Jose Alejandro, Nymity managing director for Latin America and former Colombia DPC, Jacobo Esquenazi, HP Americas privacy officer, Gustavo Artese, an IAF Fellow and Brazilian privacy lawyer, and Marty Abrams. The lead theme was enforcement agency structures, their strengths and weaknesses, and how agencies have been implemented in Canada, Colombia and Quebec. A second theme was how organizations take accountability guidance from agencies and build comprehensive programs.
The IAF was particularly pleased to be hosted by Consultoria Legislativa da Câmara dos Deputados. These are the people who will be the first to receive draft data protection legislation from the government and make recommendations to the deputies.
On 11 August, the IAF team presented a similar seminar for the business community in Sao Paulo hosted by VPBG Avogados.