At the time of writing this chronicle of my impressions of the International Privacy + Security Forum (IPSF) that took place in Washington DC in full "Cherry blossom" On April 4 and 5, 2019, the Global Privacy Summit organized by the influential IAPP that brings together almost four thousand privacy professionals showing that the DC is - along with Brussels - the capital of the world in terms of privacy despite the fact that the United States continues without having a federal law on the matter.
The organizers of the IPSF, the veteran "evangelists" of privacy in the United States, Daniel J. Solove de la George Washington University -where the Forum took place- and Paul M. Schwarz from Berkeley Center of Law and Technology Laura Juanes, privacy leader at Facebook and myself were entrusted with the organization of the two panels on privacy in Latin America and this chronicle will focus on what was discussed in those panels and the sessions that stimulated me the most at the Forum, therefore, personal chronicle and not an exhaustive report of everything discussed there.
PRIVACY IN LATIN AMERICA
Where is the region going?
After recalling that the region - if the Caribbean and the Central American countries are included - is made up of more than twenty jurisdictions, sometimes very different from each other, Laura Juanes, global director of Privacy Policy Engagementreviewed the privacy regulations already existing in most of the countries "first generation laws" -in which the now repealed Spanish LORTAD and LOPD had a lot of influence, which had not completely correctly transposed the also today repealed Data Protection Directive- by not including, for example, the legitimate interest as a legitimizing basis for the treatment-, the "second generation" laws -with great influence of the RGPD- currently under discussion (caso of Argentina) and, finally, the legislative initiatives that several countries are currently following (notably Chile) without forgetting the great importance that the future Brazilian law may have in the region due to the great demographic and economic weight of Brazil.
The panelists highlighted that the Ibero-American Data Protection Network, which has more than fifteen years of history, is the regional forum of authorities and their Data Protection Standards for Ibero-American States The kind of "directive" for effective cooperation related to the protection of personal data and regional privacy has been consolidated as the axis - or in European legal terminology. However, the panel found that the existing cooperation and coherence mechanisms in the region are far from being able to be equated with those created by the European model due to the different legal and institutional framework that exists between the Member States of the European Union and the countries of the Ibero-American region.
Likewise, due to the great economic influence that - for example, in economies such as Mexico - the US has, the panelists also agreed that although the adaptation with the European Union (which today only recognizes Argentina and Uruguay as countries with a adequate regime equivalent to the European one) is an important political objective, we must not lose perspective of the economic and political influences of the region. A) Yes, Isabel davara (recognized privacy lawyer in Mexico) recalled that although Mexico continues to take firm steps to obtain compliance with the European Union - as confirmed by its recent ratification of Convention 108 - it is a regional leader with its own criteria and autonomy. The lawyer stressed how in the future Treaty between Mexico, United States Canada (T-MEC) -USMCA in its acronym in English- that will replace NAFTA affects the importance of respect for data protection in digital commerce, making express references to the OECD and APEC principles CBPR which, as also underlined Jose Alejandro Bermudez Durana (former Superintendent of Data Protection in Colombia and lawyer in Colombia), are also consolidating as an important regional standard.
For this reason, and despite being evident the great influence that the GDPR is exerting around the world - many already qualify it as the global standard in terms of privacy - the panelists agreed that although the existing approach to global problems (for example, gaps of security) tends to emulate the notification solutions of the GDPR, each country is different and it is essential to take into account the local context when entering the region that, for regulatory purposes, moves between different influences and is entering the elaboration of its “second generation” laws that, hopefully, take on the best of each regulatory model and learn from the mistakes made.
Brazil: the giant awakens the world of privacy
Nothing better than the one considered as "father of the law", danilo donada (professor at the University of Rio de Janeiro) and Andre Giaccheta (prestigious lawyer of the Pinheiro Neto law firm) to reel, with the acute and pragmatic restraint of Laura Juanes a panel that began with a shocking statement that should not be forgotten and that is that, if the Brazilian law finally enters into force in the summer of 2020 - the date on which its extended vacatio legis-, Brazil will become - with its almost 210 million inhabitants - the largest country in the world with a general data protection law.
Now, the tortuous process of elaboration that the enactment of the Law had, its vetoes by the President and the complexities present in the Brazilian legal framework due to the existence of several laws that regulate this matter such as the Civil Framework of the Internet (Law No. 12.965 / 14), its regulatory decree (Decree No. 8.771 / 16) and the Access to Information Law (Law No. 12.527 / 11) which -as evidenced in the panel- pose contradictions between the different regulations, there is still an obstacle This will be resolved very soon (June 2019) and is whether or not the law will be validated by the new Congress.
Trusting that this validation will take place, the panelists explained the keys of the Law, in which the RGPD has had great influence and agreed that for Brazil to have the corresponding leadership role and achieve adaptation with the European Union it will be critical that your future data protection authority National Data Protection Authority o ANPD is configured as a truly independent supervisor in which, if I can allow the suggestion, hopefully we will see Danilo Doneda as the first director.
FROM IRELAND, HELEN DIXON AND THE CHERRY ON THE CAKE IN THE WEEK OF THE CHERRIES IN FLOWER
The keynote address of the first plenary session was given by the director of the Irish data protection authority, Helen Dixon, who in the week of the impressive natural spectacle of the cherry blossom of Washington DC ("Cherry blossom") was the "Cherry on the cake" of the conference.
It should be remembered that Ireland has gone from being one of the countries that, unfortunately, were part of the PIIGS (Portugal-Ireland-Italy-Greece-Spain) and that it was most affected by the financial crisis to become an attractive destination for companies. American technology multinationals that have located their European headquarters there. Its attractive tax regime, its well-educated and English-speaking population and Brexit are some of the ingredients of the success achieved in which its pragmatic - not lax - supervisory regime has played an important role.
Helen Dixon outlined the strategy of the Data Protection Commission which he leads, which has the support of the Irish government to continue increasing its office staff from 130 to 170 employees this year. Ireland is well aware of the importance of its data protection authority, which is already one of the main European control authorities, as it has among its supervised large American technology companies such as Facebook (Whatsapp-Instagram), Microsoft-Linkedin , Apple, Twitter, etc. Dixon who stated that she is determined to use her sanctioning powers as necessary, although she had no qualms about recognizing the efforts made by these companies and the innovations they are making to give citizens greater control over their data and highlighted how much they It can be obtained from public-private collaboration in the common objectives that society faces.
Faced with the Manichean approaches to which we are accustomed in other latitudes of southern Europe, Helen Dixon's speech and the "Business case" or “country project” for which Ireland has chosen with its fiscal and regulatory regime are an example of attracting talent and technological investment to be followed closely.
THE EUROPEAN DATA PROTECTION COMMITTEE: FIRST IMPRESSIONS
Anna Zawila-Niedzwiecka, from the legal department of the new European Data Protection Committee explained to the American audience the differences between the old Working Group on Article 29 of the Directive and the new Committee, which, if something was clear, has - for the moment - little staff and a very tight schedule of meetings in Brussels of the different authorities national supervisors.
In the plenary session that the European Data Protection Committee and the Federal Trade Commission americana was evidenced a good understanding between those responsible for regulators on both sides of the Atlantic and the efforts because the Privacy Shield be consolidated into an adequate mechanism despite the fact that if I can afford it, it is aware that some so-called privacy “activists” - or rather their own ego - will not give up trying to prevent it.
The Committee - like the European Commission - expressed its willingness for the GDPR to end the national disparities of the Directive and its commitment to make the cooperation and coherence mechanism work. If this is not the case, our opinion is that then it will be the Court of Justice in Luxembourg who will have to carry out this task and it would be desirable that the GDPR could be implemented in a homogeneous way in all Member States without having to involve Luxembourg each time they occur. discrepancies.
ROLE OF THE PROVIDERS OF GDPR COMPLIANCE SOLUTIONS
The GDPR has led to a veritable explosion of “compliance” solution providers to comply with the GDPR. In this panel Ari ezra waldman from New York University shared with the audience the study carried out on these “vendors"And shared a panel with representatives of the IBM subsidiary (Promontory) and as representatives of the"vendors”BigID and Anonos.
The panel made it clear that the contracting of these solutions should not be perceived as contracting an insurance that eliminates all the risks of compliance with the GDPR. However, it was agreed that these solutions help to reinforce the active liability measures required by the GDPR.
Despite the extraterritorial reach of the RGPD and the impact it is having in the United States, it is striking as these "vendors”Are more popular in the American market than in the territory of application par excellence of the GDPR, which is Europe, where companies continue to rely more on lawyers and consultancies to support regulatory compliance than on technological solutions offered by these solution providers. Now, the unstoppable growth of the industry "cool tech"And the expansion to Europe of these" vendors "predicts will increase and its success will depend on how regulators value the fact of having these solutions in place or not when it comes time to initiate a sanctioning procedure.
WORLD BANK PROJECT ON DIGITAL IDENTITY, PRIVACY AND ECONOMIC DEVELOPMENT
The last panel of the Forum as in the biblical episode made the best wine reach the end since the World Bank, in the hands of the Spanish fredes montes presented his project Identification for Development ID4D along with attorney Roy MacMillan and San Jose University (California) professor Mike Jerbic.
The ID4D initiative aims to help countries become aware of the transformative potential of the implementation of digital identification systems. And it is that, as is known, there are still a million million people in the world without identification, which excludes them from social protection, access to health systems, financial services, political rights and other types of services, leading them to be subject to discrimination, and social exclusion. Digital identity could facilitate access to services for a large number of people, however, this form of identity is not without risks or challenges for its adoption.
The panel aroused a lot of interaction among the attendees since, even in developed economies, digital identity is being a great challenge due to the lack of agreement regarding identity management by private providers or the absence of interconnection between different identity providers. Challenges that in some way the European Regulation e-IDAs aims to solve.
CONCLUSION
While the cherry blossoms of Washington DC were in bloom, hundreds of privacy professionals cloistered themselves between the walls of the George Washington University to try to envision the direction that privacy and information security should take in the times that we have had to live.
El Cherry blossom”Or National Cherry Blossom Festival, is an annual celebration that takes place every spring in Washington DC in commemoration of the gift that the mayor of Tokyo, Yukio Ozaki made of three thousand (3.000) Japanese cherry trees on March 27, 1912 Mayor Ozaki donated these trees in an effort to increase the growing friendship between the United States and Japan and also to celebrate the close relationship between the two peoples.
I do not know if the RGPD can be seen as the gift that Europe gave to the world, but let's hope that at the next annual meeting of the IPSF, countries like Brazil that have chosen to align their future legislation with the European standard can tell us if that tree from latitudes much colder it curdled and flourished and that we can admire its flowers.
This article was initially published in the newsletter of THE LAW Privacy.
© 2019. Javier Fernandez-Samaniego
javier.samaniego@samaniegolaw.com
