Brazilian data protection authority should have directors with different profiles, senior official says

30 April 2019 9:30am
Brazilian Flag

23 April 2019. By Rodrigo Russo.

The Brazilian government wants to ensure that the country’s data-protection authority will have directors with varying profiles and experiences, a senior official from the Ministry of Economy told MLex.

“It is important to ensure a multidisciplinary, multisector character for this agency," said José Antônio Batista de Moura Ziebarth, the director in charge of data-protection matters for the ministry. "We want to have directors with different profiles, coming with multiple experiences and perspectives. It would be important to have data scientists, for example, rather than only lawyers and economists.” 

Potential candidates must be willing to engage in a “hands-on” approach, Ziebarth added. “Our perspective is that these officials will have a lot of work to do by themselves, working with a small staff. We must first test the demand for the agency and be cautious with its budget. We want to learn from the best international practices and check if some initiatives can be applied here in Brazil,” he said.

Many lawmakers and data-protection observers have been debating how large the agency should be. Ziebarth said that the UK’s Information Commissioner’s Office, frequently mentioned as a model, currently has a staff of around 700, but in its early stages, it began with around 20 people.

Ziebarth wants the directors of the agency to be appointed by August — or September at the latest. Under the current design of the agency, which still needs approval by the Congress, it would have five directors appointed by Brazil’s president.

“The selection process should start as soon as possible. We’re currently considering promoting a public call for those willing to occupy the seats, which would then be scrutinized and interviewed to guarantee we’ll have the best candidates for the jobs,” Ziebarth said.

Once it is effective, the agency could begin its work by defining sector-specific regulation, such as banking and healthcare, Ziebarth said, based on his ongoing dialogue with foreign data-protection authorities.

The model of the authority

Ziebarth told MLex the Ministry of Economy is adopting a pragmatic stance on the model under which the data-protection authority would operate. Under the presidential decree currently discussed by lawmakers, the authority will be part of the Presidency.

The original design established that it would be an independent agency within the Ministry of Justice, but legal advisors to the country’s chief of staff already said that they would challenge the constitutionality of a return to this model, claiming the legislative branch can't create expenses to be incurred by the executive branch.

“We acknowledge this isn’t the ideal model, but it’s what we can implement today. The big question for us is the timely creation of the authority. It would be counterproductive and inefficient to drag this debate further. We need it up and running. We need clarity: the data protection bill will enter into force one way or another, and our concern is that the rules and the referee must be ready before the game begins,” Ziebarth said.

“The data protection bill has 53 mentions to the ‘authority,’ and one must consider the turmoil that could happen if no central authority is created by the time it enters into force" by August 2020, according to the presidential decree. "That could lead to a chaos in the system, with several local and federal agencies ruling differently on similar topics, increasing legal uncertainty. Our perspective is to protect legal certainty,” Ziebarth added.

Adequacy with EU

Ziebarth said that as it currently stands, the data-protection agency model will not be enough to obtain a favorable “adequacy” decision from the EU, even if the government pledges technical autonomy and de facto independence for its work.

“Adequacy” is EU jargon for agreements struck with countries outside the bloc in recognition that national laws provide adequate protection of European citizens’ information when it travels across borders.

But Ziebarth emphasized that this is just the first step, and one that should be temporary.

“The discussion of data protection is fairly recent in the country," he said, but "the Ministry of Economy is committed to taking Brazil to an advanced stage at the global arena. The country must think about this process. Brazil wants to join the OECD, which asks for efficient application of international best practices.”

GDPR