Data protection frameworks emerging in the BRICS countries
By Luca Belli
The members of the so-called BRICS grouping (Brazil, Russia, India, China and South Africa) have realized that digital transformation is an essential element for the future of their economies and societies. In this perspective, data protection becomes a key priority to foster thriving digital environments, where individuals enjoy protections and businesses benefit from legal certainty.
Given the remarkable economic and strategic value that personal data has acquired, the regulation of this “new asset class” becomes also an essential factor for the assertion of digital sovereignty. This is even more relevant considering these countries are home to approximately 42% of the global population and almost 40% of existing internet users, thus making the BRICS grouping the largest producer of “the world’s most valuable resource.”
At the CyberBRICS project, we have started the first initiative to develop comparative and systematized analyses of the digital policies developed by BRICS countries. This post briefly explores some of the results of our mapping exercise, regarding the data protection dimension. While the BRICS frameworks deserve in-depth analysis, this article aims at highlighting the most striking commonalities. The BRICS Data Protection Map developed by the CyberBRICS team may be a useful resource for readers interested in having a more detailed overview.
Over the past five years, the pressing need to regulate personal data and the growing alignment in BRICS digital priorities have spurred the proposal, adoption and implementation of increasingly compatible data protection frameworks.
The grouping’s willingness to cooperate on digital policies, norms and standards has become increasingly clear since the ninth BRICS Summit in 2017. Indeed, the main outcome of the summit, the Xiamen Declaration, explicitly recognized the countries’ commitment to “advocate the establishment of internationally applicable rules for security of ICT infrastructure [and] data protection.”
The research developed at the CyberBRICS project highlights that all BRICS countries undertook major regulatory developments regarding data protection, in recent years, elaborating on new legislation, updating existing ones or establishing new regulators. These evolutions include:
- In August 2018, the adoption of a new Brazilian General Data Protection Law and, in August 2019, the approval of a new National Data Protection Authority (although this has not been established yet).
- In December 2017, the update of the Russian data protection legislation, including data localization provisions.
- In August 2017, the recognition of privacy as a fundamental right by the Indian Supreme Court and elaboration of a new Data Protection Bill, on which the Indian Parliament is expected to deliberate soon.
- In June 2017, the introduction of a new right to the protection of personal data in the new General Provisions of the Civil Code, as well as data protection and data localization norms in the Chinese Cybersecurity Law, further specified by the recently updated Personal Information Security Specification.
- In 2017, the establishment of a data protection regulator in South Africa, created by the 2013 Protection of Personal Information Act, which will be fully implemented in the upcoming months.
In a very condensed timeframe, BRICS has revolutionized data protection in its legal systems. Interestingly, despite the absence of any formal agreement on the substance of their domestic frameworks, several regulatory elements are extraordinarily similar. The main reason for such convergence is likely the common inspiration from existing frameworks, particularly the EU General Data Protection Regulation, as well as the Organisation for Economic Co-operation and Development Guidelines.
A shared data protection skeleton
Based on the findings of the CyberBRICS project, we can identify a non-exhaustive but telling list of policy elements around which BRICS data protection frameworks are converging. A more detailed comparative analysis is possible, using our interactive BRICS Data Protection Map.
Due to the relatively recent development of the BRICS data protection framework, BRICS decision-makers have enjoyed the privilege of constructing their norms based on existing best practices.
A patent example is the definition of personal data, which all BRICS — with a slightly different formulation in China — considers as the information related to an identified or identifiable natural person. A very similar approach also underpins the definitions of sensitive data, data subject and data controller.
- Data protection principles
The core principles upon which the data protection architecture is erected are also commonly shared. The principles included in BRICS frameworks may be found in virtually all data protection regulations and allow identifying a global principle core that is usually common beyond BRICS, at least regarding the first four principles. The BRICS data protection principles include:
- Purpose limitation.
- Fair and lawful treatment.
- Data minimization.
- Core rights of the data subjects
BRICS legislators have included a very similar spectrum of rights although with different flavors. All BRICS frameworks embrace provisions establishing the individual rights to:
- Access to data.
- Correction of incomplete, inaccurate or outdated data.
- Elimination of personal data processed with the consent of the data subject.
- Revocation of consent.
- Obligations of controllers
BRICS data protection frameworks also present a very comparable set of obligations for data controllers and processors. Interestingly, while the definition of data controller is virtually the same in the five frameworks, the Chinese specification does not include the role of data processor.
The core obligations for data controllers in the BRICS include:
- Abiding by data protection principles.
- Obtaining a free and informed consent to process data.
- Duly communicating information on the data processing.
- Ensure the security of all personal data under their responsibility.
- International data transfers
Finally, yet importantly, all BRICS countries have considered the essential role of international data transfers for the (digital) economy. All BRICS favor data transfers but only as long as foreign third parties are deemed as providing an acceptable level of protection.
The evaluation of a sufficient level of protection is performed through quite heterogeneous mechanisms, spanning from the adoption of adequacy decisions on foreign legal frameworks, as foreseen in the GDPR, or specific administrative authorizations to transfer data for national service providers, or yet the use of corporate rules or binding agreements admitted by national authorities.
Toward a BRICS data protection dialogue
The above-mentioned elements highlight that a shared data protection skeleton is emerging in the BRICS, spontaneously increasing the compatibility of national frameworks.
The reasons why these regulatory (r)evolutions happening in the BRICS may be heterogeneous, and the overall results are very positive.
First, the protection of personal data has finally entered national debates. This, by itself, is a tremendously important advancement in countries where there is near-to-zero data protection culture, but personal data is harvested at an industrial scale.
The rising relevance of data protection is due partly to the global policy tendencies, notably the adoption of the GDPR, as well as the numerous data-related scandals and the realization that data protection is an essential tussle of cybersecurity and digital sovereignty. In this context, the BRICS’ willingness to enhance their cooperation and alignment regarding digital policymaking is patent, and the benefits of compatible regulations may be enormous for both users and businesses.
In fact, although in the majority of BRICS countries data protection frameworks still have to be finalized or properly enforced, the introduction of norms, based on which compliance can be planned, is providing greater juridical certainty to any entity processing data while also expanding individual rights.
As many things in BRICS countries, data protection is in an experimental phase, and there is still an ample margin for improvement. Multistakeholder discussions, aimed at providing diverse opinions on what could be done to strengthen BRICS data protection frameworks and how to do so, are vital.
For this reason, we decided to stimulate a BRICS multistakeholder dialogue on data protection, organizing the first BRICS Data Protection Summit, during the Latin American edition of the Computers, Privacy and Data Protection Conference, which will take place at FGV Rio de Janeiro in June 2021.
Originally published on International Association of Privacy Professionals website, 9 April 2020.