Gabriel Araújo Souto, Fellow, Datasphere Initiative
Introduction
In my previous Fellowship blog post at the Datasphere Initiative, I discussed the importance of data governance in the pharmaceutical industry and presented the proposal for an External Data Governance Board (EDGB) as a way to ensure compliance with regulations and protect sensitive data. Under this novel proposal, the EDGB would be composed of people from different affected stakeholders who are experts in data management, law, and the specific sector of the company hosting the Board. The Board would be responsible for overseeing data governance by, for instance, performing risk assessments, supporting the development of governance protocols, and providing guidance on compliance and data protection, while providing new perspectives and avoiding biased decisions.
Here, in localizing this discussion to my country, Brazil, I suggest that an EDGB is a relevant process to be adopted by companies to be compliant with the Brazilian Data Protection Regulation (LGPD),¹ in effect since September 18, 2020, and rooted in the European General Data Protection Regulation (GDPR).
Setting up an EDGB signals externally, to the affected community (users that have their data used by that company) and investors, the adoption of good governance practices by the company. It also sends an internal signal of a culture of transparency and oversight. An EDGB can also serve as the champion for the development and implementation of company-wide data responsibility and accountability frameworks. Under this proposal, an EDGB requires that its members provide guidance and oversight regarding legal compliance with the LGPD in the case of Brazil, and serve as a sounding board for the development of a data governance culture applicable to the company’s day-to-day operations and the behavior of its employees towards data. But for this to be true, an EDGB needs to be empowered by a clear structure, with clear internal governance rules and a clear ability to affect companies’ decisions and policies.
Benchmarking of the Brazilian status quo
The LGPD – and the consultation processes that ended in its adoption – is responsible for creating a culture of data protection in Brazil which, while in its infancy, demands fast adaptation of processes by companies. It is important to note that the LGPD applies to every company – with or without offices in Brazil – in every sector of the economy that, in one way or another, interacts with personal data. The novel proposal of an EDGB, while not mandatory per the LGPD, is an enabling structure both for legal compliance and for fostering this data protection culture.
In practice, experiences with oversight boards are still new. Examples include the Facebook Oversight Board and, in Brazil, the TikTok Security Council and the Ministry of Economy Central Data Governance Committee. While these are not specifically focused on privacy and data protection, they might be good examples for the design of an EDGB.
In the TikTok case, TikTok Brazil launched a Security Council composed of academia and civil society leaders to support the company on content moderation policies and analysis of security and privacy issues.² This Council also tests products and services to support the fine-tuning of the company’s policies and compliance processes.³
At the end of 2022, and after protests from Brazilian civil society due to the various data breaches and lack of compliance with the LGPD, the Brazilian government also recognized the importance of better governance by expanding the multistakeholder oversight in the Central Data Governance Committee (CDGC) of the Ministry of Economy.⁴ This was done by inviting members of civil society to join the Committee. This committee is responsible for deciding questions on the integrity, quality, and consistency of data in the Brazilian Citizen’s Base Register – the nationwide and governmentwide consolidated dataset of Brazilians’ personal data. More recently, the committee has also been developing a series of awareness-raising and training materials for data governance across the Brazilian sector, including a series of guides, the first of which was just published.
TikTok’s Security Council and the CDGC are recent experiences, so it is still too soon to evaluate their real impact. However, I see these experiences as welcome ones to support a broader culture of oversight and the participation of affected communities in the decision-making processes that can affect them.
Conclusion and Next Steps
The LGPD has significant implications for Brazilian companies and requires them to comply with specific requirements for the collection, storage, and usage of personal data. One way to ensure compliance with the LGPD is to establish a multistakeholder EDGB. By implementing it, Brazilian companies would take an additional step to set good governance practices that hopefully ensure better equity by including affected actors in the products, services, and policy decisions that might impact them. This Board could also serve as a core internal and external interlocutor for the application of the LGPD.
In my next post, I will propose a step-by-step guide for the formation of an EDGB in the context of the LGPD, in the hope of supporting the field in furthering a culture of data protection, privacy, and trust.
¹ For an English version, see IAPP. (2020). Brazilian General Data Protection Law (LGPD, English translation). IAPP Resource Center. https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/
² TikTok. (2021). TikTok apresenta Conselho Consultivo de Segurança do Brasil. TikTok Newsroom. https://newsroom.tiktok.com/pt-br/tiktok-apresenta-seu-conselho-consultivo-de-seguranca-do-brasil
³ PrivacyTech. (2022). Tiktok faz testes para que dados sejam coletados respeitando a privacidade. PrivacyTech. https://privacytech.com.br/redes-sociais/tiktok-faz-testes-para-que-dados-sejam-coletados-respeitando-a-privacidade,422193.jhtml
⁴ Brasil. (2023). Comitê Central de Governança de Dados. Governo Digital. https://www.gov.br/governodigital/pt-br/governanca-de-dados/comite-central-de-governanca-de-dados