GDPR Goes Global: The Case of Brazil and India

The GDPR has decisively reshaped the global privacy debate, as evident by Brazil and India’s proposed new data protection laws that bear the GDPR’s mark. While harmonising approaches to privacy may make international compliance easier, they also presage how GDPR will provoke an additional wave of new, divergent rules in key markets. It’s worth keeping a weather eye open to what other GDPR-inspired laws may wash ashore.

The GDPR has decisively reshaped the global privacy debate, as evident by Brazil and India’s proposed new data protection laws that bear the GDPR’s mark. While harmonising approaches to privacy may make international compliance easier, they also presage how GDPR will provoke an additional wave of new, divergent rules in key markets. It’s worth keeping a weather eye open to what other GDPR-inspired laws may wash ashore.

Brazil

After several changes in government and nearly eight years of development, Brazil has finally approved a new General Data Protection Law (LGPD). The law replicates GDPR’s tripartite division of data subjects, controllers, and processors, as well as its stringent consent standards.

Under the LGPD, businesses will be required to appoint a Data Protection Officer and citizens will have the right of data portability. Similar to the GDPR, the LGPD will be applicable to organisations with headquarters in Brazil as well as those processing data in Brazil and the personal data of Brazilian residents.

While similar in content to GDPR, the law does not create of a national data protection authority; this line item was vetoed by the Brazilian president, Michel Temer, although a data protection authority will likely eventually be proposed by a successor. The law will take effect in February 2020 and in the meantime, the EU must determine whether Brazil offers an adequate level of protection to approve data flow between the two jurisdictions.

India

The national government’s ‘Srikrishna Committee’ has issued its long-anticipated draft legislation for a new Personal Data Protection Bill (PDPB).

While not based on the same principle of “fundamental rights” as the GDPR, the PDPB maintains a consent-centric framework. It keeps the tripartite division of data subjects, “data fiduciaries” (controllers), and processors and also seeks to exert broad, extraterritorial jurisdiction, limiting data collection and processing with regards to purpose, necessity, notice, quality, period of storage, and ‘fair and reasonable’ processing.

Alongside this, the draft law offers a new and complex system for cross-border data flow, whereby copies of personal data must be stored in India. Processing “critical” categories of data, as identified by the Indian government, must also take place exclusively in India.

New Burdens on Industry

A proliferation of regulatory regimes with standards that are still incompatible is the worst possible outcome for business. High compliance demands will impose new burdens on global business and data-driven innovation, while fragmentation threatens the ability to operate across borders.

The GDPR represented a radical change in global privacy rules and, regardless of its virtues or flaws, it set the standards for future national regulation across the globe. Nevertheless, while the GDPR may be the first point of departure for upcoming privacy regulations, policy-makers in many places are adding unique features and nationally specific data protection rules that complicate global business. As a wave of shifting global privacy rules approaches, globally engaged companies can’t take their compliance for granted and need to stay on top of new developments.

Want to find out more about what leading companies are doing to comply with new requirements? Watch our “GDPR Goes Global: The Case of Brazil and India” webinar.

GDPR and data protection regimes are just some of the issues that our team advises on. We have the tools to help you stay ahead in this ever-changing regulatory landscape. Find out more about out Data Governance Advisory Tool here.

Related Articles

Upcoming Webinar | Wi-Fi 6: Perspectivas y Oportunidades para México

Upcoming Webinar | Wi-Fi 6: Perspectivas y Oportunidades para México

En México y en el mundo, la irrupción del Covid-19 y el aislamiento social han acelerado la dependencia en el...

12 Apr 2021 Events
CITC Webinar: Fostering 5G Technology in Saudi Arabia

CITC Webinar: Fostering 5G Technology in Saudi Arabia

CITC is working to transform Saudi Arabia into a digital society by enabling an array of different wireless technologies that...

8 Apr 2021 Events
Upcoming Webinar: Fostering a New Generation of Satellite Technologies in Saudi Arabia

Upcoming Webinar: Fostering a New Generation of Satellite Technologies in Saudi Arabia

Saudi Arabia’s Communications and Information Technology Commission (CITC) will host a webinar focusing on the future of satellite technologies and...

6 Apr 2021 Events
Tech Policy Podcast | Episode 13: In Conversation with Chamber of Progress Founder Adam Kovacevich

Tech Policy Podcast | Episode 13: In Conversation with Chamber of Progress Founder Adam Kovacevich

In this episode, we are joined by the Chamber of Progress Founder and a veteran Democratic tech policy executive, Adam...

1 Apr 2021 Webcasts