In our last “Beat by Beat,” we looked to the experience of India, China, Korea, and Israel, and explored how governments, industry, and other stakeholders are examining data access, data rights, privacy and cybersecurity to responsibly unlock the promise of improved health outcomes and to lower costs. In this edition, we pivot to Latin America, where we examine two key markets: Brazil, with its new data protection framework coming online in late 2020, and Chile, which is on the cusp of creating a personal data protection agency.
Brazil: Following in the EU’s GDPR Footsteps?
Brazil’s healthcare market is one of the most important in Latin America: it has the region’s largest population, at over 200 million, and an elderly population expected to expand from 20 million to 65 million by 2050. Recent estimates place the value of the Brazilian digital health market at over US $843 million.
Brazil is updating its legal framework for data protection, with the finalization of the Brazilian General Data Protection Law (LGPD) in December 2018. The LGPD requires companies to implement substantial changes in their personal data processing operations, as it establishes a number of obligations on those who process personal data. Agents must: 1) enact security measures; 2) obtain consent of the data subject; 3) demonstrate compliance with the rules for data processing; 4) inform data subjects of any changes in data processing; and 5) delete personal information of data subjects upon the completion of processing.
The law’s key provisions closely mirror the EU’s General Data Protection Regulation (GDPR), most notably with respect to extraterritorial application, international data transfers, and penalties of up to two percent of a company’s previous year’s global revenue (GDPR allows for fines up to four percent of revenue), limited to 50 million reais (approximately US $12.9 million). The law, however, does deviate from GDPR in several aspects, and provides an additional, specific legal basis for processing data in order to "protect health, in a procedure carried out by health professionals or health entities."
In the final days of 2018, outgoing Brazilian President Michel Temer moved to create the National Data Protection Authority (ANPD), which will initially be housed within the office of the President. The Brazilian government has until the end of February to vote on the measure, which some have criticized as creating a "weaker" and less autonomous data protection body than originally intended, given its linkage to the executive office. The LGPD's date of entry-into-force was also delayed until August of 2020, giving digital health innovators until then to identify potential risks and implement changes to their data practices.
As with compliance with the GDPR, healthcare companies that collect data in Brazil or offer services to its citizens will need to examine privacy and data protection policies, and consider changes to meet potential requirements, including: appointment of a data protection officer; conducting a risk-based data protection impact assessment (DPIA) before processing data; monitoring of data processing; ensuring technical security safeguards; and developing a plan for notification in the event of a breach or data incident.
Chile: Creating a Personal Data Protection Agency
In Chile, there is also political momentum in the legislative and executive branches to reform the country's data protection regulations. In 1999, Chile became the first nation in South America to pass a comprehensive data law, but some believe the law lacks adequate supervisory mechanisms and fails to cover the processing of information through technology. To remedy these shortfalls, Chilean lawmakers have been working on several measures, including creating a personal data protection agency to ensure compliance with legal obligations and to penalize any breach. On April 3, 2018, the Senate approved the general text of the bill. For the bill to become law, it will need to pass discussion in both the Senate and the Chamber of Deputies. Some observers predict that it could be approved by both chambers as early as 2019 and become mandatory by 2020.
A key feature of the reform is the creation of a new Chilean personal data protection agency. The design of the agency explicitly takes into account the experience of the Spanish Personal Data Protection Agency. The Spanish agency and European regulations served as models for Chilean lawmakers when determining the key features of the new legal data protection framework for their country. As a result, health innovators could expect prescriptive requirements with regard to data collection, and a strong emphasis on individual rights and control of their data.
Looking East, Looking West – or Global Interoperability?
This fluid, evolving data protection environment in Latin America raises several questions: Will privacy regulators look to emulate European principles or import the GDPR framework, wholesale? Does the broader Asia-Pacific region provide different perspectives or models that can be incorporated – particularly for countries such as Chile and Peru, as Pacific Rim nations and members of the Asia-Pacific Economic Cooperation (APEC) forum? And most importantly, is there a “third way” that could bridge the various regimes and move toward global interoperability?
In October, on the margins of the 40th International Conference of Data Protection & Privacy Commissioners (ICDPPC) in Brussels, C&M International convened privacy thought leaders to consider this very question. The event brought together industry associations, privacy regulators, and other government officials to discuss unique perspectives from the Asia-Pacific on data protection and efforts to enable seamless global data transfers. Alongside the event, C&M International announced a multi-association letter with seven initial industry signatories, calling for renewed dialogue between APEC and the EU around interoperability of privacy frameworks and cross-border data transfers.
Inherent in the discussion and the accompanying industry letter was the notion that the APEC Cross-Border Privacy Rules (CBPR) system could be, with continued uptake and some reforms, a framework to provide that practical bridge between different privacy regimes. The CBPRs are unique in respecting individual countries’ ability to legislate in this arena – thus rejecting a “one-size-fits-all” approach – while providing a mechanism that enables seamless cross-border data transfers with strong standards for protection of personal information. Importantly, the CBPR system continues to gain momentum. Just last month, APEC’s governing body for the CBPRs approved Australia and Chinese Taipei as the latest participants, expanding the CBPR system to eight member economies – with others expected to follow. More companies are expected to be certified in the coming months, along with the potential for additional third-party accountability agents to administer the certification process. As the Latin America data protection landscape continues to evolve, companies making strategic investments in the region should partner with APEC and CBPR-participating economies in building global standards and interoperable mechanisms to promote privacy protections, while enabling the flow of data that underpins the 21st century digital economy.