General Data Protection Law Research Articles

Enhancing Organizational Compliance Programs: The Impact of Data Protection Implementation under the Personal Data Protection Law

This research aims to address the following question: Is there an intersection between compliance programs and the privacy requirements outlined in the General Data Protection Law (LGPD)? To achieve this objective, the study examines the key legal aspects that directly relate to compliance programs and need to be considered for effective implementation of data protection within a corporate organization, in accordance with Brazilian legislation. The research adopts a deductive method and relies on a thorough analysis of relevant literature.
 The findings of this study demonstrate that compliance programs play a crucial role in guiding ethical guidelines within an organization. Given this, it is concluded that compliance programs should incorporate the legislative parameters outlined in the LGPD into their policies and initiatives. By doing so, organizations can ensure that data protection is effectively addressed, aligning their compliance efforts with the requirements of the law. This integration helps organizations establish robust mechanisms to protect personal data, safeguard privacy, and mitigate the risks associated with non-compliance.
 The research highlights the importance of considering data privacy as an integral part of compliance programs. It emphasizes the need for organizations to adopt a proactive approach by integrating privacy requirements into their compliance frameworks. By aligning compliance programs with the LGPD, organizations can foster a culture of data protection, enhancing trust among stakeholders and promoting a responsible and ethical business environment.
 In conclusion, this study underscores the interdependence between compliance programs and data privacy regulations, specifically the LGPD. It emphasizes the necessity for organizations to incorporate privacy requirements into their compliance strategies, thereby ensuring effective implementation of data protection measures and adherence to legal obligations.

Perceptions of ICT Practitioners Regarding Software Privacy.

During software development activities, it is important for Information and Communication Technology (ICT) practitioners to know and understand practices and guidelines regarding information privacy, as software requirements must comply with data privacy laws and members of development teams should know current legislation related to the protection of personal data. In order to gain a better understanding on how industry ICT practitioners perceive the practical relevance of software privacy and privacy requirements and how these professionals are implementing data privacy concepts, we conducted a survey with ICT practitioners from software development organizations to get an overview of how these professionals are implementing data privacy concepts during software design. We performed a systematic literature review to identify related works with software privacy and privacy requirements and what methodologies and techniques are used to specify them. In addition, we conducted a survey with ICT practitioners from different organizations. Findings revealed that ICT practitioners lack a comprehensive knowledge of software privacy and privacy requirements and the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais, LGPD, in Portuguese), nor they are able to work with the laws and guidelines governing data privacy. Organizations are demanded to define an approach to contextualize ICT practitioners with the importance of knowledge of software privacy and privacy requirements, as well as to address them during software development, since LGPD must change the way teams work, as a number of features and controls regarding consent, documentation, and privacy accountability will be required.

Impact of GDPR on Identity and Access Management

This article examines the implications of the General Data Protection Regulation (“GDPR”, “Regulation”) on Identity and Access Management (“IAM”) process and system design. It introduces organisational and technical good practices that may help ensure demonstrable compliance with the Regulation as well as improve user experience and customer trust.Although the focus here is on the GDPR, the approaches described may, by extension, also help in complying with data protection legislation in other geographies including (for example) the California Consumer Privacy Act (“CCPA”), or the Brazilian General Data Protection Law (“LGPD”).

The General Data Protection Law and the Challenges of Compliance in the Third Sector: An Analysis of Impacts and Alternatives

This article examines the implementation of the General Data Protection Law (GDPL) within the Third Sector and explores the challenges faced by organizations in achieving compliance. The objective is to analyze the applicability and effects of the GDPLwithin this sector and identify potential solutions and alternatives. The article employs a qualitative approach, utilizing a literature review methodology to gather information from academic articles, legal doctrines, and relevant publications. The historical and legislative background of data protection and privacy is first discussed, both from an international (European) perspective and its subsequent evolution in the Brazilian legal framework. The study then delves into an in-depth theoretical analysis of the key provisions of the GDPL to provide a comprehensive understanding of its impacts and contributions. The main focus of the study is on identifying the significant challenges that Third Sector entities encounter during the process of GDPL compliance and proposing effective strategies and approaches to address them. The article concludes by emphasizing the importance of compliance with the GDPL to avoid penalties, liabilities, and potential economic repercussions for Third Sector organizations, given the influence that compliance has on their partnerships and collaborations.

The EU-US Privacy Shield Regime for Cross-Border Transfers of Personal Data under the GDPR

Cloud-based technologies, big data, statistical signal processing algorithms, and Artificial Intelligence (AI) technologies are expected to play an increasingly important role in themedical field. Big data and AI-technologies rely on the cloud for data storage as well as for computational power and thus need effective and robust legal frameworks for international data transfer. Because of inconsistent data protection regulations, this is not always simple to achieve as it can be illustrated in the United States (US)–European Union (EU) context. Due to the lack of general data protection law at the federal level, the US currently does not have a general ‘adequacy decision’ from the European Commission (EC) to enable EU-US cross-border data transfers without the need for additional data protection safeguards under GDPR. As a fallback, a ‘limited adequacy’ decision was adopted in 2016 on the so-called ‘EU/US Privacy Shield Framework’. This framework protects the fundamental rights of natural persons in the EU and allows the free transfer of personal data to companies that are certified under the EU-US Privacy Shield. However, the EU-US Privacy Shield has been recently contested at the Court of Justice of the European Union (CJEU). This paper analyzes the EU-US Privacy Shield Framework, the associated legal challenges, and how these might affect organizations deploying or implementing cloud-based medical technologies relying on cross-border data transfers from EU data subjects.

Protection of Personal Data in Brazil: Internal Antinomies and International Aspects

A new era of personal data protection regulations has been emerging worldwide. The European GDPR (Regulation No. 679/2016) is the main example. To cope with the new landscape and foster the international flow of data many countries are amending their regulations, using the GDPR as a landmark. In this context, Brazil enacted its first General Data Protection Law - BGDPL (Law No. 13.709/2018) on August 14th, 2018. Brazilian firms, internet activists and scholars were all eagerly waiting for this regulation, since it was supposed to be enacted in 2014, alongside with the Brazilian Civil Framework of the Internet - BCFI (Law No. 12.965/2014) and a new Copyrights Act, to adapt the Brazilian legal system to fit the needs of the 21st century. However, the legislative process for approval of these new acts did not develop as expected, resulting in some contradictions between them. The purpose of this paper is to draw a comparison between the new Brazilian General Data Protection Law and the Brazilian Civil Framework of the Internet, putting in evidence some of these contradictions. It is argued that if not properly addressed, these contradictions can jeopardize the new act and cause severe practical problems. Since the BGDPL is strongly based on the European GDPR, a comparison will be also draw between them. The specific points of contradiction that will be addressed in this paper are the ones dealing with the data subject’s informed consent and with fines and penalties. The focus is on the interpretation of these legal texts with the support of the legal literature. In the end, the authors propose a way of harmonizing the Brazilian regulations – therefore contributing for a better data protection environment in the country – as much as assuring its compatibility with the GDPR and the international standards.

Reflexiones escépticas, principiológicas y económicas sobre el consentimiento necesario para la recolección y tratamiento de datos

Is there a correspondence or affinity between the juridicalprincipiological and factual-economical conceptions for the effective protection of the consent of the holder of personal data when hiring in a network?Under the mantle of the present question, it aims to analyze the contemporary contractual scenario under the perspective of the privacy policy and the Brazilian General Data Protection Law (LGPD). In this context, it is proposed a skeptical reflection on the principles and economic guidelines defended by law and doctrine to verify if the consent is an instrument of real effectiveness to the tutelage of the subjects in network. The first topic concerns the conceptual and conceptual analysis of consent in the LGPD and in the specialized doctrine. The second topic deals with the limited rationality of the users of the network services in understanding the dispositions in the policies of privacy and in the terms of electronic services. At the end, it is concluded that despite the juridical and legal defense aimed at solidifying consent as an indispensable tool for collecting and processing data, the current electronic contractual model does not allow its effective concretization, proposing, in this case, an alternative. The rationale is anchored in the deductive, bibliographical and integrated research methods and in the case study technique.

Dados pessoais sensíveis e a tutela de direitos fundamentais: uma análise à luz da lei geral de proteção de dados (Lei 13.709/18)

O presente artigo pretende aproximar o conceito de dados pessoais sensíveis de uma teoria de direitos fundamentais, por meio de uma interpretação dos princípios e valores constitucionais que justificam a proteção do direito à privacidade. Pretende-se investigar a Lei Geral de Proteção de Dados - Lei 13.709/2018 - e as políticas por ela assumidas no que diz respeito ao trata­mento de dados pessoais sensíveis tanto pelo Estado, quanto pelo Mercado. Sustenta-se a necessidade de um tratamento restrito dos dados pessoais sensíveis como forma de proteção contra o seu uso discriminatório, visando a promoção plena do exercício democrático.

Indian Personal Data Protection Act, 2018: Draft Bill and Its History, Compared to EU GDPR and California Privacy Law

2018 is a big year for data privacy and data processing regulation. On July 27, India published a draft bill for a new, comprehensive data protection law to be called the Personal Data Protection Act, 2018, only a few weeks after the European Union General Data Protection Regulation (GDPR) took effect on May 25, 2018 and California enacted the California Consumer Privacy Act of 2018 at the end of June. Brazil already followed with a new General Data Protection Law (Law No. 13,709/2018) only a few weeks later, on August 14, 2018. With the new law, the Indian government responds to a mandate from the Indian Supreme Court, which had directed the government of India in August 2017 to enact comprehensive data protection legislation. Before the Personal Data Protection Act becomes effective in India, there is no omnibus data protection regulation as in Europe, nor are there detailed sectoral privacy laws as in the United States. The new Indian Personal Data Protection Act adopts and further develops many existing principles of EU-style data processing regulation and some aspects of U.S.-style data privacy laws. Global companies can, and should try to, address the requirements of the new Indian Data Protection Law, the GDPR, the California Consumer Privacy Act and other privacy regimes simultaneously and holistically, in the interest of efficiency. But, it is also clear that companies cannot just expand the coverage of their GDPR-focused compliance measures to India without addressing the nuances of the new Indian Personal Data Protection Act, and the many differences compared to other jurisdictions' data processing regulations and data privacy laws. It is noteworthy that India is not maintaining its status quo, pursing lighter regulation, or following the U.S. approach of sectoral, harm-specific protections for individual privacy, in which the Silicon Valley rose to world leadership in information technologies and the broader U.S. technology sector flourished. Instead, India is leaning heavily towards the European model of restrictive data processing regulation. This shift could well affect India's globally leading information technology sector. In our article, we review the history and political context of the draft bill, summarize its key provisions, and compare them to the EU GDPR and the California Consumer Privacy Act.

Will it be a better world? The proposed EU Data Protection Regulation

This article concerns the proposal by the European Commission to govern data protection on the basis of a regulation. It considers arguments in favour and against using a regulation with respect to general data protection law. A regulation sustains harmonization primarily in respect to transnational data processing but cannot achieve the goal of full harmonization within the EU. A regulation has several negative consequences for data protection at the national level. It is furthermore assumed that the proposed Regulation will improve the position of data subjects but it is disappointing that key issues with respect to social networks have not been addressed.