What do you do?
I work with privacy and data protection (for me there is a clear difference between the concepts).
These concepts are about people. Therefore, I deal with people – with people's lives. I have been working in the field for almost 12 years now, teaching, practising law and managing projects and teams. However, I like to say that my day-to-day challenge is to balance societal and corporate interests and their impacts on people's fundamental rights, not limited to privacy. It is not an easy task, mostly because it is a multifaceted environment, intrinsic to almost every human relation there is. The nuances are countless and answers are rarely clear. Every single day is a new situation that you have to face almost from scratch. Maybe this is why it is so fascinating!
Since law school, I have been passionate about the intersection between law and technology (I always wanted to be a computer engineer since I started to code when I was about 10 years old, but I ended up in law – that's a long story). As soon as I graduated I was accepted for the master’s degree in constitutional law and fundamental rights when I started to research cybercrime. However, I only properly started my interest in privacy in 2010, when a former boss of mine gave the draft of a bill of law to study so I could go with him to a meeting to discuss it.
That draft was the first version of the Brazilian General Data Protection Law, known as LGPD. Therefore I can say that I have been discussing the Brazilian regulation for more than 10 years now. Nonetheless, from 2010 to 2014 I was still working with other issues within the context of cyberlaw, such as crimes and intellectual property violations. But from 2014 on, when I returned to Brazil from a period in Singapore and Strasbourg, where I was working and researching data protection, I have focused on privacy. So when the LGPD was approved and a wave of people interested in the field started, I was already intertwined with the area.
What’s keeping you busy?
I divide my time into three areas: corporate, teaching and academia. Currently, I lead the privacy and data protection programme for LATAM at Twitter. Our team was responsible for implementing LGPD in the company in 2020, and now we are expanding our activities to other countries in the region while expanding our program in Brazil.
Also, I teach at Data Privacy Brasil, an organisation that I founded together with Bruno Bioni back in 2018 and has trained almost 4,000 people. Data Privacy Brasil has provided cutting-edge privacy and data protection education and research, taking place at some of the most important discussions in the field in Brazil and abroad.
I am finishing my PhD at the University of São Paulo. My research is about algorithmic accountability and the right to explanation. Hopefully, I can manage to finish it soon, after three years of enduring work.
What mentors or other influential figures have helped you get where you are today?
For sure, my biggest mentor is Sophie Kwasny. She was my manager at the Data Protection Department at the Council of Europe, where I was a study visitor and interned between 2013 and 2014. Sophie's passion for standing up for human rights, without never losing her kindness was invigorating. That is the same reaction you get wherever you mention Sophie's name in a privacy circle. She also became a really good friend who continues to inspire me over the years.
If you could change one data-related law, how and why would you change it?
With privacy regulation in general, what we’re seeing is that the more countries have individual laws and regulations, therefore it has become more difficult to build a cohesive level of protection. It has become harder to ensure privacy standards travel with people regardless of where they are. Therefore a common international approach should be built.
Also, I do believe that current data protection laws, the way that have been designed, are doomed to be considered flawed in achieving their basic objective: to protect privacy as a human right. That is because they continue to protect the data itself, and not the impacts that the misuse of data might have on people. That may seem awkward, but systems do not need to process personal data to have an impact on individuals. Big companies right now are investing in technologies – such as differential privacy, synthetic data and machine learning – that can process large amounts of non-personal data and yet affect people. The next generation of data protection laws needs to focus on the impact that the processing of data, personal or non-personal, may have on people's fundamental rights.
That said, I am going to give a spoiler: LGPD is almost there. Some of its provisions can be interpreted in such a way. Who knows?
How has covid-19 affected what you do?
Deeply. And I think we are far from envisioning its long-term effects. Firstly, I started a new job at a company and I have never set foot in the office. Also, the entirety of my team is located abroad. At the education startup where I teach, we had to become an edtech literally from one day to another. I have always been an outside person, practising sports, gathering with friends. That is history. Tons of empathy had to be employed to put ourselves in others' shoes, not only to try to understand their fears but to feel with them, to struggle with them. I do believe that empathy ought to be the most important legacy of these dark times we are still living.
What’s the next big thing – what data opportunities are companies now looking at?
Explainable, accountable and manageable AI. With society almost completely intertwined with automatic decisions that can have a material impact on our lives, it is of utmost importance for companies and the government to become accountable for those systems and their decisions, with or without human intervention. That will only be possible if we properly understand how we have reached those decisions. It is not enough to have access to input and outputs. It is necessary to provide explanations that allow people, individually and collectively, to understand the decision-making rationale so they can challenge them, review them and oppose them. Only through due process mechanisms, we will be able to make organisations accountable for AI processes.
What’s keeping companies worried at the moment – what are some key data risks?
Effective privacy management. Generally, it is not easy to build robust privacy teams, and it is even harder to convince the board that protecting privacy needs to be a company-wide corporate objective. Few companies have such a vision. Companies still think in matters of fines. They do not acknowledge the efficiency and reputational gains and the competitive advantage that good privacy programmes can bring to organisations. That's their biggest risk. That's what they should be worried about: how mature and effective is my privacy programme? How can I extract value and innovation from it? How can I differentiate my company and at the same time protect basic human rights?
What do you do to relax?
I cook and I practise sports. A lot of sports. Sports are an integral part of my life. I ran a couple of marathons, two ultra-marathons (more than 42km), and one half IronMan (70.3km). I started to train for a second one, but with covid and the lockdowns in Brazil, it became really hard to swim and I got tired of cycling indoors. Maybe when these twilight times end, I'll try again. As for cooking, I cook almost all of my meals, from breakfast to dinner. And I love trying new recipes and cooking for family and friends. Before Covid, it has almost become a tradition to gather people around during Sunday afternoons for a late lunch. Everybody calls it a ‘linner’!