I came to the data field due after working in civil service for the past 15 years and also through an academic career focused on the intersection between law and technology. I first became involved in data protection about 10 years ago when this was still a new issue in Brazil. At the time, Brazil was beginning to debate the adoption of a comprehensive data protection law, and, as a civil servant, I had the privilege of participating in the early discussions on the proposed legislation. Some years later, I had the opportunity to dive deeper into this field while working on policies that highlighted the critical role of data protection frameworks in national digital transformation and AI strategies. As the Data Protection Bill gained momentum in Congress, privacy also became an important field of interest for me academically. In 2020, I was honoured to be appointed a member of the first Board of Directors of the newly-created national Data Protection Authority (ANPD).
In terms of challenges, regulating the use of data requires a deep understanding of technological changes and market structures, taking into account international debates and regulatory developments in other jurisdictions. In a country such as Brazil, where personal data protection is still a new issue, the biggest challenge is to understand this rapidly evolving technological and legal landscape, with a view to protecting fundamental rights while maintaining a legal environment that stimulates innovation.
The ANPD's administrative sanctioning regime came into force in August 2021. GDR asked: How has this changed the agency's approach to regulation?
ANPD was created very recently, in November 2020, and has been focused on developing and implementing the Brazilian general data protection law. Over the past year, ANPD provided guidance on several relevant issues, held public consultations and public hearings, and established formal channels to receive questions, complaints, and data breach notifications. We also worked hard to approve the regulation on administrative sanctions, through open consultation processes. ANPD chose to adopt a responsive approach, based on the idea that while administrative sanctions are a relevant enforcement tool, it is also necessary to consider other approaches to promote compliance with the law, through an effective dialogue between the regulator and regulated entities. In this sense, even before the administrative sanctions were enforceable, ANPD interacted with data controllers and processors to request information and issue recommendations on compliance with legal obligations. As of August 2021, we can also apply administrative sanctions, such as warnings, fines, and suspension of data processing activities. Our understanding, however, is that enforcement actions must go hand-in-hand with strategies for awareness-raising, education, and constructive engagement.
In terms of emerging trends, artificial intelligence regulation is one of the most important topics on the agenda. Many of the principles currently discussed in connection with AI, such as accountability, fairness, transparency, and non-discrimination, have strong roots in the field of privacy and personal data protection. Furthermore, there seems to be a trend towards adopting binding legislation and regulation in several countries and it is still not clear what the role of data protection authorities will be in this new scenario.
In terms of challenges to gender equity in the field, while technological professionals are still mostly masculine, many women work with data protection in Brazil, particularly in the legal profession. The challenge, however, is to ensure that these women are not only included in teams to provide legal and regulatory advice, but also have opportunities to take on leadership positions and have seats at the tables where relevant decisions are taken. This is still an issue in Brazil, where women are still a minority among top executives, despite, in general, having higher qualifications than their male peers.
At ANPD, approximately 50% of our staff is female and two out of five members of the board of directors are women. We also have several women in leadership positions in the organisation. I believe that an important aspect of promoting gender equity is to create an environment in which balance can be found between private life and professional demands, and this may include establishing mechanisms such as flexible arrangements for remote and hybrid work.
A piece of advice I would give aspiring data regulators and professionals: Firstly, communication skills are a key aspect. It is essential to be a good listener and maintain an open dialogue with different stakeholders, creating opportunities to exchange points of view between regulators, industry, civil society, and academia. It is also necessary to communicate priorities and decisions clearly and effectively.
Secondly, technical skills are crucial. To work with data protection, professionals should be willing to continuously develop a skill set that combines knowledge in different fields such as law, computer science, and economics. For data regulators, this translates into building interdisciplinary teams with opportunities for collaboration between individuals with expertise in different fields.