The effects on local innovation arising from replicating the GDPR into the Brazilian General Data Protection Law
Abstract
Following the implementation of the European General Data Protection Regulation (GDPR), Europe exported its data protection standards to Brazil’s data protection legislation. Besides its manifest aim of providing data privacy rights, the GDPR also fosters economic benefits by incentivising the innovation of privacy-enhancing technologies. Therefore, using a TWAIL-based de-colonising methodology, this research article assesses the effects for innovation in Brazil arising from reproducing the European data regulation. It argues that this replication provided the LGPD with the principles that compel firms to innovate in the Brazilian privacy-enhancing technologies market. However, the Western firms, to the detriment of Brazilian firms, appropriate the resulting economic benefit of innovation because the former excel at introducing and securing technology monopolies in the Brazilian market. To rebalance opportunities for Brazilian firms, this paper advocates implementing local content policy for privacy-enhancing technologies, which requires firms to purchase a portion of their operations’ inputs in the domestic market.Introduction
Rampant personal data collection in a digital world may cause severe consequences for privacy and dignity interests, including unconsented profiling (Kosinski, 2021), algorithmic discrimination (Hakkarainen, 2021) and other manifestations of surveillance capitalism (Zuboff, 2019). Many countries have legally responded to these privacy challenges by enacting data protection regulations that entitle individuals to restrict personal data processing by third parties (Determann, 2018). Furthermore, although data protection regulations explicitly aim to ensure the fundamental right to data privacy, they also change the market structure and the incentives for innovation, revealing an unattended economic function: stimulating innovation of privacy-enhancing technologies.
In 2018, privacy calls led to the implementation of the European General Data Protection Regulation (GDPR). Due to European influence, the GDPR exported European data protection standards to the Brazilian data protection law (LGPD), implemented in 2020. Scholars and practitioners conducted comparative studies between the LGDP and the GDPR concerning the explicit function of protecting data privacy, concluding that both regimes equate rights, scope, unlawful conduct and non-compliance penalties (Erickson, 2018; Lorenzon, 2021). Nonetheless, the comparative scholarship overlooks comparisons between both data protection regimes regarding the unattended function of stimulating innovation. Discussion as to whether and how replicating the European data protection regime into its Brazilian counterpart stimulates regional innovation remains unanswered.
This paper fills this gap and contributes to the intersectional debate between data protection regulations and innovation studies. I argue that replicating principles from the GDPR into the LGPD compels firms to innovate in the Brazilian privacy-enhancing technologies market. Nonetheless, it is Western rather than Brazilian firms that appropriate the consequent economic benefit of innovation as the former has competitive advantages to introduce and secure technological monopolies in the Brazilian market. Ultimately, the inequity of opportunities for domestic firms increases the technological gap between Brazil and the so-called Western world.1 Upon debating how stimulating innovation through data protection regulations favours firms in Western countries, one may think this paper refuses such regulations. This thought keeps with the overspread claim that de-colonising studies draw on nihilism to criticise and refrain from proposing reforms (Gathii, 2011). Fortunately, this paper diverges from this commonplace approach. Instead, it acknowledges the positive effects of such a regime on innovation, and proposes local content policies to rebalance market opportunities for domestic firms.
Five sections follow the introduction. Section 2 contextualises the replication of the GDPR into the LGPD, and highlights the data protection regime’s latent function of fostering innovation. Also, the section presents the methodology, namely Third World Approaches to International Law (TWAIL). Section 3 debates how replicating the GDPR positively impacts innovation in Brazil. Section 4 sheds light on how this innovation stimulation benefits firms located in Western developed countries. Hereafter, the section provides policy advising to address this issue. Finally, section 5 concludes the paper with remarks on how Brazil’s example is a lesson for other Third World2 countries.
Stimulating innovation through data protection regulations
Data protection regulations aim to ensure data privacy for natural persons (Determann, 2018). This objective is known as the manifest function of a law (Merton, 1968) because legislators clearly recognise it in the statute, informing judges on how to interpret the regulation (Michaels, 2016). Nevertheless, legal statutes and regulations often present functions that are unknown to lawmakers or judges. These unintended functionalities are known as the latent functions of law, opposing the manifest function (Merton, 1968). Though previously unrecognisable, latent functions provide researchers with fruitful insights into the studied legal regime, disclosing non-obvious outcomes as well as non-perceived obstacles imposed by the legal subject matter (Michaels, 2016).
Keeping with this distinction of the law’s functionality, scholars assess an interesting latent function of data protection regulations: modulating technological innovation (Zarsky, 2015; Lishout & Emmert, 2018; Li et al., 2019; Bachlechner et al., 2020; Niebel, 2021). More specifically, such regulations impact two technological branches differently: data-driven innovation and data protection innovation. Data-driven innovations consist of “the use of big data to improve production or distribution and better match customer preferences” such as Artificial Intelligence, blockchain and cloud computing. In turn, data protection innovation “creates market value through greater protection of personal data” (Zingales, 2018).
Regarding the first branch, a stricter data protection regulation raises the standards and costs for data processing, hindering new data-driven innovations (Li et al., 2019). Also, big corporations in various economic sectors adopt data monopolies as a core strategy to prevent emerging competitors from accessing the large datasets that function as fuel for data-driven innovation. Incumbent companies, not only in social media but also traditional sectors such as agriculture, have consolidated such practices (Bronson & Sengers, 2022). In this case, data protection regulations incentivise data-driven innovation because they empower data subjects to contest large personal data concentrations through two rights, namely Portability and Erasure Rights (Niebel, 2021).
Concerning the second branch, firms demand more data protection innovation to comply with data protection law (Zarsky, 2015). Also, data protection policies compel firms to stand out from their competitors, encouraging entrepreneurs to innovate and thus demonstrate to their customers that they more effectively protect sensitive data (Bachlechner et al., 2020). Both arguments lead to stimulating data protection innovations known as privacy-enhancing technologies (PETs) (Lishout & Emmert, 2018). Privacy-enhancing technologies are “technological solutions for organisations working towards data protection accountability, compliance and [data protection] risk-assessment and mitigation” such as anonymisation and encryption (IAPP, 2017, p. 6). Not surprisingly, the privacy-enhancing technologies market bourgeons following the worldwide enactment of data protection legislation (Polonetsky & Sparapani, 2021). In 2017, before the introduction of most data protection regulations, 51 privacy technology vendors operated in the worldwide market. This has risen to 365 in 2021 (IAPP, 2021). Furthermore, the data privacy tools market will grow from USD 1 billion in 2020 to almost USD 18 billion in 2028 (Fortune Business Insights, 2021).
Replicating the GDPR into the LGPD
In 2016, data protection calls led to the implementation of the GDPR in the European Union (EU), which came into full effect in 2018 and replaced Directive 95 (Allen et al., 2019). The EU frequently expands its data protection regulations on a global scale and its requirements become a model for data protection in many countries throughout the world (Bygrave, 2021; Greenleaf & Cottier, 2022). In turn, amid the turmoil caused by the Cambridge Analytica case in 2018, Brazil also took the decisive step to implement the Brazilian General Data Protection Law (LGPD), fully implemented in August 2020 – which mimics the European data protection regime (Erickson, 2018).
Legal regimes naturally influence each other (Kennedy, 2003), and data protection regimes are no exception. Therefore, it is not a surprise that Brazil has reproduced the European data protection regime. Nonetheless, GDPR’s influence over its Brazilian counterpart stems from the long-lasting European dominance over the Third World. Scholars emerging from developing countries posit that modern forms of domination over the Third World are a continuation of the previous ones practised in the precolonial and colonial periods (Gathii, 2011). These scholars belong to a political and intellectual movement named Third World Approaches to International Law (TWAIL) (Mutua, 2000).
Firstly, TWAIL scholars claim that after an extensive period of political and economic domination over the Third World during colonisation, the European worldview was entrenched in the imaginary of former colonies by the naturalisation of three invented hierarchies in which Europeans occupy the top rank: knowledge, culture and race (Quijano, 2000). Because Eurocentrism dominates the imaginaries of these countries, the European power lingers even after the destruction of colonisation as a political order (Gathii, 2011). Imaginaries are structures of subjectivity that inform the collective discourse. In turn, social institutions such as the legal corpus, for not existing separately from collective discourses that give meaning to them, are also informed by these imaginaries (Gatens & Lloyd, 1999). Europe embedded its worldview in Third-World legal institutions, and Eurocentric topics command the Third World’s teaching of Law and Governability, disconnecting legal reasoning with local problems (Restrepo & Prieto-Ríos, 2017). Consequently, the Third World sees the European legal system as a role model, and lawmakers there, whenever they face legal claims, will search for legal inspiration in Europe. This mechanism is called emulation, or lesson-drawing (Rose, 1991).
Secondly, replicating European regimes in the Global South takes place through indirect imposition since the EU threatens Third World countries with sanctions if they flout European rules. Therefore, Third-world countries voluntarily transplant exogenous European legal rules into their legislation (Morin & Gold, 2013). Scholars called this the Brussels effect, and it refers to the fact that the EU can expand its legislation across borders and set new standards in international governance, causing “unilateral regulatory globalization” (Bradford, 2020). In the context of data protection regulations, the Brussels effect occurs through economic sanctions, since countries that refuse to comply with minimum European data protection requirements are sanctioned from doing business in the EU (Kuner, 2020). Therefore, the EU expands its data protection standards beyond its borders (Gstrein & Zwitter, 2021)
TWAIL methodological approach and the functional comparative method
The Third World Approach to International Law (TWAIL), as a research methodology, aims to deconstruct the solid structures of Eurocentricity in modern Law, particularly concerning Third-World legislations and reconstructing alternatives to it, accounting for the Global South’s worldview (Escobar, 2008). TWAIL's methodological approach informed this paper’s research through three principles. First, the TWAIL approach historicises the unbalanced relationship between former colonies and colonising countries and uses it as a lens to analyse current issues in law scholarship (Burgis-Kasthala, 2016). Therefore, it perfectly fits this research, which accounts for the subaltern relationship between Brazil and European countries in replicating data protection regimes. Secondly, the TWAIL approach embraces that transdisciplinarity allows for learning (Mickelson, 1998). Thus, this essay keeps with this principle by using the theoretical framework of innovation studies to explain the causal relations between data protection regulation and the firms’ innovative performance. Third, the TWAIL methodology posits that scholars should suspect universalising narratives (Burgis-Kasthala, 2016), a principle which is followed by this paper upon contesting that the EU model is per se the ultimate efficient version of data protection regulation to the entire world.
This essay assesses the effect on local innovation arising from reproducing the GDPR into the LGPD by comparing the commonalities and divergences between both regimes using doctrinal law through primary sources, which are: on the EU’s side, the European Data Protection directive 2016/679 (EU, 2016), which settled the GDPR; on Brazil’s end, the LGPD (General Personal Data Protection Law, 2018) and the LGPD’s Guide to good practice (Ministério da Gestão e da Inovação em Serviços Públicos, 2020). The comparison between both regimes draws on the function of stimulating innovation; therefore, this research uses the functional method (Kennedy, 2003).
Beyond the legal comparison between both regimes, this paper uses non-doctrinal non-legal resources to debate the exportation of European innovation values to Brazil: The OECD Oslo Manual (OECD & Eurostat, 2018), the OECD Patent Statistics Manual 2009 (OECD, 2009), the WIPO Global Innovation Index 2021 (WIPO, 2021), the LGPD (General Personal Data Protection Law, 2018) and the Brazilian Digital Transformation Strategy (Ministério da Ciência, Tecnologia, Inovações e Comunicações, 2018).
Evidence of innovation stimulation relies on market reports: the Privacy Tech Vendors Report 2021 (IAPP, 2021), from the International Association of Privacy Professionals (IAPP); 2021 Data Privacy Benchmark Study, from CISCO; the 2021 Brazilian Software Market: scenario and trends (ABESS, 2021), from the Brazilian Association of Software companies; and the Worldwide Data Privacy Management Software 2021 (IDC, 2021), from IDC.
Stimulating privacy-enhancing innovation in Brazil
This section identifies that the reproduction of the GDPR into the LGPD stimulates privacy-enhancing innovation in Brazil through two different mechanisms: The openness of the purpose limitation principle and the requirement for the state of the art in the data protection by design principle.
The openness of the purpose limitation principle
GDPR’s article 5 establishes an important principle concerning data processing: purpose limitation. This principle requires that personal data must be collected “for specified, explicit, and legitimate purposes, and not be processed further in a manner incompatible with those purposes” (EU, 2016, art. 5). The principle shifts the costs from data subjects to entrepreneurs, because individuals avoid privacy-threatening data processing while entrepreneurs are vetoed from using customers’ data for purposes unanticipated at its collection (von Grafenstein, 2018). However, as data-driven innovation depends on new unforeseen insights over the same available resources, the purpose limitation principle hinders innovation (von Grafenstein, 2018).
The conundrum of data protection regimes hampering innovation mirrors the overspread concept that public regulations and innovation are opposing actors. However, Michael Porter and Claas van der Linde contested this opposition in the so-called Porter Hypothesis. These authors heavily drew on the environmental regulations landscape to posit that regulations may incentivise rather than hinder innovation (Porter & van der Linde, 1995). They argue that neoclassical economics’ mainstream analysis of the dichotomy regulation versus innovation relies on a very static concept, ignoring competition as a dynamic framework. Entrepreneurs disregard all profit-increasing possibilities when regulations are implemented, and innovation can move the for-profit boundaries (Porter & van der Linde, 1995). This seems to be the case for privacy-enhancing technologies, whose market has flourished since the implementation of data protection regulations.
Porter and van der Linde advocate two principles that should drive well-designed regulations to foster innovation. Firstly, regulations should stimulate non-specific technological advancement rather than focusing on one particular type of technology. Therefore, regulations’ aim should be open enough to allow entrepreneurs to choose the most convenient technological path to accomplish it. Secondly, regulations should avoid misleading requirements and be able to legislate over not-yet invented technologies (Porter & van der Linde, 1995). Well-crafted for-innovation regulations should be able to catch up with emerging technologies since the enactment or amendments of laws take time in a democratic economy. This future-proof feature is particularly important for the fast-paced branch of information technology (Hildebrandt & Tielemans, 2013).
The GDPR fits both requirements of well-crafted public regulation for innovation (Niebel, 2021). First, the GDPR does not require any specific technology to accomplish the principle of purpose limitation. The principle’s openness leaves room for diverse privacy-enhancing technical solutions, allowing entrepreneurs to choose the best solution on their own terms (von Grafenstein, 2018). Secondly, the GDPR set the European Data Protection Board (EDPB), who guides the interpretation of the GDPR and has already published more than 172 recitals on clarifying principles and concepts entrenched by the GDPR. The board’s guidance circumvents confusing requirements on emerging technologies, providing the GDPR with a future-proof feature.
As expected by the Porter hypothesis, evidence of the GDPR’s positive effects on innovation flourishes. 73% of GDPR-complying firms have bolstered their innovative performance (CISCO, 2021). Furthermore, there is a strong connection between new firms’ entry rates and innovative performance in the high-technology sectors, specifically that innovation can be proxied by assessing these entry rates in the markets (Foster et al., 2018). Given this, since the implementation of the GDPR in 2016, EU-based privacy-enhancing technology firms made a quantum leap from 43 to 148 (IAPP, 2021).
Upon transplanting the main values of the GDPR, Brazil’s LGPD also abides by the two requirements of the Porter hypothesis for innovation-stimulating public regulations. Firstly, LGPD’s article 63 sets the principle of purpose limitation with a GDPR-like wording. LGPD’s article 6 reproduces the openness of the purpose limitation principle, not requiring any specific technology to accomplish its goal. Therefore, like GDPR, the article leaves it to innovators to decide the best technical solution to accomplish the purpose limitation principle. Secondly, in 2020 the LGPD implemented the Brazilian Authority for data protection (ANPD, in the Portuguese acronym) (Ministério da Gestão e da Inovação em Serviços Públicos, 2020). The ANPD accounts for “overseeing, implementing and supervising compliance with this Law throughout the national territory” (General Personal Data Protection Law, 2018, art. 5). Since then, the authority has already published guiding documents to elucidate the LGPD’s principles and rights, mitigating misleading information about incumbent and emerging technologies. Most importantly, the ANPD only legislates over basic standards, highlighting that the authority will not set standards on specific technologies (General Personal Data Protection Law, 2018, art. 2). Therefore, the ANPD fits the objective to clarify the regulations and ensure the future-proof feature of the Brazilian data protection regime without limiting it to specific technological paths.
The state-of-the-art requirement in the principle of data protection by design
GDPR’s article 25 introduced a pioneer principle concerning data privacy regulations: Data Protection by design.4 The principle requires innovators to add technical data protection features when conceiving data processing technologies. Therefore, data controllers must incorporate data protection principles from the beginning of technological development (EU, 2016, recital 78). Furthermore, the GDPR informs the conditions for applying the principle: “Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing […]” (EU, 2016, art. 25, italics added). The Oxford Dictionary defines state of the art as “the most recent stage in the development of a product, incorporating the newest technology, ideas, and features”. Upon being forced to consider the state of the art, data processors must implement the best available techniques in designing new data-treatment technologies. Consequently, introducing data protection by design compels European firms to innovate in the privacy-enhancing market to exploit regulation opportunities (Hildebrandt & Tielemans, 2013); firms increase their innovative efforts to commercialise privacy-enhancing technologies and sell state-of-the-art privacy-enhancing solutions to data processors (von Grafenstein, 2018).
The European data protection legislation inspired Brazil’s LGPD to incorporate a privacy-by-design-like principle.5 Although avoiding the term Data Protection by design, LGPD’s article 46 advocates that data protection “must be observed from the product or service conception phase until its execution” (General Personal Data Protection Law, 2018, art. 46). Likewise, the LGPD considers the current state of technology, a synonym for state of the art, as a requirement for article 46 (General Personal Data Protection Law, 2018, art. 46). Furthermore, to reinforce the argument that the principle of privacy by design was replicated from the GDPR into the Brazilian legislation, the LGPD’s Guide for good practice, launched by the Federal Committee of Data Governance, explicitly quotes the term privacy by design from the European regulation to explain the principle under the LGPD’s article 46 (Ministério da Gestão e da Inovação em Serviços Públicos, 2020, p. 50). Therefore, like the European compliant firms, Brazilian entrepreneurs must introduce cutting-edge data protection technical solutions to data-treatment technologies, compelling entrepreneurs to develop state-of-the-art innovations and exploit the Brazilian privacy-enhancing market.
This section has theoretically demonstrated that replicating the GDPR’s principles into the LGPD fosters privacy-enhancing innovation in Brazil. In fact, empirical evidence points in the same direction: because of the LGPD firms bolstered efforts towards innovative privacy-enhancing technologies, 2021 spending on security solutions surpassed USD 900 million in Brazil, a yearly increase of 12.5% (ABESS, 2021). Also, before implementing the Brazilian law, no privacy technology vendor company operated in Brazil, but it skyrocketed to 17 in 2021 (IAPP, 2021).
Therefore, at least on a superficial level, one may conclude that looking beyond Brazil’s borders to the European territory when facing data privacy legal challenges seemed righteous to Brazilian policy makers. However, we must deepen this paper’s analysis to address what firms benefit from this regulation-based innovation stimulation. Does replicating the GDPR into the LGPD foster privacy-enhancing innovation for domestic firms in Brazil?
Western firms appropriating the benefits of the Brazilian privacy-enhancing technologies market
Section 4 extrapolates the analysis that reproducing European principles yields positive results in stimulating privacy-enhancing technologies in Brazil. This section argues that Western firms appropriate the economic benefits of the Brazilian privacy-enhancing technologies market to the detriment of Brazilian firms. The first part of the section posits that because Western firms have better access to knowledge and innovation funding they excel at introducing new privacy-enhancing technologies in emerging markets. The second part advocates that after introducing new technologies Western firms can secure technological monopolies through the Western-based Intellectual Property system. The last part demonstrates the hegemony of Western firms in the Brazilian market and proposes local content policies to address the inequity of opportunities for domestic firms.
Advantage to introduce privacy-enhancing technologies
Western countries, in general, have high economic development levels, drawing on high-value goods and services that require high human capital and technology, known as knowledge-intensive industries (Malerba & McKelvey, 2020). The West has significant worldwide competitive advantages in knowledge-intensive industries, particularly in Computer and information services (Wyszkowska-Kuna, 2016).
On the other side, Third-world countries focus their economic activity on less knowledge-intensive sectors related to natural resources. These sectors add less value to outputs and disfavour exchange relations, reflecting the Third World’s economic underdevelopment (Cassiolato & Lastres, 2000). It is generally acknowledged that fostering technological innovation increases a country’s international competitiveness, leading to economic development (Fagerberg et al., 2010). Therefore, a common solution to the Third Worlds’ underdevelopment relies on incentivising domestic technological innovation to catch up with central economies.
The Privacy-enhancing technologies sector, a branch of Computer and information services, is a knowledge-intensive industry because its innovative efforts draw on software developers and their know-how. The emerging market of privacy-enhancing technologies creates economic opportunities for countries that succeed to invest technologies in it, and Brazil’s market has already reached USD 3 billion (ABESS, 2021). Therefore, by incentivising domestic firms’ innovation, Brazil could increase its privacy-technology firms’ competitiveness and appropriate this market’s economic benefits, diminishing the technological distance to developed Western countries. Nonetheless, innovating in knowledge-intensive industries depends on two conditions that are more favourable to Western firms: access to knowledge and access to innovation funding (Malerba & McKelvey, 2020).
First, to develop high technology innovation, firms must seek knowledge from external sources such as universities, organisations, governments and stakeholders (Malerba & McKelvey, 2020). Therefore, access to knowledge bolsters firms’ innovative capabilities in high-technology sectors such as privacy-enhancing technologies (Choi et al., 2021). These knowledge sources, as well as the ease of access to them, closely relate to the country where the firm is based (Malerba & McKelvey, 2020). Western developed countries demonstrate much higher levels of knowledge (Fagerberg et al., 2018) and the absorptive capabilities to tap into this knowledge stemming from their high human capital (Wagner and Leydesdorff, 2005). Briefly, firms in Western developed countries manage to competently interconnect with such external sources of knowledge to innovate, overcoming Third-World countries (Asim & Sorooshian, 2019). Secondly, any new firm’s project entails inherent risks, but technical innovation projects involve additional uncertainties (Freeman & Soete, 1997). To overcome the risks inherent to the innovative process, firms require special funding instruments, such as venture capital (Kim & Park, 2017). The more access to venture capital, the better it is for knowledge-intensive innovative firms. Western countries rank higher in venture capital’s international landscape: developed EU countries, the UK, the US and Canada rank among the top 20 in market sophistication and innovation investment. In turn, the Third World lags behind, in fact Brazil ranks 75th among 132 countries (WIPO, 2021). Consequently, venture capitalists target Western developed economies rather than the Third World as they prefer more sophisticated and reliable capital markets (Devigne et al., 2018). This poses considerable difficulties for entrepreneurs in the Third World to access venture capital. For instance, Western privacy technology leaders have received significant funds over the last few years: OneTrust, more than USD 510 million in 2021; BigID: USD 165 million; Securiti.ai: USD 50 million; and WireWheel: USD 23.6 million. Therefore, Western privacy-enhancing technology firms have more access to using venture capital to fund innovative activities and introduce new technologies to the world.
Securing technological monopolies in the Brazilian market
The charmed circle of the Organisation for Economic Cooperation and Development (OECD) represents the West’s interests, embedding Western values in their international manuals (Kuhlmann & Ordóñez-Matamoros, 2017). Regarding innovation, the OECD advocates that intellectual property rights, upon conferring a temporary exploitation monopoly of the protected invention, compels inventors to invest in technological development because they will appropriate the economic benefits of their invention (OECD, 2009). OECD countries materialised their interest in establishing a worldwide intellectual property system by requiring countries to sign the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS) to participate in the World Trade Organisation (WTO). TRIPS, created in 1994, sets minimum intellectual property requirements that countries should implement in their national legislation. By 2022, 164 countries signed the TRIPS; Brazil implemented its TRIPs-complying industrial property law in 1995.
Through the TRIPS, the global North set Western-based standards for intellectual property worldwide (Chimni, 2006), and TWAIL scholars have strongly critiqued the implications of intellectual property rules towards the third World. A global intellectual property system permits Western firms to possess intellectual property over their inventions in any WTO signatory country, securing global properties (Braithwaite & Drahos, 2000). Furthermore, it allows Western firms to accumulate multiple patents on a specific technology in the global market. Consequently, domestic firms in the Third World face market entry barriers because some of their products and services rely on these technologies, which are protected by multiple patents. This entry barrier, known as patent thickets, decreases the entry of new firms, particularly in technological fields such as the Privacy-enhancing technologies market (Hall et al., 2021).
Through the multiple patents that block competition from domestic firms, Western firms, who already have advantages in introducing privacy-enhancing technologies to emerging markets, can secure technological monopolies. As an example, OneTrust, the world leader in privacy-enhancing tools and the fastest-growing company in America, relies on more than 200 different patents to secure the technological monopoly of its privacy management platform (OneTrust, 2022).
Furthermore, to reinforce the OECD’s value that patents incentivise innovation and legitimise a global intellectual property system, the organisation has been advocating for the use of patents as an innovation indicator since the 1970s; the latest revised document being the OECD Patent Statistics Manual 2009 (OECD, 2009). For the OECD, by default, patents measure innovation output. Also, the highly influential OECD Oslo Manual advocates that good innovation is what is new to the world. Following this, international indicators, notably the Global Innovation Index from the World International Property Organisation, reproduced this OECD’s value. Therefore, the West set western-based universalised standards on what is good innovation and how to measure it through patents.
Reproducing Western innovation policies is a common practice in the Third World, and it is also called isomorphism. In Latin America, countries reproduced theoretical frameworks suitable for applying to developed OECD countries that did not account for the region’s own particularities (Vasel, 2011; Delvenne & Thoreau, 2017). Brazil is not an exception. Beyond implementing the TRIPS, the country has replicated the Western-based model of measuring innovation output through the patent count in its innovation policy for privacy-enhancing technologies.
Two policy documents guide the Brazilian innovation policy for privacy-enhancing technologies: the LGPD and the Brazilian Digital Transformation Strategy (Digital strategy). The digital strategy, a trans-ministerial policy document, aims to offer a broad diagnosis of the challenges to be faced, strategic actions and indicators to monitor the progress in accomplishing an effective digital transformation in Brazil. Both documents praise “the economic and technological development and innovation” (General Personal Data Protection Law, 2018, art. 2).
The digital strategy states that “[…] as a reference, existing and consolidated international indicators such as the Global Innovation Index can be used” (Ministério da Ciência, Tecnologia, Inovações e Comunicações, 2018, p. 36). Consequently, the digital strategy relies on patent applications to evaluate the strategy’s effectiveness and to diagnose the privacy-enhancing innovation landscape. Also, under the section diagnosis of the Digital strategy, the document states that “[i]t should be noted that in technologically dynamic sectors, such as the information and communication technologies sector, where the degree of obsolescence of technologies is high, the agility in the process of patent registration assumes central importance” (Ministério da Ciência, Tecnologia, Inovações e Comunicações, 2018, p. 33), which reinforces the idea that intellectual property protection equates with innovation and should be incessantly pursued.
The isomorphism of Western-based concepts of innovation undermines Brazilian innovative activity since the principle of new-to-the-world and patent as a measure for innovation places barriers to regional and non-world-class technologies developed in the country and legitimates an intellectual property system that allows for Western firms to dominate emerging markets through multiple patent monopolies.
Local content policies
The spread of EU data protection standards to the world incentivises data protection innovation and facilitates a worldwide market for privacy-enhancing technologies (Niebel, 2021). Nonetheless, different countries yield different results depending on their competitive advantages to introduce and secure privacy-enhancing technologies. As expected, Western firms are prevalent in the privacy-enhancing technologies market, representing almost half of all companies, while third-world firms represent an insignificant part of it (IAPP, 2021). Seven Western firms hold more than 70% of the Worldwide privacy software market share: OneTrust (US), Collibra (US), TrustArc (US), BigID (US), Securiti.ai (US), Exterro (US) and WireWheel (US) (IDC, 2021).
In the Brazilian market, western firms dominate. Western firms operating in Brazil increased from zero to 17 in 2021, largely outnumbering the four domestic firms: Modulo Security, Privally, Rocket.Chat and Privacy Tools (IAPP, 2021). Innovation in the privacy-enhancing technologies sector accumulates wealth in the hands of a few Western countries. The winner(s) take(s) it all. The Western dominance in the Brazilian market keeps with the scenario of the Brazilian IT market: International companies hold more than 70% of the software industry market share (ABESS, 2022, p. 10).
There is an inequality of opportunities between domestic and foreign firms in accessing the Brazilian privacy-enhancing market. Unequal market opportunities between domestic and foreign firms advance the technological gap between the Global North and South (Soares & Podcameni, 2018). The laissez-faire market fails to accomplish a rebalance for domestic firms. As a solution, this paper argues that the Brazilian legislator should introduce local content requirements for privacy-enhancing technologies.
Local content policies require that companies, to operate in the country, should purchase a portion of their operations’ inputs in the domestic market (OECD, 2015). By creating a forced demand for domestic products, local content policies strengthen the domestic market and develop high-potential technology-intensive domestic firms (Confederação Nacional da Indústria [CNI], 2017). Consequently, they foster technological development as well as the technological know-how of domestic firms (Qiu e Tao, 2001). Local content policies also create national champions, which are national companies that produce local technology and eventually export their products (Veloso, 2006). Local content requirements have already effectively bolstered innovation in many sectors in Brazil. The most advanced discussion on the impact of local content policies on innovation in Brazil relates to the Gas and Oil sector. Due to the inequality of opportunities between national and international companies, the National Oil Agency (ANP), since 1999, has implemented local content policies to rebalance the opportunities, with minimum local content percentages required, ranging between 60% and 85% (Piquet et al., 2016). Furthermore, the local content policy fostered a surge in new domestic firms in the Eolic sector after its implementation (Rennkamp et al., 2020). Furthermore, local content policies revitalised the Brazilian Naval sector in the years after 2000 (Pereira et al., 2021).
Likewise, local content policies may boost the Brazilian privacy-enhancing technology market for domestic firms. Local content requirements for privacy-enhancing technologies could be applied through auctions such as the local content requirements in the Oil and Gas sector. The government could set percentages in the bid process, requiring a certain percentage of firms’ costs to be represented by domestically developed privacy-enhancing technologies. Further research is necessary to assess these percentages because, if too high, they may increase the price of the technology required, while if too low, it may not accomplish the proposed goals of developing the national privacy-enhancing technologies industry.
Conclusion
Reproducing the GDPR into the LGPD stimulates privacy-enhancing technologies in the Brazilian market by providing principles that compel entrepreneurs to innovate. Nonetheless, it is Western firms rather than domestic firms who have taken over the Brazilian market. First, the Western firms benefit from better access to knowledge within their national innovative environment. Second, they have easier access to venture capital, facilitating knowledge-intensive innovation, such as privacy-enhancing technologies. Finally, the West exports their innovation metrics, legitimating a Western-based intellectual property system; ultimately, it allows room for Western firms to secure technological monopolies in Brazil by means of patent thickets. Therefore, although this paper posits data protection regulation as a significant innovation policy for privacy-enhancing technologies, it has different effects on countries depending on their competitive advantages to develop new technologies.
All this being said, to increase opportunities for domestic firms and decrease the technological gap between industrialised Western countries and Brazil, local content requirements for privacy-enhancing technologies should be implemented. Brazil should critique the reproduction of data protection regulations from Western countries. The country must reflect on whether such transplants fit local specificities. Although promoting innovation is one of the principles of the Brazilian data protection regime, it is not clear what Brazil's objectives are in stimulating innovation through its data protection Law. Is it to tackle internal problems, such as technological underdevelopment? Social inequality and poverty? What has been shown so far is that, upon transplanting the European model, it tends to increase the technological gap between Brazil and Western Countries, increasing global technological inequality. Luckily, I hope this article may compel students and activists to address the right problems for Brazil such as the abyssal technological gap between the South and Global North.
Finally, to do business in Brazil, the largest Latin American economy, neighbouring countries will abide by Brazilian data protection norms, setting a domino effect that will export GDPR standards to the entire Third World. Therefore, this essay may expand its insights to other parts of Latin America and the Global South, inspiring solutions to the inequity of opportunities for domestic firms in these countries.
Acknowledgements
I thank Elizabeth Judge, Professor in the Faculty of Law, Common Law Section at the University of Ottawa, for her comments that greatly improved the manuscript.
References
ABESS. (2021). Brazilian software market: Scenario and trends 2021 (pp. 1–39) [Report]. Associação Brasileira das Empresas de Software. https://abessoftware.com.br/wp-content/uploads/2021/08/ABES-EstudoMercadoBrasileirodeSoftware2021v02.pdf
ABESS. (2022). Brazilian Software Market: Scenario and trends 2022 (pp. 1–29) [Report]. Associação Brasileira das Empresas de Sof- tware. https://abes.com.br/en/download/51169/
Allen, D., Berg, A., Berg, C., & Potts, J. (2018). Some economic consequences of the GDPR. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.3160404
Aoki, K. (2000). Space invaders: Critical geography, the Third World in international law and critical race theory. Villanova Law Review, 45(5), 913–957.
Asim, Z., & Sorooshian, S. (2019). Exploring the role of knowledge, innovation and technology management (KNIT) capabilities that influence research and development. Journal of Open Innovation: Technology, Market, and Complexity, 5(2), 21. https://doi.org/10.3390/joitmc5020021
Bachlechner, D., van Lieshout, M., & Timan, T. (2020). Privacy as Enabler of Innovation. In M. Friedewald, M. Önen, E. Lievens, S. Krenn, & S. Fricker (Eds.), Privacy and identity management. Data for better living: AI and privacy(Vol. 576, pp. 3–16). Springer International Publishing. https://doi.org/10.1007/978-3-030-42504-3_1
Blancheton, B., & Chhorn, D. (2019). Export diversification, specialisation and inequality: Evidence from Asian and Western countries. The Journal of International Trade & Economic Development, 28(2), 189–229. https://doi.org/10.1080/09638199.2018.1533032
Bradford, A. (2020). The Brussels effect: How the European Union rules the world (1st ed.). Oxford University Press. https://doi.org/10.1093/oso/9780190088583.001.0001
Braithwaite, J., & Drahos, P. (2000). Global business regulation. Cambridge University Press. https://www.amazon.com/Global-Business-Regulation-John-Braithwaite/dp/0521784999
Bronson, K., & Sengers, P. (2022). Big tech meets big Ag: Diversifying epistemologies of data and power. Science as Culture, 31(1), 15–28. https://doi.org/10.1080/09505431.2021.1986692
Burgis-Kasthala, M. (2016). Scholarship as dialogue? TWAIL and the politics of methodology. Journal of International Criminal Justice. https://doi.org/10.1093/jicj/mqw044
Bygrave, L. A. (2021). The ‘Strasbourg Effect’ on data protection in light of the ‘Brussels Effect’: Logic, mechanics and prospects. Computer Law & Security Review, 40, 105460. https://doi.org/10.1016/j.clsr.2020.105460
Cassiolato, J. E., & Lastres, H. M. M. (2000). Local systems of innovation in Mercosur countries. Industry and Innovation, 7(1), 33–53. https://doi.org/10.1080/713670250
Chimni. (2006). Third world approaches to international law: A manifesto. International Community Law Review, 8(1), 3–27. https://doi.org/10.1163/187197306779173220
Choi, S.-K., Han, S., & Kwak, K.-T. (2021). Innovation capabilities and the performance of start-ups in Korea: The role of government support policies. Sustainability, 13(11), 1–14. https://doi.org/10.3390/su13116009
CISCO. (2021). Data privacy benchmark study. Forged by the pandemic: The age of privacy (pp. 1–21) [Study]. https://www.cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/cisco-privacy-benchmark-study-2021.pdf
Confederação Nacional da Indústria. (2017). Políticas de Conteúdo Local: Experiências Internacionais Recentes (pp. 1–84) [Report]. Confederação Nacional da Indústria (CNI). https://static.portaldaindustria.com.br/media/filer_public/7e/a9/7ea99d2b-f2ad-428f-af2b-2afa951e5df3/cni_politicas_de_conteudo_local_web.pdf
Delvenne, P., & Thoreau, F. (2017). Dancing without listening to the music: Learning from some failures of the ‘national innovation systems’ in Latin America. In S. Kuhlmann & G. Ordóñez-Matamoros, Research handbook on innovation governance for emerging economies (pp. 37–58). Edward Elgar Publishing. https://doi.org/10.4337/9781783471911.00007
Determann, L. (2018). No one owns data. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.3123957
Devigne, D., Manigart, S., Vanacker, T., & Mulier, K. (2018). Venture capital internationalization: Synthesis and future research directions. Journal of Economic Surveys, 32(5), 1414–1445. https://doi.org/10.1111/joes.12276
Erickson, A. (2018). Comparative analysis of the EU’s GDPR and Brazil’s LGPD: Enforcement challenges with the LGPD. Brooklyn Journal of International Law, 44(2), 859–888.
Escobar, A. (2008). Territories of difference: Place, movements, life, redes. Duke University Press.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), 2016/679 (2018). https://eur-lex.europa.eu/eli/reg/2016/679/oj
Fagerberg, J., Lundvall, B.-Å., & Srholec, M. (2018). Global lalue chains, national innovation systems and economic development. The European Journal of Development Research, 30(3), 533–556. https://doi.org/10.1057/s41287-018-0147-2
Fagerberg, J., Srholec, M., & Verspagen, B. (2010). Innovation and economic development. In Handbook of the economics of innovation (Vol. 2, pp. 833–872). Elsevier. https://doi.org/10.1016/S0169-7218(10)02004-6
Fortune Business Insights. (2021). Global market analysis. Insights and forecast, 2017-2028 [Report]. Fortune Business Insights.
Foster, L., Grim, C., Haltiwanger, J., & Wolf, Z. (2018). Innovation, productivity dispersion, and productivity growth(Working Paper No. w24420; p. w24420). National Bureau of Economic Research. https://doi.org/10.3386/w24420
Freeman, C., & Soete, L. (1997). The economics of industrial innovation (3rd ed). The MIT Press.
Gatens, M., & Lloyd, G. (1999). Collective imaginings: Spinoza, past and present. Routledge.
Gathii, J. T. (2011). TWAIL: A brief history of its origins, its decentralized network, and a tentative bibliography. Trade, Law and Development, 3(1), 26–64.
Greenleaf, G., & Cottier, B. (2022). International and regional commitments in African data privacy laws: A comparative analysis. Computer Law & Security Review, 44, 105638. https://doi.org/10.1016/j.clsr.2021.105638
Gstrein, O. J., & Zwitter, A. J. (2021). Extraterritorial application of the GDPR: Promoting European values or power? Internet Policy Review, 10(3). https://doi.org/10.14763/2021.3.1576
Hakkarainen, J. (2021). Naming something collective does not make it so: Algorithmic discrimination and access to justice. Internet Policy Review, 10(4). https://doi.org/10.14763/2021.4.1600
Hall, B. H., Graevenitz, G. von, & Helmers, C. (2021). Technology entry in the presence of patent thickets. Oxford Economic Papers, 73(2), 903–926. https://doi.org/10.1093/oep/gpaa034
Hildebrandt, M., & Tielemans, L. (2013). Data protection by design and technology neutral law. Computer Law & Security Review, 29(5), 509–521. https://doi.org/10.1016/j.clsr.2013.07.004
IAPP. (2017). Privacy tech vendor report 2017 (pp. 1–67) [Report]. IAPP. https://iapp.org/media/pdf/resource_center/2017TechVendorReport.pdf
IAPP. (2021). Privacy tech vendor report 2021 (pp. 1–242) [Report]. IAPP. https://iapp.org/media/pdf/resource_center/2021TechVendorReport.pdf
IDC. (2021). IDC MarketScape: Worldwide data privacy management software 2021 vendor assessment [Report]. https://www.onetrust.com/resources/idc-marketscape-2021/?utm_source=blog&utm_medium=onetrust&utm_campaign=idcmarketscape2021&utm_term=idcmarketscape2021
Kennedy, D. (2003). The methods and the politics. In P. Legrand & R. Munday (Eds.), Comparative legal studies: Traditions and transitions (1st ed., pp. 345–434). Cambridge University Press. https://doi.org/10.1017/CBO9780511522260.011
Kim, J. Y. (Rose), & Park, H. D. (2017). Two faces of early corporate venture capital funding: Promoting innovation and inhibiting IPOs. Strategy Science, 2(3), 161–175. https://doi.org/10.1287/stsc.2017.0032
Kosinski, M. (2021). Facial recognition technology can expose political orientation from naturalistic facial images. Scientific Reports, 11(1), 1–7. https://doi.org/10.1038/s41598-020-79310-1
Kuhlmann, S., & Ordóñez-Matamoros, G. (2017). Introduction: Governance of innovation in emerging countries: Understanding failures and exploring options. In S. Kuhlmann & G. Ordóñez-Matamoros, Research handbook on innovation governance for emerging economies (pp. 1–34). Edward Elgar Publishing. https://doi.org/10.4337/9781783471911.00005
Kuner, C. (2020). Article 44. General principle for transfers. In C. Kuner, L. A. Bygrave, C. Docksey, & L. Drechsler (Eds.), The EU General Data Protection Regulation (GDPR): A commentary (pp. 755–770). Oxford University Press. https://doi.org/10.1093/oso/9780198826491.003.0084
Li, H., Yu, L., & He, W. (2019). The impact of GDPR on global technology development. Journal of Global Information Technology Management, 22(1), 1–6. https://doi.org/10.1080/1097198X.2019.1569186
Lorenzon, L. N. (2021). ANÁLISE COMPARADA ENTRE REGULAMENTAÇÕES DE DADOS PESSOAIS NO BRASIL E NA UNIÃO EUROPEIA (LGPD E GDPR) E SEUS RESPECTIVOS INSTRUMENTOS DE ENFORCEMENT. E Seus Respectivos Instrumentos de Enforcement. Revista do Programa de Direito da União Europeia, 1, 39–52.
Malerba, F., & McKelvey, M. (2020). Knowledge-intensive innovative entrepreneurship integrating Schumpeter, evolutionary economics, and innovation systems. Small Business Economics, 54(2), 503–522. https://doi.org/10.1007/s11187-018-0060-2
Merton, R. K. (1968). Social theory and social structure. Free Press.
Michaels, R. (2006). The functional method of comparative law. In M. Reimann & R. Zimmermann (Eds.), The Oxford handbook of comparative law (pp. 339–382). Oxford University Press. https://doi.org/10.1093/oxfordhb/9780199296064.013.0011
Mickelson, K. (1998). Rhetoric and rage: Third World voices in international legal discourse. Wisconsin International Law Journal, 16(2), 353–419.
Ministério da Ciência, Tecnologia, Inovações e Comunicações. (2018). Estratégia Brasileira para a Transformação Digital [Strategy]. https://www.gov.br/mcti/pt-br/centrais-de-conteudo/comunicados-mcti/estrategia-digital-brasileira/estrategiadigital.pdf
Ministério da Gestão e da Inovação em Serviços Públicos. (2020). Guia de Boas Práticas – Lei Geral de Proteção de Dados (LGPD) [Guidelines]. https://www.gov.br/governodigital/pt-br/seguranca-e-protecao-de-dados/guias/guia_lgpd.pdf
Morin, J.-F., & Gold, E. R. (2013). An integrated model of legal transplantation: The diffusion of intellectual property law in developing countries. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.2335531
Mutua, M. (2000). What is TWAIL? 94 Proceedings of the ASIL Ann. Meeting 31, 94, 31–38. https://doi.org/10.1017/S0272503700054896
Niebel, C. (2021). The impact of the general data protection regulation on innovation and the global political economy. Computer Law & Security Review, 40, 105523. https://doi.org/10.1016/j.clsr.2020.105523
OECD (Ed.). (2009). OECD patent statistics manual. OECD. https://www.oecd.org/sti/inno/oecdpatentstatisticsmanual.htm
OECD. (2015). Local-content requirements in the solar- and wind-energy global value chains. In OECD, Overcoming barriers to international investment in clean energy (pp. 47–87). OECD. https://doi.org/10.1787/9789264227064-6-en
OECD & Eurostat. (2018). Oslo Manual 2018: Guidelines for collecting, reporting and using data on innovation (4th edition). OECD. https://doi.org/10.1787/9789264304604-en
OneTrust. (2022). About us. The market-defining leader for trust intelligence. OneTrust. https://www.onetrust.com/company/about-us/
Pereira, E. G., Baleroni, R. B., Delgado, F., Duncan de Miranda, J. V., Koenck, A., & Neves, P. H. (2021). Local content and sustainable development in Brazil. In D. S. Olawuyi (Ed.), Local content and sustainable development in global energy markets (pp. 300–319). Cambridge University Press. https://www.cambridge.org/core/books/local-content-and-sustainable-development-in-global-energy-markets/local-content-and-sustainable-development-in-brazil/45448876D857D1CBFC729186E1A375FD
Piquet, R. P., Hasenclever, L., & Shimoda, E. (2016). O desenvolvimento e a política de conteúdo local na indústria petrolífera: Visões divergentes. Revista Tecnologia e Sociedade, 12(24). https://doi.org/10.3895/rts.v12n24.3194
Polonetsky, J., & Sparapani, T. (2021). A review of the privacy-enhancing technologies software market. IEEE Security & Privacy, 19(6), 119–122. https://doi.org/10.1109/MSEC.2021.3108295
Porter, M. E., & van der Linde, C. (1995). Toward a new conception of the environment-competitiveness relationship. Journal of Economic Perspectives, 9(4), 97–118. https://doi.org/10.1257/jep.9.4.97
General Personal Data Protection Law, No 13.709 (2018). https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm
Qiu, L. D., & Tao, Z. (2001). Export, foreign direct investment, and local content requirement. Journal of Development Economics, 66(1), 101–125. https://doi.org/10.1016/S0304-3878(01)00157-2
Quijano, A. (2000). Coloniality of power, eurocentrism, and Latin America. Nepantla: Views from South, 1(3), 533–580.
Rajagopal, B. (1999). Locating the Third World in cultural geography. Third World Legal Studies, 15(2), 1–20.
Rennkamp, B., Westin, F. F., & Grottera, C. (2020). Política de conteúdo local e incentivos financeiros no mercado de energia eólica no Brasil. In Investimentos transformadores para um estilo de desenvolvimento sustentável: Estudos de casos de grande impulso (Big Push) para a sustentabilidade no Brasil (pp. 185–200). CEPAL. https://repositorio.cepal.org/handle/11362/45598
Rose, R. (1991). What is lesson-drawing? Journal of Public Policy, 11(1), 3–30. https://doi.org/10.1017/S0143814X00004918
Soares, M. C. C., & Podcameni, M. G. (2018). Inequality, innovation system and development: The Brazilian experience. In M. Scerri, M. C. C. Soares, & R. Maharajh (Eds.), Inequality and development challenges: BRICS national systems of innovation. Routledge India.
Veloso, F. M. (2006). Understanding local content decisions: Economic analysis and an application to the automotive industry. Journal of Regional Science, 46(4), 747–772. https://doi.org/10.1111/j.1467-9787.2006.00476.x
von Grafenstein, M. (2018). The principle of purpose limitation in data protection laws: The risk-based approach, principles, and private standards as elements for regulating innovation (1st edition). Nomos.
Wagner, C. S., & Leydesdorff, L. (2005). Network structure, self-organization, and the growth of international collaboration in science. Research Policy, 34(10), 1608–1618. https://doi.org/10.1016/j.respol.2005.08.002
WIPO. (2021). Global Innovation Index (GII). World Intellectual Property Organization. https://www.wipo.int/global_innovation_index/en/index.html
Wyszkowska-Kuna, J. (2016). Competitiveness of the new European Union member states In international trade in knowledge-intensive business services. Comparative Economic Research. Central and Eastern Europe, 19(3), 5–26. https://doi.org/10.1515/cer-2016-0018
Zarsky, T. (2015). The privacy–innovation conundrum. Lewis & Clark Law Review, 19(1), 115–168.
Zingales, N. (2016). Data protection considerations in EU competition analysis: Funnel or straightjacket for innovation? SSRN Electronic Journal. https://doi.org/10.2139/ssrn.3158008
Zuboff, S. (2019). Surveillance capitalism and the challenge of collective action. New Labor Forum, 28(1), 10–29. https://doi.org/10.1177/1095796018819461
Footnotes
1. The Western World – or simply ‘the West’ – is understood in this paper to comprise EU members and Anglo-Saxon countries such as the UK, the US and Canada (Blancheton & Chhorn, 2019).
2. TWAIL scholars claim that, although the term Third World seems outdated after the collapse of the USSR, it may be used to represent an ideological category that accounts for a diversity of contexts (Rajagopal, 1999). It refers to internationally marginalised nations that lag behind in terms of political power and influence, as well as economic prosperity. Therefore, the term is used interchangeably with global South, developing, less developed, or underdeveloped (Mickelson, 1998). For a comprehensive discussion, see Aoki (2000, pp. 924-993).
3. “Art. 6. Personal data processing activities must observe good faith and the following principles: I – purpose: processing for legitimate, specific, explicit and informed purposes, without the possibility of further processing in a manner incompatible with these purposes” (General Personal Data Protection Law, 2018, art. 6).
4. “[…] the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures […] in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects” (EU, 2016, art. 25).
5. Art. 46. “Data processors must adopt security, technical and administrative measures capable of protecting personal data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication or any form of inappropriate or unlawful treatment”. § 1 The national authority may provide for minimum technical standards to make the provisions of the caput of this article applicable, considering the nature of the information processed, the specific characteristics of the treatment and the current state of technology, especially in the case of sensitive personal data, as well as the principles provided for in the caput of art. 6 of this Law. § 2 The measures mentioned in the caput of this article must be observed from the product or service conception phase until its execution (General Personal Data Protection Law, 2018, art. 16).
Add new comment