Privacy Talk with Thiago Guimarães Moraes, PhD candidate in a joint-degree program between Universidade de Brasilia (UnB) and Vrije Universiteit Brussels (VUB): How does the personal data protection culture in Latin American countries is influenced by the Brussels Effect ?
“This interview has been recorded on 16th July 2024 and discusses AI and data protection legislation.”
- Why did you start to work on data protection space?
- What did you research during PhD?
- How do you connect your research with the mission at Data Protection Authority in Brazil?
- How does the personal data protection culture in Latin American countries is influenced by the Brussels Effect ?
Kohei: Thank you for everybody joining the privacy talk. I’m so honored to invite Thiego from Brazil. He is doing exclusive research. Today, we’re gonna discuss his practice and missions. So that was so exciting. Well, Thiago, thank you for joining today.
Thiago: Yeah, thanks for inviting me. Kohei-san.
Kohei: Thank you. First of all, I introduce his profile. Thiago Moraes is a PhD candidate in a joint-degree program between Universidade de Brasilia (UnB) and Vrije Universiteit Brussels (VUB).
He holds an LLM in law and technology (Tilburg University), an MSc in information science (UnB) and two BScs in law and in network engineering (UnB). Furthermore, he is the Coordinator of Innovation and Research at the Brazilian Data Protection Authority — ANPD, and was also its first Data Protection Officer. He is cofounder of the Laboratory of Public Policy and Internet (LAPIN), and is also a member of IAPP, with CIPP/E, CIPM, CIPT and CDPO.br.
So that’s going to be a very good conversation. Thiago, thank you for joining.
Thiago: Yeah, I’m looking forward to it.
Kohei: Thank you. First of all, let’s go to today’s agenda. I’d like to ask about your activity, because you keenly work on the Data Protection space right now. So could you tell us why did you started to work in the Data Protection sector?
- Why did you start to work on data protection space?
Thiago: Great. That’s a great question. It’s interesting because it has to do with my personal academic trajectory. As you just mentioned, I first have done a bachelor’s in network engineering, and by that time, I started doing a master information science, because I have been a lot of interest in how technology connects with people like make people connect with how it impacts society.
And maybe because of that, that was a natural process for me to start going to humanity scores. So I started to do law, a bachelors in law, and from there, I kept researching more and more of the connection between law and technology, which the master that I did after work.
So in principle, I was looking a lot at intellectual property when I was at my bachelor’s in law, because it’s also a topic that has a lot of technology and law related but the thing for me is that IP didn’t sound to me so appealing as what we have in data protection, which is a fundamental right, which directly relates with people, not only with assets of a company.
So that’s why, and when I moved to the Netherlands to do my master’s, my second master, I decided that I would focus on data protection. And I think it was a very nice, good decision, because at the same time in Brazil, the data protection environment was developing, we were advancing the data protection legislation. It was still not approved.
It was actually approved while I was abroad. But that was a perfect timing, because by the time I finished my master the we were like waiting to the data protection authority to be created, so everything was connected in the end.
Kohei: That sounds like an interesting history. So as for now, you like doing many of the research at this moment. So could you briefly explain what you have been researching for your PhD?
- What did you research during PhD?
Thiago: Yeah, great, yeah. So my PhD, which I just started, like last year, it was the result of my last activities within the Data Protection Authority. Since I started working there, I’ve been getting closer and closer to specific technology, which is artificial intelligence.
Since there’s a lot of connection between artificial intelligence and some concepts of data protection legislation. Because, of course, it’s not all the case, but in many situations AI systems process personal data, and usually the high risk cases are related with personal data processing like what I mean is that usually, when we see in legislation such as the AI Act that sensitive data, sensitive personal data, is being processed, usually is high-risk.
This is the context where we are worried as a high risk AI system. So because of that, at the same time, I understand that we need to have a good regulation protecting our rights, rights of citizens on AI.
I also think it’s very important that we guarantee that this set of regulatory enviroments continues to be innovative, right? We don’t want to hinder innovation, and that’s when I decided that I would like to find this balancing ground and one specific regulatory tool that exists nowadays that has been taught more and more.
It started in the financial sector, but nowadays not every sector have initiatives related with that is the Regulatory Sandboxes. So basically, if I could say a single sentence, what I’m going to research in my PhD is how we can use Regulatory Sandboxes to foster responsible AI innovation.
Kohei: That sounds very awesome, and about the Regulatory Sandboxes. We want to touch after the topic, so that is being a very important as well. So you are involved as part of the ANPD, Data Protection Authority in Brazil. So how has your research been connected to your work at the Data Protection Authority?
- How do you connect your research with the mission at Data Protection Authority in Brazil?
Thiago: Okay, that’s a great question as well, because, you know, it’s very challenging to do a PhD and not be like exclusively focused on your PhD, and in my case, I am working at the ANPD at the same time and doing the PhD, so which can be very challenging.
So a way of like trying to guarantee my focus on both activities is to merge what I’m doing in one place with the other, and that’s what I’ve been doing for now.
And so at the Brazilian Data Protection Authority, ANPD, we have been designing a regulatory sandbox pilot on AI and that protection so as you see, if things go well, and this project comes out of the paper, because we’re still in the designing phase, we’re still looking for the right resources and the right legal rules for allowing it to be implemented.
But if things go well, I’ll have a very interesting use case for my own research. And of course, this means that a lot of these goals that I have in my PhD are trying to see, for example, if we can promote algorithmic transfers within a sandbox or something like that, I also bring into the work that I am doing there.
It’s not, of course, it’s not the only project that I had to coordinate at the Brazilian Data Protection Authority, but since it’s the one that’s closer related with my PhD, is the one that I have been trying to give more attention to.
Kohei: Thank you for your explanations. So that’s been a very interesting history why you are involved in this work at this moment. So from this term, I gonna ask for a more deeper research of some of the papers in your work.
So in terms of the data protection cultures in Latin America. It’s evolving related to some influences such as from Europe, Brussels, especially.
So one of your papers. It’s very interesting to take an overview of these new movements. So how does a personal deal protect culture in Latin America countries influenced by Brussels effects? So could you tell us about your overview?
- How does the personal data protection culture in Latin American countries is influenced by the Brussels Effect ?
Thiago: Yeah, okay, yeah. Thanks for making this question, because this is related with research that I have participated in together with other colleagues from the University of Brasilia from 2020 to 2023 so it was a three-four year research.
It took a bit longer because of the pandemics, right. But this was a very interesting research which was coordinated by Professor Alexandre Veronese from UNB.
I can introduce you to him in another time, if you want, because he has been one of the leading researchers on data protection at the University of Brasilia. So he coordinated with a team of researchers, some PhD scholars.
At that time, I was still not a PhD student, but I read was interesting on I started my PhD path, so I joined this research group, and it was a very throughput research because we looked to all the countries in Latin America that had a Data Protection Authority or data protection legislation by the time we started.
Because it’s important to say that, because since we have started the research, other countries have approved that protection, they are owing protection legislation. So of course, we couldn’t, like keep adding more, because we need planning, etc.
So at that time, when we started the research, there were eight countries that we have studied. So sorry if I don’t recall them, but it’s Colombia, Chile, Argentina, Uruguay, Brazil and Mexico, Costa Rica and Peru.
Yeah, these were the countries. So what we’ve done was to research both literature, academic literature about these countries. This was very important, because we didn’t want to have a research just based on the perspective of the Global North.
We wanted to know how Latin America researchers and academics understand the data protection ecosystem in these countries. So it was very nice because we looked at the territory of like Dr Pablo Palazzi from Argentina, Nelson Remolina from Colombia.
We’ve done like assess with many scholars, you know, from these countries, and we also conducted interviews with both of these scholars and with other representatives from government, civil society, and the private sector.
So it was a very multi-stakeholder interview. It included some fields, field visits to some of these countries. We visit all these countries, we share, like the team split up and we visit the data protection authorities in each one of these countries, which was also very nice.
And from this very throughput research, we have published some papers. So this one that you mentioned is a specific one from one of the insights that we got. Because, of course, when we conducted this research, we wanted to understand more how different data protection cultures influence one another.
So it was inevitable to look at the Brussels effect, right? Because we had, we know that the European continent has a long history of data protection. It had a directive before and then the GDPR.
So of course, we wanted to see this influence. And it was very curious, very interesting to see. Because, contrary to what some people might think, it is not exactly about the Brussels effect, because the scenario is way more complex than just that.
I’m not saying that the Brussels effect doesn’t doesn’t happen, but it’s not the only factor. So you understand my point. In Latin America, many countries had led data protection legislation way before GDPR, even the EU Directive 95.
It didn’t have the impact as, for example, the Spanish data protection law, which was the one that influenced several of the Spanish speaking countries in Latin America.
At the same time, all the countries that data protection culture, privacy culture, so we were also influencing so for example, it was very interesting to find out that the landscape in US and also in the Asia Pacific region, influenced a lot some countries from Latin America, like Mexico
Because Mexico has a lot of connection with us, with Asian countries, also Chile, Colombia, these countries all had some influence from, for example, the APEC-CBPR or the US approach.
(Video: Business and Consumers Win with the APEC Cross-Border Privacy Rules System)
So what I mean by that is that the scenario and the puzzle is way more complex than just associating to a specific region. And just to conclude this, this reflection, what was also interesting to realize is that these own countries, these Latin American countries, were impacting and influencing one another.
For example, the region in the Caribbean that has been starting to develop. So we looked at Costa Rica, but there was also, like Honduras, Guatemala, all of these countries now are developing.
So this region is developed, and they are looking a lot to the Mexican experience, because Mexico is just right there, right? It’s way closer in economic relationship, geographic proximity.
At the same time, we see that Brazil, for example, is having some influence in some countries to update the legislation, like what we see in Argentina. So what is interesting is that there is a lot of exchange, and especially nowadays, that the Latin American countries, they have enforcing this group called the well in English, it will be the data protection iberoamerican network to enforce Latin America protection the data.
So this group meets several times per year to guarantee collaboration in enforcement, in exchanging experience and knowledge. So I see that, of course, the Brussels Effect has an influence, but it’s not the only one. You know,
Kohei: It’s a very interesting history that Latin America’s countries has been passed in the in several years ago, due to this, some of my Spanish and Italian friend is said, it’s Brazil is really advanced to take a step of a head of the fundamental rights for all the citizens, just to coordinate it with the network within Latin America.
So your research and your leadership is really interesting for us in Asia as well. So the next topics about the AI specific, because the AI is everywhere, the coming like the balances of the using the AI respecting privacy or fundamental rights.
So maybe just started more practical discussion in Europe. And Brazil is also one of the countries that try to start regulatory topics. So how does Brazil work for responsible AI at this moment from your publication, so could you share about the idea?
Thank you for reading and please contact me if you want to join interview together.
Privacy Talk is the global community with diversified expert, and contact me below Linkedin if we can work together!
