Article | AI with Rights | Digital Platforms and Markets

International cooperation in data protection: getting to know the Ibero-American Network for Data Protection and its Civil Society Forum

by Thaís Aguiar

Complex thematic issues such as privacy and data protection, which require the exchange of information for more effective law enforcement and sharing of best practices, benefit from international cooperation mechanisms. In regions like Europe, which has historically been more attentive to these rights, there are famous examples such as the guidelines from the Council of Europe (CoE) and the Organization for Economic Co-operation and Development (OECD). Did you know, however, that there are a number of other areas dedicated to international cooperation for data protection – including in the Global South?

In Latin America, the most prominent mechanism in this regard is the Ibero-American Network for Data Protection (RIPD). Formed nearly 20 years ago, the RIPD consists of bodies from various sectors and has a number of initiatives and activities aimed at strengthening the exchange of information and the development of effective data protection policies in the region. Focused on dialogue among different sectors, the RIPD even has its own Civil Society Forum (FSC-RIPD), of which the Data Privacy Brazil Research Association is a member.

In 2021, the RIPD gained attention in Brazilian news when the National Data Protection Authority (ANPD) became a member of the Network, but it is still relatively unknown in the country. In this post, we will explain a bit about the Ibero-American Network for Data Protection, a regional mechanism for cooperation in the field of privacy and data protection, involving organizations from various sectors, to understand its history, structure, functioning, and contributions to promoting the data protection rights of citizens in the Ibero-American region.

The Ibero-American Network for Data Protection

• Emergence and History

International cooperation is a powerful tool for coordinating between states and organizations to achieve a common goal, ranging from political to economic issues, and applicable to various fields. In multifaceted topics such as personal data protection, the importance of international cooperation becomes evident through practical challenges: issues like the extraterritorial application of norms and the implementation of safeguards for international data flows are examples of how cooperation between countries is necessary to ensure that these rights are properly exercised.

Beyond being a necessity, attention to the international context also represents an opportunity for personal data protection. The movement towards regionalization allows the identification of geopolitical and socioeconomic similarities with neighboring countries, which represents a potential for overcoming shared challenges and building policies and practices that are more efficient and suited to the local population.

Both for convenience and necessity, 14 countries in the Ibero-American region recognized, as early as 2003, the potential for joint action to promote personal data protection for their citizens and consolidate it as a fundamental right, while also stimulating regional socioeconomic development. To this end, they held the Ibero-American Data Protection Meeting (EIPD) in that year, where an agreement was reached that led to the creation of the Ibero-American Network for Data Protection (RIPD). This result was also reinforced in 2003 in the Final Declaration of the XIII Summit of Heads of State and Government of Ibero-American countries.

In addition to being a tangible result of these meetings, the creation of the RIPD was a landmark for the region as it established a framework for permanent collaboration: from the outset, the Network set out to be a forum for integrating actors from various sectors to bring together projects and initiatives on personal data protection in a continuous exchange of knowledge and experiences. Through these exchanges, the Network seeks to promote normative developments for advanced personal data protection regulation in a democratic context that strengthens ties between these countries.

More than just enthusiasm, the initial proposal proved to be consistent and yielded relevant results: over its 19 years of existence, the Network has annually promoted Meetings and Seminars on various topics of interest in data protection, from the study of new technologies to international transfers. Today, the Network has consolidated itself as the main promoter of dialogue and data protection initiatives in the Ibero-American region, and in terms of impact, it benefits more than 350 million Latin American citizens who now have personal data protection laws and local authorities to safeguard them.

Among the RIPD’s regulatory advancements, in addition to supporting local processes for formulating data protection laws since 2003, a highlight is the “Personal Data Protection Guidelines for Ibero-American States,” approved in June 2017 at the XVI Ibero-American Meeting in Santiago, Chile. These guidelines, which received support from the European Commission during their development, serve as a regional reference model for the right to data protection — both for reviewing existing norms and for creating future regulations.

The guidelines approved in 2017 are of fundamental importance for the RIPD because they brought with them the reinforcement of objectives that the Network aims to fulfill: establishing a set of common data protection principles and rights that Ibero-American states can adopt in their national legislation; ensuring the protection and exercise of the right to data protection for any individual in the region; facilitating the flow of personal data between Ibero-American states and across borders; and promoting international cooperation among authorities. These objectives reflect the Network’s effort and commitment to harmonizing local data protection laws to favor the economic and social growth of the region.

It is worth noting that the Network has a strong interest in developing international data flows within the region — in fact, obtaining the Adequacy Declaration from the European Commission is one of the factors that drives the Network to encourage the development of regulatory frameworks for the institutions that comprise it.

In addition to the 2017 guidelines, the Network has a Regulation that details its objectives and organization. This Regulation was approved in 2008 at the VI Ibero-American Data Protection Meeting and revised at the XVI EIPD in 2018 in San José, Costa Rica.

• Composition

As observed in the history of the formation of the RIPD, the creation of the Network is the result of agreements between governments in the Ibero-American region. Reflecting this movement, the RIPD is composed of governmental and intergovernmental entities – generally, data protection authorities, but also other agencies connected to the theme.

It is important to highlight that, despite the RIPD being composed of public sector entities, there is a notable dialogue with other sectors in the development of its activities. This is evidenced, for example, by the existence of the RIPD Civil Society Forum, a communication and engagement channel between the Network’s member authorities and civil society organizations that are interested in the topic.

In 2021, the National Data Protection Authority (ANPD) joined the RIPD, making Brazil a member country of the Network. Other member countries include: Andorra, Argentina, Chile, Colombia, Costa Rica, Spain, Mexico, Panama, Peru, Portugal, and Uruguay.

In addition to its members, the Network includes observer entities from Cape Verde, El Salvador, Guatemala, Honduras, Ecuador, Paraguay, São Tomé and Príncipe, the Dominican Republic, and also international organizations such as FIIAPP, EDPS, OAS, Council of Europe, and the Inter-American Institute of Human Rights (IIDH).

• Structure and operation

Presented here in a summarized form, the structure and organization of the RIPD are elements that also help to understand how the Network’s commitments can be achieved and the political challenges for the future. In greater detail in Title III of its Regulation, the organization of the RIPD is divided into the Presidency, Permanent Secretariat, Executive Committee, and Closed Sessions of the Network members.

The Presidency of the RIPD is responsible for representing the Network institutionally and in data protection forums; engaging in legislative initiatives for data protection in the Ibero-American region; and presiding over the meetings of the Executive Committee. Renewed every two years and decided by a simple majority of the members present in the Closed Session, the RIPD is currently chaired by the Superintendency of Industry and Commerce of Colombia (SIC) for the 2021-2022 term.

Meanwhile, the Permanent Secretariat of the Network is held by the Spanish Agency for the Protection of Data (AEPD). The functions of the Secretariat concentrate on decision-making and executive aspects essential to the activities of the Network. Among its duties, the AEPD is responsible for establishing contact with national and international organizations for technical and logistical support for the Network’s activities; executing decisions and projects approved in Closed Sessions; serving as the communication channel between RIPD members; promoting and coordinating working group activities; evaluating the incorporation of new members and inviting experts and observers to the Network’s events.

The Civil Society Forum (FSC-RIPD): the voice and role of civil society in the Ibero-American Data Protection Network

A brief analysis of the history and structure of the RIPD reveals the intense mobilization of the government sector to promote the protection of personal data in the Ibero-American region. However, it is well known that political development benefits from the diversity of sectoral perspectives, leading to more favorable results for the protection of the fundamental rights of the population. Furthermore, the third sector, whose existence is focused on solving social problems, includes civil society organizations with expertise in digital rights, which have much to contribute in building the data protection culture within the RIPD.

Indeed, civil society organizations have been present at events and milestones throughout the RIPD’s formation. However, until 2018, they did not have a formal space to foster dialogue between sectors and felt the lack of participatory mechanisms and transparency regarding the Network’s activities. In that year, an intense campaign led by activists and organizations seeking broader work on the protection and promotion of fundamental rights highlighted that the RIPD, the largest regional reference for data protection regulation, still lacked a broader and more participatory debate.

In the campaign letter sent to the RIPD in March 2018, the campaign emphasized that “the contribution of civil society organizations is fundamental, as they offer a human rights defense perspective and represent the demands of neglected or minority sectors, who would otherwise be unable to be heard in such areas and influence decision-making.” Furthermore, it highlighted that the protection of personal data “is one of the pillars of contemporary internet governance and that, according to the ‘Global Multi-Stakeholder Meeting on the Future of Internet Governance’ of 2014, decision-making processes must include multiple stakeholders and be inclusive and equitable.”

The third sector campaign was also emphatic about the potential contribution of civil society to the Network’s goal of achieving a regulatory framework that fully respects individuals’ rights. Highlighting even the commitments made in the 2017 guidelines at the meeting in Chile, the effort resulted in the formalization of a participatory space within the RIPD: thanks to the campaign, the Network included a specific section in its Regulation (Article 15, modified version of 2018) formalizing the Civil Society Forum.

A product of this achievement and with strategic importance, the Civil Society Forum (FSC) of the RIPD is the space that creates this communication and collaboration channel between civil society organizations and the authorities and members that make up the RIPD. The FSC seeks to bring a human rights perspective and a citizen-based approach to the protection of personal data and privacy across Ibero-America.

Today, the Civil Society Forum of the RIPD is composed of 12 organizations dedicated to studying and working on human rights and information and communication technology projects, all from Latin America. These include: ADC – Asociación por los Derechos Civiles; Data Privacy Brazil Research Association; Datos Protegidos; Hiper Derecho; Idec – Instituto Brasileiro de Defesa do Consumidor; InternetLab; Ipandetec; Fundación Karisma; Privacy Latam; R3D – Red en Defensa de los Derechos Digitales; Sulá Batsú – Cooperativa; TEDIC – Tecnología y Derechos Humanos. Other organizations interested in joining can consult the entry and admission process to the FSC, which recognizes the importance of the rights to be protected while acknowledging the scale of the challenges ahead and the potential for more collaboration.

Since its establishment, the Civil Society Forum has carried out a series of activities in partnership with the RIPD, aiming to contribute to regulatory improvements and the dissemination of information to strengthen a data protection culture in the region. From a normative collaboration perspective, three main technical contributions have been sent to the network on the prevention of digital gender-based violence, personal data management in cloud services, and the processing of personal data using artificial intelligence technologies.

The FSC has also been dedicated to spreading information on various topics related to fundamental rights concerning data protection. In its second cycle of webinars, the FSC has held events discussing, among other things, reflections on artificial intelligence and human rights, changes in privacy policies by big tech companies, and reports on impact assessments and human rights – the latter conducted by the Data Privacy Brasil Research Association.

Why should we pay more attention to the Ibero-American Data Protection Network?

The more spaces and actors dedicated to improving regulation and practices around data protection, the more benefited the population will be. Throughout its nearly 20 years of existence, the RIPD has proven to be more than a commitment to this ideal: it is a true project that has been realizing achievements for citizens in the region. In this sense, there are both opportunities and challenges for data protection in Brazil that make a regional perspective and an attentive look at the RIPD indispensable.

On one hand, the recent entry of the National Data Protection Authority (ANPD) into the Network points to more activities to be developed at the regional level. At the XIX RIPD Meeting, the ANPD’s first participation, Director-President Waldemar Gonçalves Ortunho Junior indicated perspectives for collaboration with countries and other Authorities, signaling the strengthening of relationships and the exchange of experiences.

At the same time as it joined the RIPD, the National Data Protection Authority signed a Memorandum of Understanding with the AEPD, the Permanent Secretary of the Network. The Memorandum, or MoU, defines the basis for collaboration between the Authorities and aims, among other things, to ensure joint cooperation on the protection of personal data, promote the dissemination of the right to the protection of personal data and establish exchanges of knowledge and best practices for training the internal teams of both institutions.

Another highlight of the MoU between ANPD and AEPD is that the document acknowledges the “need to ensure the proper processing of personal data and the risks in the cross-border flow and exchange of personal information, the increasing complexity of information technologies, and the consequent need for increased international cooperation”—precisely one of the main areas of focus for the Network since its inception. In addition to showing a closer relationship with the RIPD itself, the ANPD demonstrated that it shares similar values with its Permanent Secretariat: by signing the MoU, Gonçalves mentioned a shared commitment to privacy, informational self-determination, freedom, and the free development of individual personality.

In addition to the National Authority’s alignment with the Network, the potential of this space for other sectors, particularly civil society, is a factor that cannot be overlooked, especially when considering political context. The fact that Brazil shares similar socioeconomic frameworks with its neighboring countries represents an opportunity to strengthen the national data protection regulatory framework on at least two fronts: on one side, learning from foreign experiences; on the other, articulating to unite the voices of the Global South in broader contexts and project the real needs of the local situation to promote the exercise of fundamental rights, especially for minority groups.

The objectives, activities, and events carried out by both the RIPD and the FSC are available on their respective pages. The RIPD website can be accessed via the link. The FSC website, recently created and translated into Portuguese by the Data Privacy Brazil Research Association, can be accessed here.