New Brazilian financial sector regulations will subject cloud service providers to greater scrutiny by the country's central bank, but stop short of banning bank data from being sent abroad.
The regulation is the first issued by Brazil's National Monetary Council (CMN) to deal with cybersecurity issues, and the first that forces organisations of any kind in Brazil to appoint data protection officers.
It is the latest set of rules in Brazil to address data protection in a sector-specific way. The country's regulators currently use the country's internet law, consumer code and others to enforce data protection standards. Brazil's Congress is considering passing broader federal data protection regulation.
The CMN, which is composed of two government ministers and the central bank governor, issued resolution 4658/2018 on 26 April that forces financial institutions to have cybersecurity policies in place by 6 May 2019, and be fully compliant with the regulation detailed by the resolution by 31 December 2021.
The resolution gives the central bank unfettered access to data hosted by third parties, wherever it is stored and at any time. It also allows the central bank to block deals with third-party data handlers located abroad and urges financial institutions to send information only to countries that have information-sharing agreements with Brazil.
Pinheiro Neto Advogados partner Bruno Balduccini in São Paulo told Latin Lawyer's sister publication Global Data Review that he is relieved the CMN climbed down from an initial proposal to ban all data storage and processing abroad.
"The [CMN] has listened to market … [the resolution] is a smart way to allow innovation, but ensure data security," Balduccini said.
Balduccini said the central bank initially wanted to impose data localisation rules because it feared that banks' increased use of foreign data handlers hindered its ability to inspect bank information. On at least one occasion the central bank had been unable to access bank information hosted on third-party servers abroad, he said.
Thiago Sombra, a partner at Mattos Filho Veiga Filho Marrey Jr e Quiroga Advogados in Brasília, called the regulation "innovative", praising the central bank's pragmatism in abandoning its planned data territoriality requirements.
Sombra said it was "very important" that the banking industry had avoided this territoriality measure, since the EU's GDPR does not include any similar restrictions.
The idea of restricting cross-border data flows took hold in Brazil in the wake of 2013 revelations by US whistleblower Edward Snowden that US intelligence agencies had hoovered up data on the country's citizens and organisations.
Since then, various countries have enacted data localisation laws, including Russia, which restricts flows of its citizens' personal data, and China, whose Cybersecurity Law requires operators of critical information infrastructure to store personal information and important data domestically and to pass a security assessment before transferring it abroad.
The new Brazilian financial sector regulation also requires contractors to obtain central bank approval before stopping any data-hosting or processing service they may be providing to a financial institution, even if the payment for the service stops.
Financial institutions will have to conduct regular audits of third-party providers and provide an annual report to the central bank detailing any cybersecurity incidents, as well as any measures they have taken to improve cybersecurity.
Other new requirements include that financial institutions enact data breach response plans; and ensure new cybersecurity policies are accessible and easy to understand.
The regulations do not specify a deadline for data breach notifications, but say regulated entities must notify the central bank "very quickly".
This story was written for Global Data Review, a new service by Latin Lawyer's publisher, Law Business Research.