Marcelo Crespo ( marcelocrespo@pgadvogados.com.br) is a lecturer, professor, and partner at PG Advogados in São Paulo, Brazil, where he performs legal services concerning digital law. Guilherme Beloto (guilhermebeloto@pgadvogados.com.br) is a political scientist and graduating law student currently involved with privacy and data protection projects at PG Advogados, assisting national and international companies based in Brazil.

• linkedin.com/in/marcelocrespoadv/

• twitter.com/professorcrespo

• linkedin.com/in/guibeloto/

Speaking of privacy compliance is much more difficult than it appears initially. From the complex regulatory scenario regarding personal data, to the incremental need for this same data for decision-making, this topic is a mix of such diverse subjects as governance, compliance, information security, user experience, and others.

Although it's hard to determine exactly when privacy compliance became a hot topic, surely, since 2013 it came into the spotlight when Edward Snowden leaked details about PRISM, a surveillance program run by the National Security Agency (NSA) that had direct access to Google, Facebook, Apple, and other internet giants. British newspaper The Guardian and American newspaper The Washington Post revealed the information of the secret program in 2013, unleashing a chain reaction that would later change the public’s perception on data collection by government authorities and shaped the debate in the following decade. The electronic eavesdropping of the PRISM program was part of a larger NSA system for massive data collection, sniffing data from a variety of individuals (targets), ranging from normal people to presidents. As information became public, we learned that PRISM allowed US intelligence to gain access from internet companies to a wide range of digital information on foreign individuals from outside the United States.

It was aimed to grow into a ubiquitous spying apparatus, able to monitor all the world’s citizens,^[1] and the fact that it wasn’t necessary to obtain individual authorizations from a judge to include someone as a target just made the program more dangerous for the privacy of individuals. Snowden’s revelation was scandalous, because PRISM didn’t need individual warrants. It was operating under a broad authorization from federal judges who oversee the use of the Foreign Intelligence Surveillance Act (FISA).^[2]

At that time, privacy compliance wasn’t subject to law, but it was a justified concern, considering people could have been spied on by the NSA. The revelation that PRISM allowed officials to access history, emails, file transfers, live chats, and documents made the world pay strict attention to it. For instance, Brazil seized the moment and passed its federal general law to regulate the internet, nº 12.965/14, which became known as Marco Civil da Internet (MCI),^[3] in a clear effort by the Brazilian government to demonstrate that there were laws regulating the digital environment. It was even rumored that President Rousseff had been targeted.

Since 2012, The European Parliament and the Council of Europe, in turn, were discussing the need to update their Data Protection Directive (95/46/EC) to face the new challenges arising from the development of the internet and the new technologies that allowed governments and companies to know so much about individuals. So, not long after, the General Data Protection Regulation (GDPR)^[4] came into force in 2018 and explicitly prescribed a global territorial scope, regulating what was already becoming a trend. The court case Google Spain and Google v. Agencia Española de Protección de Datos (CJEU C‑131/12)^[5] broadened the territorial scope of the Directive, allowing the court to judge the global challenges being faced in this new context.