ITIF Filing to the Central Bank of Brazil on Cybersecurity and Data Processing Requirements

Data is central to the modern economy, whether firms are in goods sectors (such as agriculture, manufacturing, and mining) or in services. Of the latter, the financial sector is among the most data intensive, as technological innovation has fundamentally changed how people access and use financial products and services. As such financial services firms, especially ones with operations in more than one nation, require the ability to move data between nations. Combined with the fact that a country’s financial sector plays a crucial intermediary role in its broader economy, this means that elements of this draft resolution on cybersecurity that limit cross-border financial data flows have the potential to exert negative impact across the Brazilian economy.

The proposal raises a number of major concerns for Brazil’s financial sector, not to mention Brazil’s broader potential to develop a data-driven economy (appendix lists relevant provisions). The main issue is that the cybersecurity proposal would force firms to store their data locally (article 11). There are also concerns with its requirement for firms to indicate where the actual data centers are located (article 12:1) and the requirement for cloud companies to provide the Brazilian Central Bank with physical access to the data centers (article 12:7). 

The draft proposal’s focus on geography—by forcing financial firms to use or setup local cloud services, a concept known as “data localization”—would negatively affect Brazilian firm competitiveness and productivity, and would actually raise potential cybersecurity risks. Financial firms, and the sector as a whole, would be less competitive as the rules would potentially cut them off from cheaper and better global cloud service providers. This would ripple throughout the Brazilian economy by reducing productivity, as any increase in financial firms’ information and communications (ICT) costs would likely be passed onto users, whether these are individuals, companies, or the government. From a cybersecurity perspective, this local data storage requirement may force financial firms to use local cloud services that are not best-in-class in using the latest protective measures. Furthermore, forcing firms to store data locally may also increase cybersecurity risk as it forces firms that operate across multiple countries to spread their data across more data centers—losing the benefits of centralized and more effective management.

This submission outlines why the notion at the heart of this proposal—that data must be stored domestically to ensure that it remains secure and private—is false and how the Central Bank’s focus should be on ensuring that financial firms use best-in-class data storage cybersecurity measures (regardless of where the data is stored). Likewise, the Central Bank should be focused on ensuring the regulatory framework provides the transparency and accountability about how firms manage their ICT infrastructure and data management so that they’re able to fulfil their reporting responsibilities (in terms of providing data to authorities), rather than focusing on the location of data and physical access to data centers.