Análise da proteção da privacidade e dos dados pessoais do usuário da CBDC brasileira
| Ano de defesa: | 2024 |
|---|---|
| Autor(a) principal: | |
| Orientador(a): | |
| Banca de defesa: | |
| Tipo de documento: | Dissertação |
| Tipo de acesso: | Acesso aberto |
| Idioma: | por |
| Instituição de defesa: |
Universidade Federal de Minas Gerais
Brasil DIREITO - FACULDADE DE DIREITO Programa de Pós-Graduação em Direito UFMG |
| Programa de Pós-Graduação: |
Não Informado pela instituição
|
| Departamento: |
Não Informado pela instituição
|
| País: |
Não Informado pela instituição
|
| Palavras-chave em Português: | |
| Link de acesso: | http://hdl.handle.net/1843/69450 |
Resumo: | Based on material collected up to February 2024, through normative analysis and literature review, we sought to verify the hypothesis that the technological and regulatory structure adopted by the Central Bank of Brazil (BCB) to issue the Drex, the Central Bank Brazilian Digital Currency (CBDC) offers risks to privacy and data protection of its user's natural person. First, it was necessary to understand the models that can be used to issue CBDCs, and in particular, the one chosen by the BCB to prepare and execute the Drex Pilot. Afterwards, variations of distributed ledger technology (DLT) technology were studied, with an emphasis on the wholesale format with the adoption of issuing tokens in a decentralized, permissioned and private database, in which proof of authority is used, the Proof of Authority (PoA), to authorize access and participation only by members selected by the central authority, characteristics chosen by the BCB for the Drex structure. It was also crucial to define the Brazilian legal regime applicable to the protection of privacy and personal data. In the end, it was clear that the BCB expressly assumed the commitment to respect, when issuing and circulating the Drex, the general and special legislation that regulates privacy and the protection of personal data in Brazil. However, it was not possible to state with certainty that the risks of committing data processing activities are completely ruled out, which in turn generate information about records and activity patterns such as currency values and services used that can lead to undue surveillance, the abusive manipulation of national and international databases and the profiling of Drex users. This is because, considering its evolutionary stage of creation, even in the Pilot Project phase, whose tests have not been completed, the definition of the types of Drex user data that can be accessed and processed was not found, nor was it the delimitation of the extent of authorization for its processing and sharing has been identified. Although a provision was made for attributing powers to the Drex Pilot Management Executive Committee and its members to ensure the protection of data that the committee gathers, it was also not clear how accountability for improper data processing would be carried out and what approach will be adopted in relation to data anonymization and the performance of the National Data Protection Agency (ANPD) in the Drex structure, especially with regard to the delimitation of standards for the elaboration of terms of use for international data transfer in the planned cross-border payments. All these uncertainties will need to be considered by the National Monetary Council and the Central Bank of Brazil in the regulation of Brazilian digital currency, as well as new phases of investigation will be necessary to understand how privacy and data protection by design and by default techniques with the implementation of Privacy Enhancing Technologies (PETs) studied by the BCB would allow the effective informational self-determination of individuals, removing them from the position of victims of data processing, and placing them as effective holders of power over their personal data. |