The thirteenth BRICS Summit took place on 9 September 2021 and cybersecurity featured prominently amongst the priorities identified by BRICS leaders. The BRICS – Brazil, Russia, India, China, and South Africa – are explicitly advocating for enhanced cooperation on cybersecurity issues, both at the international and intra-BRICS level. The facility with which cooperation can be enhanced remains unclear, but BRICS priorities and regulatory agendas are increasingly converging with a shared interest in data protection, content regulation and cybercrime.
Cybersecurity was a prominent feature of the priorities identified by BRICS leaders at the thirteenth BRICS Summit, held on 9 September 2021. Over the past years, the BRICS countries’ engagement with and initiatives regarding cybersecurity have gained remarkable relevance.
Governments from this unusual grouping have approved cybersecurity legislation that could have major impacts at the international level, including on data security, online content regulation and cybercrime.
Although their approaches feature several points of overlap and tend towards convergence, they remain significantly different in many respects. This post provides some context on the BRICS’ cybersecurity agenda(s) and suggests potential areas for cybersecurity cooperation, which the BRICS leaders are now explicitly advocating for.
In 2021, BRICS is celebrating its fifteenth birthday, under the Indian rotating presidency. Its first informal meeting took place on the margins of the 2006 UN General Assembly and, while the grouping has always kept a relatively low profile, BRICS leaders have constantly applied high relevance to the partnership. No president has missed a single meeting since the first head of state reunion in 2009; in 2014 they established their own institution, the BRICS-led New Development Bank; and more than 100 high-level events, partnerships and formal initiatives promoting BRICS cooperation are organised every year.
Digital matters have increasingly gained relevance for the group, with special attention paid to cybersecurity. The need to cooperate on cybersecurity was recognised at the BRICS Summit in 2013 in Durban, South Africa. The 2013 eThekwini Declaration recognised how important it was “to contribute to and participate in a peaceful, secure, and open cyberspace” and called for the elaboration of “universally accepted norms, standards and practices”.
The revelations of Edward Snowden triggered enhanced cooperation on digital policies among the BRICS countries. Since 2013, the BRICS countries have elaborated and implemented a broad range of strategies, laws and regulations, aimed at constructing and experimenting with their own conceptions of cybersecurity. Following the 2015 Ufa Declaration, BRICS leaders established a Working Group on Security in the use of ICTs, with the aim “to develop practical cooperation with each other in order to address common security challenges in the use of ICTs” while “sharing information and case studies on ICT policies and programs”. This latter point is particularly relevant: it explains the increasing similarity between the policy issues identified and, increasingly, solutions proposed in the agendas of the BRICS governments.
The same year, the BRICS ICT ministers signed a Memorandum of Understanding on Cooperation in Science, Technology, and Innovation, to promote cooperation in these fields and “co-generate new knowledge and innovative products”. Several concrete outputs followed these developments, including the BRICS Digital Partnership, the BRICS Partnership on New Industrial Revolution (PartNIR), the Innovation BRICS Network (iBRICS Network) and the BRICS Institute of Future Networks. They all contributed to the construction of an enhanced cooperation process, combining policy, technology and research initiatives.
Despite the initial divergent approaches to cybersecurity in the BRICS, over the past two years, there has been a renewed alignment of digital policy agendas over key priorities, such as data protection and data security, online content regulation and cybercrime.
In 2020, Brazil adopted a new Cybersecurity Strategy, enacted a new Data Protection Law (LGPD in its Portuguese acronym) and tabled regulation of social media content in the form of the “Fake News Bill”. Over the past two months, Brazil has created a new Cyber-incidents Response Network for federal public administrations and adopted, overnight, Executive Order 1068/2021 which regulated content moderation, altering the intermediary liability framework set by the Brazilian Internet Rights Framework (Marco Civil da Internet).
The results of these policy updates are mixed. The new Federal Cyber-incidents Response Network is welcome, but the Cybersecurity Strategy has been criticised for lacking defined objectives, budgets, responsibilities and deadlines, which are indeed the strategic elements of a strategy. The LGPD, strongly inspired by the EU GDPR, and entered into force in September 2020, represents a major step forward by introducing obligations to bake privacy and data security measures into products and services: so-called data protection and data security by design. However, considerable work still needs to be done in terms of implementation. Despite the creation of a new Data Protection Agency, Brazil lacks a “data protection culture” and witnesses major data leakages with remarkable frequency. In January, personal data of the entire Brazilian population were leaked.
The proposed social media regulation has been criticised for introducing traceability requirements that weaken encryption, and for a thorny issue related to user-identification requirements. The recent Executive Order, meanwhile, has been unanimously criticised, as it prohibits social networks from removing misinformation with content of a “political, ideological, scientific, artistic or religious nature,” even when it is contrary to the platform’s terms of service. The Brazilian Supreme Court has already imposed the suspension of the Order, which is considered unconstitutional by most observers, as it alters the existing intermediary liability framework, unduly affecting freedom of expression and business initiative.
Russia has enacted its Internet Sovereignty Law, and recently amended its Data Protection Law and the Law on Information, IT and Protection of Information. The Internet Sovereignty Law purportedly aims to protect the country from cyberattacks and, if needed, allows for disconnection of the Russian segment of the Internet, the “Runet”, from the global Internet. While the extent to which Russia can implement effective infrastructure-embedded control over Runet remains unclear, its aim is overtly to be able to cut off its Internet from the rest of the world.
The amendments to the two other laws entered into force in March 2021. The Data Protection Law amendments create new requirements for personal data sharing and gives new oversight abilities to Roskomnadzor, the federal media and information regulator. The Information Law amendments require social networks to monitor content and “restrict access immediately” for users who share information about sensitive matters – which can include state secrets, terrorism, the promotion of violence or riots, and the use of obscene language. These latter requirements do not seem to carefully consider the objections raised by the European Court of Human Rights in June 2020, which criticised the Information Law for allowing online content to be removed or blocked without a court order.
India has hit the headlines for its new Information Technology Intermediary Guidelines and Digital Media Ethics Code Rules, 2021 (IT Rules) and is generating much suspense in the data protection community, as it is expected to introduce the latest version of its Personal Data Protection (PDP) Bill at the upcoming parliamentary session. The IT Rules have established a broad range of requirements, especially regarding social media platforms. The provisions that have invited the most criticism concern the new content takedown framework, criticised for being excessively broad, and the new traceability mandate. According to the latter, major social networks (those with more than five million users) now have an obligation to enable the tracing of message originators. This provision, an analogue to the proposed Brazilian Fake News Bill, has been criticised for its potential to jeopardise end-to-end encryption.
It is still impossible to predict when and in what form the PDP Bill will be approved, but, when enacted, it will help provide legal certainty on a variety of issues that intersect with those above.. The first version of the PDP Bill was proposed by the government in 2018, in the aftermath of the Puttaswamy case, which created a new fundamental right to privacy in India. However, the Bill, which has been pending for almost three years now, has been altered substantially, leading the original drafter of the Bill, retired Supreme Court Justice B N Srikrishna, to call one of the most recent versions of the Bill “a blank cheque to the state”.
China has been busy developing a wide range of data-related policies and seems to be the only place on earth where policymaking is outpacing technological developments and regulation is enforced strictly. The Chinese emphasis on data-related policies follows from Beijing’s realisation of the benefits brought by data protection and data security and consideration of (personal) data as an increasingly essential asset – of which China is the largest producer globally – from both an economic and strategic perspective. After enacting its new Civil Code in January 2021, creating new legal rights to privacy and protection of personal information, in August, the Chinese National People’s Congress adopted the new Personal Information Protection Law (PIPL) and the Cyberspace Administration of China has released a draft Regulation on Automobile Data Security for comments. The PIPL, which may be seen as a GDPR with Chinese characteristics, defines China’s comprehensive data protection system, setting out general rules that will be specified according to sector. In this context, Beijing has also adopted its new Data Security Law (DSL), defining more stringent requirements for processing “important data”, “core state data” and “sensitive data” and extending to all automated data-processing the requirement to comply with the Multi-level Protection Scheme mandated by the 2017 Cybersecurity Law.
China has had data localisation requirements since introducing the 2017 Cybersecurity Law, probably inspired by its neighbour Russia’s own data localisation provisions, which were introduced in 2015.The DSL extends data localisation obligations to important data. In October 2020, China also announced its willingness to launch a Global Data Security Initiative, but so far, the initiative has not gained much traction. Importantly, in 2020 China also adopted the Provisions on Governance of the Online Information Content Ecosystem, which play a major role in regulating online content. The Provisions define what categories of content are considered illegal and what content producers are encouraged to develop and publish, and also introduce an obligation to prevent the production of undesirable types of content.
Over the past year, South Africa has also undergone significant digital policy updates, enacting two major pieces of legislation. In July 2021, the one-year grace period of POPIA, the South African Protection of Personal Information Act, ended, thus making the law fully enforceable. POPIA finally entered into force after an eight-year gestation period: the law was formally approved in 2013, but its implementation was subsequently put on hold while a new Information Regulator was established and South Africans prepared for compliance.
In June 2021, president Ramaphosa signed the new Cybercrimes Act of South Africa, bringing the country up to date with international best practices. The Cybercrimes Act creates new crimes of unlawful access and interception of data, unlawful acts in respect to software or hardware tools and unlawful interference with data or computer programmes. Interestingly, there are several points of intersection between POPIA and the Cybercrimes Act. It is also interesting to note that South Africa is a signatory to the Budapest convention, despite not being a member of the Council of Europe, while Russia, which is a member, has never signed the Convention and has been actively promoting international efforts to create a cybercrime treaty within the UN.
Enhanced Cooperation at the International Level?
The BRICS countries’ approaches to most cybersecurity issues have become increasingly compatible and similar, while the countries have started recognising explicitly the value of enhanced cooperation on these issues. Indeed, in the 2021 Declaration, the BRICS leaders expressed their intention to “advance practical intra-BRICS cooperation in this domain, including through the implementation of the BRICS Roadmap of Practical Cooperation on ensuring Security in the Use of ICTs and the activities of the BRICS Working Group on Security in the use of ICTs, and underscore[d] also the importance of establishing legal frameworks of cooperation among BRICS States on this matter and acknowledge[d] the work towards consideration and elaboration of proposals, including on a BRICS intergovernmental agreement on cooperation on ensuring security in the use of ICTs and on bilateral agreements among BRICS countries.” [emphasis added]
The BRICS have consistently emphasised that the UN is the most appropriate venue for cybersecurity and cybercrime policy development. The BRICS national security advisors recently reiterated their willingness to enhance cooperation on such topics, within the UN. Some members of the group have also explicitly expressed interest in working on a “pentalateral” agreement to create a comprehensive system for countering cyber threats. These intentions have now been put on paper by the BRICS heads of state.
However, the facility with which cooperation can be enhanced remains unclear. Cybercrime, for example, is a particularly sensitive issue, considering that what constitutes a crime is the quintessence of domestic legal culture and national idiosyncrasies. While South Africa has signed the Budapest Convention and Brazil has declared its intention to join, China, India and Russia have clear preferences to coordinate their cybercrime initiatives within the Shanghai Cooperation Organisation and the UN.
Russia has called for the development of an internationally binding treaty on cybercrime at the UN level since the early 2010s. In December 2018, the UN General Assembly approved a resolution, sponsored by Russia and a group of aligned countries, establishing an Open-ended Ad Hoc Intergovernmental Committee of Experts to draft “international legal or other responses to cybercrime” under the auspices of the UN. The first substantial meeting of the Committee is planned for January 2022.
Reaching agreement on the content of internationally binding norms on cybercrime and cybersecurity is far from a trivial task, and it could easily be complicated by intra-BRICS frictions, such as the recent China-India skirmishes and India’s subsequent ban of 200-plus Chinese apps. However, the BRICS’ enhanced cooperation on cybersecurity is already ongoing. The current political conjuncture – including the BRICS’ increasingly similar domestic priorities; the consensus found within the UN Group of Governmental Experts (GGE), saluted by the 2021 BRICS Declaration; and the mandate to elaborate international and intra-BRICS responses – may make this an easier time than ever to come to such an international agreement.