FPF Welcomes Senior Fellows Covering Data Protection in Latin America and Japan
FPF welcomes two new Senior Fellows to the Global team that will provide ad-hoc insight into the state of play of data protection and privacy law developments in their regions: Pablo Palazzi for Latin America, with a focus on Argentina, and Takeshige Sugimoto for Japan.
Pablo A. Palazzi, who will oversee developments in Argentina and Latin America, is currently a law professor at the University of San Andres in Buenos Aires, Argentina, where he is the Director of the Center for Technology and Society (CETyS).
He is also a partner of Allende & Brea, a law firm in Buenos Aires, where he practices data protection law and internet law. He previously worked as a foreign associate at Morrison & Foerster, LLP in New York. He is admitted to practice law both in Argentina and in New York State.
The challenges for Latin America are finding a proper and adequate model to regulate data privacy, considering the region’s particularities. Latin America is a region that includes 33 countries and 660 million people.
Currently, first-generation laws are 20 years old, and only a handful of laws are based on GDPR, such as in Brazil and Ecuador. The remaining laws that were correct 20 years ago are not up to date to face the challenges that modern society requires. There is much room to enhance cooperation between DPAs in the region and to work on harmonizing the legal frameworks.
Palazzi participated actively as an external consultant in the European Commission’s adequacy assessments of Uruguay and Argentina, where he was also actively involved in drafting a data protection bill based on the GDPR in the years 2017-2018. He was a consultant for the “Red Iberoamericana de Protección de Datos” , drafting SCCs for Latin America. He is doing similar work for SCCs under the Council of Europe modernized Convention 108.
He was involved in drafting the Regulations of the national data protection act and the data protection law for the city of Buenos Aires (Law 1,845), and the drafting of the Computer Crimes Act in the year 2008. He was a member of the Advisory Committee of the Cybercrime Program of the Ministry of Justice of Argentina, helping to internalize the Budapest Convention.
Palazzi has written several books on data protection matters in Spanish, including: “International transfer of personal data to Latin America” (Ad Hoc, 2003, LL.M thesis with prologue by Prof. Joel Reidenberg), “Credit Reporting Law” (Astrea, 2007), “Computer Crimes” (Abeledo, 2014), and “Delitos contra la intimidad informática” (CDYT, 2019). He also edited a two-volume book with several authors to celebrate the 20th anniversary of the data protection law of Argentina (“Protección de Datos: Doctrina y Jurisprudencia,” CDYT, 2021). In Europe, Palazzi coordinated the book “Challenges of privacy and data protection law – Perspectives of European U.S. law” (Larcier, 2008), edited with Prof. Yves Poullet and María Verónica Pérez Asinari.
He is a member of the editorial board of International Data Privacy Law (Oxford University), a founding member of the Latin American Data Protection Law Review (annual law review on data protection, 2012-2018), and a member of the International Association of Privacy Professionals (IAPP) where he was the KnowledgeNet chair for the Buenos Aires chapter. Palazzi also collaborated in drafting the Model Data Processing agreement at IAPP´s Privacy Bar Section. In 2022, Palazzi was awarded the Vanguard Award by IAPP for his work in the region of Latin America. He has been a frequent speaker at the CPDP conferences in Brussels and Latam, at PLI seminars in New York, the IAPP summit in Washington, DC, and the Privacy Laws & Business conference at Cambridge University.
Palazzi obtained his law degree at the School of Law of Universidad Católica. In May 2000, he received an LL.M. from Fordham Law School, where he also worked as a research assistant for Prof. Joel Reidenberg. Pablo wrote his LL.M. thesis on international transfers of personal data and the adequacy of Latin American countries.
Takeshige (“Take”) Sugimoto, who will oversee developments in Japan, is the Managing Director and Partner of S&K Brussels LPC, a Japanese boutique law firm specializing in data protection, privacy laws, and AI regulations in the US, EU, UK, China, and Japan. He is qualified to practice law in Japan and New York State and is a member of the Brussels Bar Association (B-List). He also serves as the Director of the Japan DPO Association, which he co-founded
Japan’s Act on the Protection of Personal Information (APPI) is as vigorous as the GDPR in protecting individuals’ rights to person data. The APPI has established two sets of rules: one for the private sector, which stipulates obligations and penalties for the person information handling business operators, and another for the public sector, which stipulates obligations and penalties for administrative organizations and incorporated administrative agencies.
Starting in April 2023, local governments’ personal information protection systems will also enforce commons rules. This will position the APPI as the single comprehensive data protection law applicable to private and public sectors, including local governments.
It will be interesting to see how Japan can continue to play an important role in discussing the emerging risks surrounding personal data protection, such as data localization and unlimited government access.
Sugimoto’s data protection practice includes establishing and reviewing clients’ global data protection compliance systems, representation, and defense in disputes involving global data protection law issues, including but not limited to negotiations with European, UK, US, Chinese, and Japanese data protection supervisory authorities. As a Japanese lawyer, he regularly advises various clients on the APPI, taking into account his paralleled ongoing practical experiences with the EU General Data Protection Regulation (GDPR), UK GDPR, US California Consumer Privacy Act (CCPA) / Consumer Privacy Rights Act (CPRA), and China’s Personal Information Protection Law (PIPL).
As a former Brussels resident between 2013 and 2020, he has practiced European data protection laws, including both EU member states’ data protection laws under the EU Data Protection Directive of 1995 and EU GDPR as a member of major law firms’ Brussels offices. He has successfully represented numerous clients over the years in obtaining European data protection supervisory authorities’ approvals of EU Binding Corporate Rules (BCRs) for Controllers and Processors under the EU GDPR, following each of the European Data Protection Board (EDPB)’s opinions on the respective authorities’ draft approval decisions for those BCRs. Furthermore, he represents clients in their applications for approval of UK BCRs under the UK GDPR to the UK Information Commissioner’s Office (ICO). He has also assisted clients in preparing for the UK’s International Data Transfer Agreement, a new data transfer mechanism.
Since adopting the CCPA in 2018, followed by the CCPA Regulation issued by the California Attorney General, Sugimoto has advised several major companies on their CCPA compliance projects. He has also assisted clients in updating their CCPA compliance mechanism in line with the CPRA. In addition, he has been closely following legislative activities of US federal privacy bills, including COPRA (Consumer Online Privacy Rights Act), SAFE Data Act, and ADPPA (American Data Protection and Privacy Act), as well as US Federal Trade Commission (FTC)’s rulemaking efforts on privacy and data security.
Sugimoto has assisted several clients in complying with China’s data-related laws, including the PIPL, Data Security Law, and Cybersecurity Law. His ongoing work includes helping clients carry out personal information protection impact assessment under the PIPL, preparing PIPL-compliant consent forms, personal information entrustment addendums, data transfer agreements (SCCs), guidance on data protection management systems, internal security rules, privacy policies, data subject rights request manuals, personal information breach response manuals, and handling large data mapping projects in bilingual languages in collaboration with major Chinese law firms.
Outside of direct dealings with clients, Sugimoto has also been invited as a speaker at various data protection-related events organized by data protection supervisory authorities. In October 2021, he was invited to speak at the “Global Privacy Assembly 2021 Mexico,” where he participated as a panelist in “Panel IV: The Challenge of Compliance: The Perspective of Data Protection Officers.”
Sugimoto received an LL.B. degree from Keio University, Faculty of Law in 2004; an LL.M. degree from the University of Chicago Law School in 2012; and an MJur degree from the University of Oxford, Faculty of Law (Pembroke College) in 2013.