Redação
The global financial landscape is shifting, and the arrival of UnionPay in Brazil marks a significant moment in this transition. As the Chinese payment giant expands its footprint in South America, it brings both new commercial opportunities and complex challenges regarding data security.
Recently, the specialized outlet Diálogo Américas highlighted these issues in a detailed report, featuring insights from Léo Rosenbaum, an expert in Digital Law and CEO of Rosenbaum Advogados.
While the integration of UnionPay into the Brazilian payment ecosystem — including its connection with local systems like Pix — promises greater ease for international transactions, it also triggers a necessary debate about information security.
The core of the discussion lies in the differences between Brazilian legislation, which prioritizes user privacy, and Chinese regulations, which have different mandates regarding state access to data.
The growth of UnionPay in Brazil and legal implications
UnionPay is not just another credit card company; it is a financial behemoth that surpasses Visa and Mastercard in the number of cards issued globally. Its entry into the Brazilian market is part of a broader strategy to internationalize the Chinese currency and financial infrastructure.
However, as the use of UnionPay in Brazil becomes more common in stores and online platforms, the volume of sensitive financial data flowing through these systems increases exponentially.
For Brazilian consumers and companies, the convenience of using a global card must be weighed against the potential risks of data exposure. In the Diálogo Américas article, the focus is placed on how this expansion interacts with Brazil’s robust legal framework, specifically the General Data Protection Law (LGPD). This law was designed to ensure that the personal data of Brazilians is handled with the strictest confidentiality and security standards.
The challenge arises when this data crosses borders. When a transaction is processed by a Chinese entity, the data may become subject to the jurisdiction of China. This creates a legal gray area that requires careful analysis by cybersecurity experts to ensure that Brazilian sovereignty over its citizens’ data is not compromised.
Léo Rosenbaum, providing his legal expertise in the matter, highlights the specific legislative tools that create this concern.
“From a legal standpoint, this involves issues of sovereignty and transnational regulation. While Visa and Mastercard operate under Western jurisdictions with frameworks such as Europe’s GDPR [General Data Protection Regulation] or U.S. privacy laws, UnionPay is subject to Chinese laws, which prioritize state control over data. This implies a greater risk of government access to personal information without the same due process safeguards seen in Western systems, especially in contexts of geopolitics or international sanctions”.
Léo Rosenbaum
Understanding the privacy conflict: Brazil vs. China
The fundamental issue discussed by experts involves the “asymmetry” between the laws of the two countries. In Brazil, the Civil Rights Framework for the Internet and the General Data Protection Law establish that the user is the owner of their data. Companies are merely custodians who must prove they have adequate security measures in place to prevent leaks or unauthorized access.
In contrast, the legal environment in China operates under different principles. The article in Diálogo Américas points out that Chinese laws can compel private companies to cooperate with government intelligence gathering. This distinction is crucial for understanding the risks associated with the mass adoption of UnionPay in Brazil.
“Legally, SWIFT is a global standard with international compliance protocols. CIPS, conversely, is aligned with Chinese state standards, which means less transparency for users outside China. For the end user, the difference lies in the risk of exposure to jurisdictions with different levels of legal accountability: In the event of a dispute, resorting to a Western system may offer more options for international arbitration, while CIPS may complicate cross-border resolutions”
Léo Rosenbaum
This quote summarizes the central conflict. If a company operating in Brazil is legally obliged by its home country to share data with intelligence services, does this violate the rights of Brazilian consumers? This question is at the heart of the current debate on digital sovereignty.
The role of the National Intelligence Law
To understand the severity of the situation, one must look closely at the Chinese National Intelligence Law, enacted in 2017. This legislation is broad and has been a point of contention in international relations, affecting everything from telecommunications (like 5G) to financial services.
When we discuss UnionPay in Brazil, we are discussing a direct financial link. Financial data is among the most sensitive types of information a person can generate. It reveals spending habits, travel locations, health expenses, and political affiliations.
“The risks for users mainly include the leakage of personal and financial data, which can lead to fraud, identity theft, or improper monitoring. Legally, this violates principles of confidentiality and data integrity”.
Léo Rosenbaum
This conflict implies that, theoretically, data generated by a purchase in a São Paulo shopping mall could be accessed by foreign authorities without the judicial warrants or transparency reports that would be required if the data were requested by Brazilian authorities. This lack of “legal interoperability” creates a vulnerability in the data privacy architecture that Brazil has worked hard to build.
Cybersecurity in the age of fintech
The expansion of Chinese fintech companies in Latin America is often referred to as a “second China shock,” moving from the export of manufactured goods to the export of services and infrastructure. While this brings technological advancement and competition, which is generally good for the market, it demands a higher level of vigilance regarding cyber defense.
The infrastructure of payment systems is critical. If the integrity of the data is not guaranteed, or if the data can be mined for “commercial espionage” or geopolitical intelligence, the cost of cheap transactions becomes too high. The General Data Protection Law imposes heavy fines on companies that fail to protect data, but enforcing these fines on foreign entities that claim compliance with their own national security laws is a complex legal battleground.
It is vital for Brazilian companies partnering with these payment processors to understand their liability. Under Brazilian law, the local partner can be held responsible for damages caused to the consumer, even if the “leak” or access occurred abroad. This makes legal due diligence essential before adopting these new payment methods.
The importance of legal protections for consumers
Navigating this complex landscape requires more than just installing antivirus software; it requires a legal shield. The average consumer often clicks “accept” on terms of service without realizing the geopolitical and legal ramifications of their choice.
This is where the role of a specialized lawyer becomes essential. Digital Law specialists are the professionals equipped to interpret these international treaties and conflicts of law. They ensure that contracts, privacy policies, and data handling practices comply with Brazilian standards, regardless of the service provider’s origin.
Protecting consumer rights in the digital age involves proactive measures. It means understanding where your data goes, who has access to it, and what laws protect it. While litigation is a tool for when things go wrong, the primary goal of legal advisory in this field is prevention — ensuring that the architecture of the payment system respects the fundamental right to privacy.
Conclusion and further reading
The arrival of UnionPay in Brazil is a reality that reflects the increasingly interconnected global economy. However, as the analysis by Diálogo Américas and Léo Rosenbaum suggests, this integration must be approached with eyes wide open regarding security risks.
“To protect themselves, users should adopt practices such as regularly monitoring statements, using two-factor authentication whenever available, avoiding sharing data on unsecure networks, and, in Brazil, invoking rights provided for in the LGPD [General Data Protection Law] to question the processing of their data by the card issuer. In addition, it is advisable to opt for cards with fraud insurance and immediately report any suspicions to authorities such as the Central Bank of Brazil.”
Léo Rosenbaum
The convenience of seamless cross-border payments should not come at the expense of data privacy. As the market evolves, so too must our understanding of the laws that govern our digital lives.
For a deeper understanding of this topic and to see the full scope of the investigation, we invite you to read the original article on the Diálogo Américas website. It provides a comprehensive look at the geopolitical factors at play and further details on the security assessments discussed here.
Read the full article at Diálogo Américas here
