Recent developments from the ANPD provide insight into the path ahead.
On July 7, 2022, Brazil’s National Data Protection Authority (ANPD) published its semiannual Regulatory Agenda Monitoring Report. This report updated the public on the current status of the ANPD’s regulatory agenda. With the comment period for regulations on international data transfers officially closing June 30, 2022, the ANPD has started all “phase two” regulations. This progression indicates that 2023 may be a pivotal year for Brazil’s new data privacy law, the General Personal Data Protection Law (LGPD).
Phased Approach
When the LGPD passed in 2020, the ANPD chose a “phased” approach of implementation, meaning that the ANPD was required to pass regulations to supplement the main statute in distinct phases. In January 2021, the ANPD published Ordinance No. 11, which outlined the LGPD’s two-year regulatory process for 2021 and 2022 broken into three phases.1
| Item | Phase |
| --- | --- |
| ANPD Internal Regulations | 1 |
| ANPD Strategic Planning | 1 |
| LGPD Application to Small and Medium Sized Companies | 1 |
| ANPD Regulations for Inspection and Fines2 | 1 |
| Incident Reporting Notification Guidelines and Rules | 1 |
| Personal Data Protection Impact Report | 1 |
| Regulations on Data Protection Officers | 2 |
| Regulations on International Data Transfers | 2 |
| Legal Hypotheses for Processing Personal Data | 3 |
| Rights of Personal Data Subjects | 3 |
In order to become law, each phase item must go through several steps, including public comment, internal consultation, and deliberation by the ANPD board of directors. Until an item goes through this full process, it is advisory in nature only.
As of July 2022, all phase 1 and 2 items within the 2021-2022 regulatory agenda have started and are currently in the administrative process, with two being fully completed.3
Phase One
In late 2021 and early 2022, the ANPD published several agenda matters that apply to companies that have operations within Brazil or offer goods or services to people within Brazil, even if the company has no physical presence there.4
Specifically, the ANPD released a regulation on LGPD applicability, clarifying that the law will apply to small businesses and nonprofits, including “micro-companies,” “small companies,” “startups,” and “legal entities governed by private law.”5 While these entities do not need to appoint a data protection officer, they still must comply with most LGPD items, albeit in a simplified format.6
In addition, in October 2021, the agency approved the Regulation on Inspection and Enforcement Administrative Procedures. This resolution covers the inspection process for ANPD-covered entities and provides rules and procedures the agency must follow during the administrative process, including application of sanctions.7
The ANPD also released an operational guide for incident response (Portuguese only) to help companies properly respond to security breaches. The guide offers best practices, required documentation, circumstances when a personal data protection impact report should be prepared, and containment and recovery plans.8
Phase Two
The ANPD released an updated guidance document on Data Protection Officers (DPO) as part of its phase two guidance (Portuguese only). The new guidance aligns DPO responsibilities with the LGPD and defines the DPO’s tasks as “play[ing] an important role in fostering and disseminating the culture of data protection in the organization, such as, when receiving requests from data subjects and the national government authority and adopting measures or when guiding employees and contractors regarding the practices to be taken concerning the protection of personal data.”9
As with the guidance document for DPOs, it is anticipated that guidance documents for international transfers will be released before the regulations become final law. Moreover, with the 2021-2022 regulatory agenda coming to an end, companies should expect a more active ANPD in 2023 with respect to enforcement.
Mike Summers also contributed to this article.
FOOTNOTES
1 Although Ordinance No. 11 initially contained 10 agenda items, the Regulatory Agenda Monitoring Report has only discussed eight items in its phases 1 and 2 regulatory agenda. Rights of Personal Data Subjects and Legal Hypotheses for Processing Personal Data, which are listed under phase 3 in Ordinance No. 11, were left out of the July 2022 Regulatory Agenda Monitoring Report.
2 While initially this was one regulation, it was divided into two regulations: one for inspection and application of sanctions and the other for methodologies for calculating the amount of fines.
3 Regulation for Protection of Personal Data for small processing agents and the Regulation of the Inspection Process and the Sanctioning Administrative Process have been finalized and are official regulations.
4 Ordinance No. 11, Jan. 27, 2021.
5 Ordinance No. 2, Jan. 27, 2022.
6 Id.
7 Resolution CD/ANPD No. 1, Oct. 28, 2021.