Brazil: The first year of operation of the ANPD
The Brazilian data protection authority ('ANPD') was established by Article 55-A of Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD'). This brought Brazil in line with other countries around the world that have specific data protection legislation, as well as a supervisory authority dedicated exclusively to subjects such as data protection, privacy, cybersecurity, and related matters.
This article addresses the first operational year of the ANPD in 2021, and analyses some of its main achievements.
Prior to the creation of the ANPD, there was some debate around its creation, performance, perspectives, budget, and responsibilities. Despite these debates, the ANPD has, in its first year, maintained a broad dialogue with society through public consultations, signed numerous technical cooperation agreements, and released various guidance documents, resolutions, and guides to fill gaps in the LGPD and to further the protection of privacy. In particular, on 6 November 2021, the ANPD released a summary of the main activities it had performed since its creation, in which it stated that it had complied with the entirety of its Regulatory Agenda proposed for the year 2021. This included activities such as:
- 17 ordinances published;
- four technical cooperation agreements signed;
- 100% of the first phase of the Regulatory Agenda for 2021 being completed;
- 15 deliberative circuits completed;
- six educational materials including guides, booklets, issues, and articles released;
- 313 external events held;
- seven consultations carried out with society; and
- 3,100 demands, including doubts and queries, received via the ANPD's communication channels.
As the first steps towards the ANPD's activities in 2021, it issued, on 28 January 2021, Ordinance No. 11 for its Biannual Regulatory Agenda (2021-2022), highlighting the main priorities, targeted over three phases:
Phase 1, by the end of the first half of 2021:
- publish the ANPD internal regulations;
- publish the 2021-2023 strategic plan;
- develop a differentiated regulation for small businesses;
- amend and publish regulations and procedures on personal data protection and privacy; and
- amend and publish regulations on personal data protection impact reports in cases where the processing presents an elevated risk to the guarantee of the general principles of personal data protection.
Phase 2, by the end of the first half of 2022:
- launch a resolution on the question of the term required for reporting a security incident;
- create a resolution on the nature and size of an entity or the volume of data processing operations; and
- create guidelines on the international transfers of personal data.
Phase 3, by the end of the second half of 2022:
- launch a resolution on the rights of data subjects; and
- launch guides on best practices including the legal hypotheses for the legal bases for the processing of personal data.
Soon after this, the ANPD published, on 1 February 2021, its Strategic Plan for 2021-2023, and this was closely followed by other activities including:
- the publication of guidance on security incident reporting procedures;
- the appointment of the first ANPD data protection officer ('DPO');
- the publication of guidance on controllers, processors, and DPOs;
- guidance on LGPD enforcement following the initiation of fines from 1 August 2021;
- guidance on small processing agents;
- the publication of a regulation on the inspection and enforcement of administrative procedures; and
- guidance on data subjects' right to petition against controllers.
These are just a portion of the ANPD's developments in its first year of operation, and this article aims to address each one, briefly providing an overview of each of these key activities.
The Security Incidents Guidance
On 24 February 2021, the ANPD published guidance on the procedure for reporting security incidents ('the Security Incidents Guidance'), detailing obligations relating to data breaches and other types of incidents under the LGPD, while also providing data controllers and processors with a form to be completed in the event of an incident.
More specifically, the Security Incidents Guidance outlines the threshold for security incidents and what constitutes a security incident, as well as what companies should do when they detect one. For instance, it clarifies that data processors are required to communicate with data controllers in the event of a security incident; however, the obligation to notify the ANPD rests with the controller, although if the processor makes this communication, the ANPD will nonetheless respond. In this respect, the Security Incidents Guidance specifies the information that must be provided to the ANPD, within a deadline of two business days, as well as the circumstances under which data subjects must be notified.
Appointment of the first DPO
Moreover, on 9 April 2021, the ANPD appointed its first DPO and created the ANPD's Working Group, with the functions of:
- preparing and submitting the Privacy Governance Program to the ANPD;
- coordinating compliance with the LGPD and ANPD policies regarding the protection of personal data; and
- providing guidance, when requested, with respect to Data Protection Impact Assessment reports relating to the ANPD's personal data processing activities.
The Controller, Processor, and DPO Guidance
On 28 May 2021, the ANPD continued its trend of publishing explanatory and supportive guidance with the publication of, and call for public feedback on, anticipated guidance to support controllers, processors, and DPOs ('the Controller, Processor, and DPO Guidance'). More specifically, the Controller, Processor, and DPO Guidance aims to resolve some of the main questions for these key roles by outlining non-binding guidelines for data processing agents, information on who may exercise the role of data controller, operator, and/or DPO, as well as their respective liability regimes, legal definitions, concrete cases that exemplify the ANPD's explanations, and frequently asked questions on the same.
In publishing the Controller, Processor, and DPO Guidance and seeking public input, the ANPD highlighted the evolving nature of the guidelines themselves, which are likely to change and adapt as new regulations and understandings are published and established by the ANPD.
The Enforcement FAQs
Then, with the entry into effect of fines under the LGPD on 1 August 2021, the ANPD released, on 30 July 2021, frequently asked questions to support the commencement of the application of sanctions ('the Enforcement FAQs'). In particular, the Enforcement FAQs present a broad scope of answers, addressing topics such as:
- the types of sanctions, fines, or penalties that can be applied by the ANPD;
- the public bodies which can apply penalties;
- how the ANPD has been structuring itself to apply penalties;
- how public bodies will be penalised;
- that the ANPD cannot apply sanctions for incidents that occurred before 1 August 2021, but that sanctions will apply to continuing offences that began before 1 August 2021; and
- how fines will be calculated.
The Small Processing Agents Guide
A little later in the year, on 4 October 2021, the ANPD published a guide relating to small processing agents ('the Small Processing Agents Guide'). The purpose of the Small Processing Agents Guide is to assist small processing agents in implementing information security measures for the protection of the personal data they process, while also providing administrative and technical information security measures and a checklist to facilitate the understanding and implementation of the suggestions, such as on:
- information security policies;
- awareness and training;
- contract management;
- access controls;
- security of stored personal data;
- communications security;
- vulnerability management;
- mobile devices; and
- cloud services.
Regulation CD/ANPD No. 1
Later that month, on 29 October 2021, the ANPD approved Regulation CD/ANPD No. 1, on the Inspection Process and the Sanctioning Administrative Process ('Regulation CD/ANPD No. 1'). Regulation CD/ANPD No. 1 took effect on the date of its approval, with an initial monitoring cycle to be completed from January 2022 onwards.
In this respect, Regulation CD/ANPD No. 1 aims to establish procedures for the inspection process and the rules to be observed within the scope of the ANPD's administrative and sanctioning process. It addresses various topics in relation to monitoring and inspections, and is intended to support the ANPD's ability to:
- plan and support inspection activities with relevant information;
- analyse the compliance of processing agents with regard to the protection of personal data;
- consider the regulatory risk based on the behaviour of processing agents, in order to allocate resources and adopt actions compatible with the risk;
- prevent irregular practices;
- foster a culture of protection of personal data; and
- act to correct irregular practices and to repair or minimise any damage.
The DSR FAQs
Finally, the ANPD concluded 2021 and its first year of operation with another impactful resource in the form of FAQs on data subjects' right to petition controllers for their data subject rights under the LGPD ('the DSR FAQs'), which it released on 14 December 2021.
In addition to outlining procedures that should be observed by controllers, the DSR FAQs provide a more detailed and clear understanding of the flow of complaints that can be made by the data subject, the possible controller responses, and the types of sanctions that can be applied by the ANPD. In this respect, the DSR FAQs also outline a sequence of events that could serve as guidance on the process in such circumstances, as detailed below:
- the data subject or legal representative submits an express request to the data controller to exercise their rights;
- the data controller does not respond, or based on its response, the data subject understands that the data processing is not in accordance with the LGPD;
- the data subject can submit a petition against the data controller to the ANPD using a dedicated petition system;
- the ANPD analyses the petition; and
- the ANPD decides what action to take against the data controller, which could include:
  - inspection actions;
  - regulatory improvements; or
  - educational actions.
As the examples above show, alongside several other equally valuable actions, it has been a busy first year of operation for Brazil's data protection authority. 2022 will now bring additional possibilities for continued action by the ANPD as it further clarifies various aspects of the LGPD and as businesses work towards compliance.