The Brazilian Data Protection Authority (ANPD) has issued important guidance covering a variety of privacy aspects including security measures, determining controller and processor capacities, and how the ANPD administrative process will be applied to investigating companies and imposing penalties. We have gathered those we consider the most relevant.

Ordinance No. 11 of 2021

Publicizes the Brazilian National Data Protection Authority's (ANPD) regulatory agenda for the biennium 2021-2022.

A first glimpse into ANPD's activities plan. The agenda includes a number of issues as well as the ways through which the ANPD aims to discuss and disseminate them (resolution, guide or ordinance). Some publications are still scheduled for 2022, including resolutions on data subjects' rights, on the personal data protection officer (DPO) and international data transfers, as well as a best practices guide relating to the legal processing of personal data in the Brazilian General Personal Data Protection Law (LGPD).

Ordinance No. 1 of 2021

Establishes the ANPD's internal regulations

A thorough document for those who want to understand the authority's procedures and limitations, which are all internal regulations. The ANPD has a complex organizational structure that includes various boards with different areas of activity and competences. The internal regulation released by Ordinance No. 1/2021 covers the ANPD's whole organizational structure. The ANPD is described in Article 1 of the internal regulations as "a body of the Presidency of the Republic." The ANPD is now a special autarchy, with increased autonomy and procedural ability, thanks to Provisional Measure No. 1.124/2022. It is worth mentioning that the provisional measure has not yet been transformed into legislation and is presently being debated in Congress.

The National Consumer Defense Council's Data Protection Center's guidance, developed in collaboration with ANPD and SENACON

Simplifies the LGPD's most important aspects for consumer awareness. Also includes guidelines for public and private organizations' activities with regard to personal data processing in order to avoid violating consumer rights. An essential guide that symbolizes the ANPD's collaborative activity with consumer protection organizations, taking into account the Technical Cooperation Agreement between the ANPD and SENACON.

Information Security Guide for Small Processing Agents

Version 1.0

Directs small processing agents to preserve the bare minimum of information security, taking into account the processing agent's economic capabilities while applying legal requirements. Used as a general guide that establishes the minimum requirements for information security measures in Brazil, which must be surpassed by "medium" and "large" processing agents—which will not be defined by the ANPD.

Resolution CD/ANPD No. 1 of 2021

Approves the Regulation of the Supervision Process and the Administrative Sanctioning Process in the scope of the ANPD.

The ANPD has three different natures of action, according to Article 15 of Resolution No. 1 of 2021: monitoring, enforcement and prevention. The main function of this resolution is to clarify how these actions will be conducted, what procedures the ANPD is to follow, and what we can expect to be the authority's next steps, especially regarding the sanctions. This resolution was the missing piece for the application of administrative sanctions by the ANPD to begin. Therefore, after the publication of the resolution as of August 1, 2021, it became possible to apply the sanctions listed in Article 52 of LGPD.

Guide: Personal Data Processing by Public Authorities

Intends to specify criteria that can offer legal certainty to operations that assist public organizations and bodies in the adaptation and implementation of activities arising from the LGPD, particularly related to the execution of policies and the provision of public services. An interesting guide for private parties because it specifies legal bases, such as consent and legitimate interest, and presents the ANPD's perspective on their application.

Resolution CD/ANPD No. 2 of 2022

The Regulation on the Application of the LGPD for Small Treatment Agents is approved. Once more, the ANPD tailors the LGPD criteria to the economic capabilities of each processing agent. Under current legislation, the resolution defines small-size treatment agents (Article 2, I) as: micro companies, small-size companies, startups and legal entities of private law, including non-profit enterprises. The principal impact of Resolution CD/ANPD No. 2 for other processing agencies is the definition of high-risk processing in Article 4. As a result of this resolution, we know what the ANPD considers high-risk processing, and we can more quickly determine when a Data Protection Impact Assessment (DPIA) is required.

Guide: Personal Data Processing Agents and Data Protection Officer Definitions

Version 2.0

This handbook contains a high level of practical application to which all processing agents (controllers, processors and joint controllers) are susceptible and provides great support in assessing each processing capacity. It outlines the obligations and procedures of the agents more thoroughly than the LGPD and specifies who can fulfill each function. Furthermore, it introduces the capacity of joint controllers, which is not directly addressed in the LGPD.

Guide: Application of the LGPD in the electoral context by data processing agents

Given that 2022 is an election year in Brazil, the ANPD has decided to produce a guide related to such circumstances and how the LGPD shall apply. It contains highly important information and security suggestions, mentioning the Information Security Guide for Small Processing Agents and reinforcing the assumption that it brings the criteria recognized as ANPD minimums. In addition, this guide covers the collection of cookies and how the legitimate interest may serve as a lawful basis for such processing activity.

Regulation of Dosimetry and Application of Administrative Penalties

The ANPD has submitted for public consultation the draft resolution that approves the Regulation of Dosimetry and the Application of Administrative Penalties. The authority's aim is to promote the effectiveness of administrative sanctions foreseen in the LGPD by establishing a methodology to apply the sanctions, with clear parameters and criteria. The methodology adopted by the ANPD for the application of sanctions is crucial to understand the infractions which the agency considers most serious as well as the most important compliance measures for businesses.

Guide: Preliminary Study of Processing Children's and Adolescents' Personal Data

The ANPD has submitted a preliminary study for public consultation regarding the legal bases applicable for the processing of children's and adolescents' personal data, as the lack of clarity of Article 14, Section 1, of the LGPD allowed for different interpretations on whether consent would be the only lawful basis for processing the personal data of minors. Based on the findings of the preliminary study, the ANPD asserts that the processing of children's and adolescents' personal data can be performed due to the legal bases provided for in articles 7 and 11 of the LGPD, observing the applicable legal requirements and the best interest principle.

Guide: Cookies

The Brazilian Data Protection Authority (ANPD) issued non-binding guidance on cookies with several recommendations for controllers regarding this issue. Controllers are advised to implement a Cookies Notice and first- and second-level Cookies Banners. Special attention should be given to assessing the lawfulness of processing personal data obtained from cookies. The ANPD also stressed accountability requirements related to cookies, such as managing and documenting consent, as well as carrying out a legitimate interest assessment as needed.


© Copyright 2020. Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. All rights reserved.
