In 2023, the Brazilian General Data Protection Law (LGPD) celebrates five years since its publication.
Since its entry into force in 2020, the LGPD has come a long way, but there are several legal issues relating to the protection of personal data that still need further refinement.
Brazilian Data Protection Authority
One of the main changes since the enactment of the LGPD has been to the legal nature of the National Data Protection Authority (ANPD), which represented an important step in the process of adapting Brazilian regulation to international data protection standards. Originally created as part of the Federal Public Administration and linked to the Presidency, the ANPD was recently transformed into an independent agency. This status has effectively given the ANPD technical and decision-making autonomy.
Regulation of Specific LGPD Topics
The ANPD is currently carrying out all of its inspection and sanctioning functions except for the application of fines, which was the subject of discussion in public consultation (as mentioned below). The ANPD has already issued the following resolutions:
- a 2021 resolution establishing the rules and procedures for the inspection process and the administrative sanctions process; and
- a 2022 resolution which approves the regulations for micro and small businesses and for startups and innovation companies.
To provide guidance to data processors on the subject of personal data protection, the ANPD (alongside several other entities and authorities) has also published and updated several guidelines and technical documents on its official website, covering a variety of specific data protection topics.
Nevertheless, there are still several LGPD provisions pending clarification and/or regulation by the ANPD. In this regard, in August of 2022 the ANPD opened four public consultations on the following matters.
ANPD's Regulatory Agenda for the biennium 2023-2024
Aiming to confer greater publicity, predictability, transparency, and efficiency to its regulatory process, as well as to improve the relationship with processing agents, the agency published a call for public comments with the main topics pending regulation to be classified by the public in order of priority and relevance.
After the contributions by the public, the ANPD approved its Regulatory Agenda for 2023-2024 at the end of 2022. Overall, the Agenda foresees 20 initiatives, classified into phases by order of priority.
Resolution on the Application of Administrative Penalties
The draft Resolution on the Application of Administrative Penalties sets out a methodology for the application of the sanctions provided for in the LGPD, seeking to ensure that its decisions are effective, transparent, objective and consistent. Finalising this regulation is the main pending issue before the ANPD begins to apply fines. Among the most relevant points of the draft proposed by the agency are:
- the classification of penalties (e.g. warnings and fines, the publicising of the infraction, suspension of personal data processing activities);
- the establishment of criteria and parameters for the definition of sanctions (e.g. the gravity and nature of the act, degree of damage and the cooperation and good faith of the offender);
- the classification of infractions as light, medium or serious; and
- the application and calculation of the fine sanctions established by the LGPD.
Resolution on High-Risk Personal Data Processing
This consultation stems from the provisions of a 2022 regulation that provides the criteria for defining when the processing performed is of high risk to the data subjects. Although the regulation relaxes some of the obligations provided for in the LGPD, small-sized data processing agents who carry out high-risk processing will not be able to benefit from this differentiated legal regime. In light of this, the ANPD is preparing a guideline to assist small data processors in the evaluation of their personal data processing.
Regulation on the Processing of Children and Adolescents' Personal Data
Given the importance and controversial nature of this topic, the LGPD has reserved a specific section for the personal data processing of children and adolescents, establishing that such processing must be carried out in the best interests of these data subjects. To this end, the ANPD has prepared a preliminary study on the legal rules applicable to the personal data processing of children and adolescents. In this study, the agency addressed in particular the mandatory collection of consent from legal guardians for the processing of children's personal data, as well as its implications.
What to Expect in the Future?
Recent surveys indicate that most Brazilian companies are not compliant with the LGPD. At the same time, incidents involving personal data continue to grow in the country, placing Brazil among the countries with the highest total number of data incidents. Although the ANPD has shown that it is aware of the need to invest time and effort in raising awareness about personal data protection before taking a more aggressive stance, organisations must commit to LGPD compliance.
In the first half of 2023, we expect:
- a study of compliance with the LGPD by the General Inspection Coordination;
- an increase in requests by data subjects directed to companies and the ANPD to exercise their rights;
- an ongoing increase in the number of cyber-attacks and security incidents, such as data leaks, due to the progressive growth in the volume of personal data circulating in digital environments and platforms.
We also expect regulation by the ANPD on:
- the application of administrative penalties;
- rights of the data subjects;
- deadlines for Information Security Incident reporting and notification;
- mechanisms for international transfer of personal data, including defining the content of Brazilian standard contractual clauses, among others;
- Data Protection Impact Assessment (DPIA) for cases where the processing poses a high risk; and
- the definition and duties of the Data Protection Officer, including cases of exemption from the requirement to appoint one based on the nature and size of the entity or the volume of data processing operations.
Although enormous challenges lie ahead for the full implementation and proper enforcement of the LGPD, the advances in these last four years have brought the certainty that data privacy and the protection of personal data are rights that are here to stay.
In light of these advances, it is expected that the gaps in the LGPD will soon be filled, bringing greater legal certainty to organisations and more effective protection for personal data subjects in a global scenario of increasingly data-driven economies.