The National Telecommunications Agency (ANATEL) published Resolution No. 767 of August 2024 (the "Resolution"), which amended Resolution No. 740 of 2020, also known as the Cybersecurity Regulation Applied to the Telecommunications Sector ("R-Ciber"). The amendments to the Resolution will come into force on September 2, 2024, by which time the internal policies of telecommunication service providers must have been modified.
With regard to aspects of information security and data protection, the Resolution essentially changed two points:
1. Extension of the obligation to notify ANATEL of information security incidents
R-Ciber created an obligation to notify ANATEL of relevant incidents that substantially affect the security of telecommunications networks and user data. R-Ciber's specific definition of an "incident" includes an event that allows, or may allow, a breach of the confidentiality, availability, or integrity of protected information, or an event which involves a critical information asset or critical activity for a period of time shorter than the recovery target time.
The Resolution extends this obligation, now requiring telecommunications service providers, regardless of size, to notify ANATEL of incidents that must also be notified to the Brazilian Data Protection Authority (ANPD). It should be noted that no effective prior notification to the ANPD is required – if the Brazilian General Data Protection Law (LGPD)'s incident notification trigger detailed below is met, ANATEL must be notified.
The trigger for notification to the ANPD is provided for in Article 48 of the LGPD and applies to any incident that may cause relevant risk or damage to data subjects. The ANPD considers an incident to be any confirmed, adverse event that could affect confidentiality, integrity, availability and/or authenticity of personal data.[1] In other words, the notification triggers for ANATEL are more restricted and specific than under the LGPD. Therefore, incidents that would previously only trigger notification to the ANPD will now also require notification to ANATEL.
2. Expansion of the cybersecurity requirements of suppliers to be assessed by telecommunications service providers
As part of the supplier evaluation process, Article 7 of R-Ciber already required suppliers to carry out periodic independent audits and a compliance assessment of their cybersecurity policies – ensuring alignment with the principles and guidelines of R-Ciber. This evaluation process must be documented and presented to ANATEL upon request.
The Resolution deepened this obligation with regard to data processing and storage and cloud computing service providers, mirroring regulations in place for other Brazilian entities, such as the Central Bank of Brazil.[2] Requirements, such as the controls adopted by third parties to mitigate risks, should be assessed, covering critical network functions and the processing of personal data. In short, telecommunications service providers must assess the compliance of these third parties with the LGPD and ANPD.
Footnotes
[1] Art. 3 of Resolution CD/ANPD no. 15, of April 24, 2024.
[2] CMN Resolution No. 4,893 of February 26, 2021 and BCB Resolution No. 85 of April 8, 2021.
© Copyright 2024. The Mayer Brown Practices. All rights reserved.