The Brazilian General Data Protection Law (LGPD) has been in effect for almost six months. Since then, steps have been taken to form the National Data Protection Authority (ANPD), the body responsible for enforcing the law; guidance on best practices for data security has been published; and private enforcement of the LGPD is underway. This quick tip sheds some light on how Brazil’s landmark privacy legislation has progressed despite the continuing COVID-19 pandemic.
In September 2020, President Bolsonaro appointed the five directors of the Board of the National Data Protection Authority, the highest governing body within the ANPD. Nominations have to be approved by the Senate (in public hearings), which means there are further steps before the ANPD is fully established and operational. As founding directors, their terms will vary from two to six years as provided in the appointment, whereas subsequent directors will serve four-year terms. If approved by the Senate, the composition of the appointments – three military officers with the longest terms (including the Director-President), one public servant, and a lawyer – suggests that we should expect an ANPD more oriented toward national security and cybersecurity.
According to the structure defined in August 2020, the ANPD will be responsible for inspecting and applying sanctions for processing violations, conducting processing audits, and requesting information from controllers to evaluate processing operations. The Board is responsible for authorizing international data transfers (including determining adequacy of third countries), providing standards and techniques for anonymization, and determining the deadline to report a data breach. The Presidency will have two years to review the ANPD structure, during which time it may convert the ANPD into an independent public authority.
Since then, the ANPD has issued guidance covering (i) appointing a DPO, (ii) legal bases, (iii) policies and notices, (iv) data subject rights, and (v) the ANPD’s enforcement actions. The guidance mostly reaffirmed the LGPD’s core provisions and clarified that the law came into effect in September 2020 and that sanctions from the ANPD can only be imposed after August 2021. The Brazilian Federal Government also launched the ANPD website (https://www.gov.br/anpd/pt-br), which includes information on access to personal data, the structure of the ANPD, contact details, relevant legislation, and a specific channel for receiving requests from data subjects.
Additionally, the Digital Government Office of the Ministry of Economy published a Guide on Security and Privacy Risk Assessments under the LGPD. The Digital Government Office is in charge of the Information Technology Resources Administration System of the Federal Executive Branch and is responsible for defining policies and guidelines and for directing the management of information technology resources. Although the Digital Government Office is not connected to the ANPD, it is possible that this Guide will be taken into account in, and have an impact on, future analyses by the ANPD.
According to the Guide, risk assessments must: (i) analyze the existing systems that process personal data; (ii) consider the various security and privacy risks (e.g., improper access to a physical or logical environment, excessive collection, non-compliance with data subject rights); (iii) calculate the level of each risk from the probability that an event will occur and the impact if it does; and (iv) weight the applicable controls according to their applicability, to help determine the residual impact of a risk.
Performing these risk assessments will be important to demonstrate compliance and to mitigate possible sanctions under Articles 48 and 52, paragraph 1, of the LGPD. Specifically, Article 52, paragraph 1, states that “[t]he penalties shall be imposed (…) considering the following parameters and criteria: (…) VI – repeated and demonstrated adoption of internal mechanisms and procedures that are capable of minimizing the damage, intended for secure and appropriate data processing.” While additional guidance from the ANPD is likely on unsettled issues such as legitimate interest analyses and lawful bases for processing, companies should use the existing guidance to prepare themselves as much as possible for the start of ANPD enforcement in August 2021.