1. Introduction

Since the Brazilian General Data Protection Act (“LGPD”) entered into force in September 2020, the Brazilian privacy and data protection legislation has gone through several developments.

Among the main progressions and developments, we highlight the following:

  • The recognition of data protection as a fundamental right provided for by the Brazilian Federal Constitution
  • A structural change in the Brazilian Data Protection Authority (“ANPD”), which has turned from a body subordinated to the Presidency of the Republic into an independent government agency of a special nature
  • The proposal of a regulatory plan for 2021-2022 and 2023-2024 by the ANPD, the conduction of public hearings and the publication of regulations concerning the following topics:
    • Structure of the ANPD
    • Regulation on the procedures for monitoring, application of administrative sanctions, and calculation of sanctions
    • Flexible requirements for small and medium-sized organizations, startups, and individuals
    • Data subjects’ rights
    • Incident communication deadline
    • Data protection impact assessment
    • Data Protection Officer
    • International data transfer
    • Legal hypotheses for processing personal data
    • Legal hypotheses for processing children’s and adolescents’ data
    • Guidelines and forms issued by the ANPD
    • Creation of ANPD’s Digital Governance Committee
    • Dosimetry and application of administrative sanctions by the ANPD
  • Enactment of the ordinance that regulates the dosimetry and application of administrative sanctions by the ANPD in February 2023
  • Publication of a list of ongoing administrative sanctioning processes in March 2023
  • First sanction issued by the ANPD in July 2023

This material summarizes the main changes observed in the last few years, as well as the expectations for the current and following years.

2. Data protection as a fundamental right

On February 10, 2022, amendment No. 115/2022 to Brazil’s Federal Constitution came into force, including data protection among the fundamental rights set out in the Constitution.

Among the benefits of such a change, the Federal Senate and the House of Representatives will have exclusive jurisdiction to further legislate on privacy and data protection matters in Brazil.

Maintaining jurisdiction at the federal level will benefit the data protection ecosystem with greater uniformity. Individuals will also benefit from the status of data protection as a fundamental right under the Federal Constitution.

3. Brazilian Data Protection Authority (“ANPD”)

3.1.  ANPD’s operation

In its first years, the ANPD focused on creating a responsive regulation system, establishing cooperation agreements with other government entities, and educational actions. In contrast, the Public Prosecutor’s Office, regulatory agencies, consumer protection agencies, and courts have been actively enforcing both the LGPD and sectorial data protection laws at the administrative and judicial levels.

 

The ANPD has partnered with the National Consumer Secretariat (“Senacon”), the Antitrust Authority (“CADE”), the Internet Steering Committee (via “NIC.br”), the Superior Electoral Court (“TSE”), and other national and international entities for cooperation purposes.

 

The inspection activities began in October 2021, when the ANPD regulated the procedures for the supervision and application of administrative sanctions through Ordinance CD/ANPD No. 1. In February 2023, the Authority published Ordinance CD/ANPD No. 4, which approved the Regulation of Dosimetry and Application of Administrative Sanctions.

 

After publishing Ordinance CD/ANPD No. 4, the ANPD released the list of ongoing sanctioning administrative processes conducted by the General Coordination of Inspection (CGF) in early 2023, and applied its first sanction in July 2023. In that case, a warning and two simple fines, each in the amount of BRL 7,200, for a total of BRL 14,400, were imposed on the call center and telemarketing company Telekall Infoservice (Process No. 261.000489/2022-62) for violating articles 7 and 41 of the LGPD and Article 5 of the ANPD Inspection Regulation. Telekall Infoservice may still appeal the decision.

 

  • ANPD’s Independence

The ANPD was initially created under the administrative structure of the Presidency of the Republic. Although technically independent since its creation, its full independence was only achieved with the publication of Provisional Measure No. 1,124 on June 13, 2022, converted into Law No. 14,460, on October 25, 2022, which modified the structure of the ANPD to make it an independent government agency of a special nature.

With this change, the Authority maintained its technical and decision-making autonomy to direct public administration and decentralized administrative and financial management.

The new legislation also provides for structural changes to enable the functioning of the Authority in its new formats, such as rules for requisitioning personnel and transferring assets and personnel from other public administration bodies or entities.

 

  • ANPD’s Regulatory Actions for 2021-2024

Last updated: February 2023

In early 2021, the ANPD issued its strategic plan and proposed an initial regulatory agenda for 2021-2022 to map and determine the Authority’s priority regulatory actions. The LGPD still has many items to be further regulated, some of which were included in this regulatory agenda.

The ANPD applied a responsive regulation regime whereby any regulation should come after (a) an open public contribution or public hearing, in which the entities can present important aspects to be regulated, and (b) an open public consultation, in which entities can criticize the regulation draft proposed by the ANPD. Such an approach resulted in many public contributions and hearings conducted during 2021-2022, but only a few regulations were issued.

At the end of 2022, a new regulatory agenda for 2023-2024 was published, describing the main topics that will be addressed by the ANPD in this biennium.

 

In early 2023, the ANPD established the ANPD’s Digital Governance Committee, which will be responsible for deliberating on how the technical actions aimed at services to be provided digitally by the government will be structured.

 

Below you will find the most important topics and discussions conducted by the ANPD between 2021 and July 2023, as well as the discussions that are expected to take place until 2024:

 

See table on pages 4 to 7

 

 

  • ANPD’s Regulations

During 2021-2022, the ANPD published Ordinances No. 1 and No. 2 related to the interpretation of the LGPD. At the beginning of 2023, the ANPD published Ordinance No. 3, which deliberated on the creation of ANPD’s Digital Governance Committee; Ordinance No. 4, which regulates the dosimetry and the application of administrative sanctions by the ANPD and reinforces its supervisory activity; and Ordinances No. 5 and No. 6, which approved the agenda for the Assessment of Regulatory Resolution and instituted the program on Management and Performance of the ANPD. Also in 2023, the ANPD issued Statement CD/ANPD No. 1, regarding the processing of personal data of children and adolescents based on the LGPD.

We briefly detail below the content of such ordinances:

  • CD/ANPD Ordinance No. 1: Issued on October 28, 2021, CD/ANPD Ordinance No. 1 regulates the procedures for monitoring and application of administrative sanctions by the ANPD, including monitoring activities (Article 18), orientation activities (Article 27), preventive measures (Article 30), and repressive activities (Article 37). Among these topics, the possibility of processing agents presenting a settlement proposal after the establishment of the sanctioning process stands out. Ordinance No. 1 informs the criteria for the application of sanctions.
  • CD/ANPD Ordinance No. 2: Issued on January 27, 2022, CD/ANPD Ordinance No. 2 facilitates compliance with the LGPD, reducing the number of obligations applied to small-sized businesses, startups (as defined in the Complementary Law No. 182/2021 – “Startup Act”), profit-making or non-profit legal entities, as well as depersonalized private entities and individuals (“Small-Sized Processing Agents”). The ordinance does not apply to Small-Sized Processing Agents that carry out high-risk processing activities. A processing activity is considered high risk when it meets at least one general (e.g., large scale) and one specific (e.g., use of new technologies, surveillance, etc.) criterion, as defined in the regulation.
  • CD/ANPD Ordinance No. 3: Issued on January 25, 2023, CD/ANPD Ordinance No. 3 instituted the Digital Governance Committee of the ANPD as a permanent body. The committee will meet quarterly to deliberate on matters related to the implementation of digital government actions and use of information and communication technology resources only within the scope of the ANPD. It should be mentioned that the resolution has internal administrative effects and does not create or establish obligations for the personal data subjects, companies, or other public bodies.
  • CD/ANPD Ordinance No. 4: Issued on February 27, 2023, CD/ANPD Ordinance No. 4 regulates the dosimetry and the application of administrative sanctions by the ANPD and reinforces its supervisory activity. This regulation is a requirement provided for in article 53 of the LGPD and its main objective is to establish criteria, parameters, and methods for the application of sanctions by the ANPD in case of non-compliance with the LGPD rules, as well as parameters that allow the calculation of the amount of the fines.
  • CD/ANPD Ordinance No. 5: Issued on March 14, 2023, CD/ANPD Ordinance No. 5 approves the Regulatory Outcome Assessment Agenda (“ARR”) from 2023 to 2026. The ARR aims to provide greater predictability and transparency to the ANPD’s regulatory activity. The approved agenda indicates that by December 2026 the ANPD will assess the effectiveness of the ordinances related to the procedures for monitoring and application of administrative sanctions by the ANPD (CD/ANPD Ordinance No. 1) and the dosimetry and application of administrative sanctions (CD/ANPD Ordinance No. 4).
  • CD/ANPD Ordinance No. 6: Issued on April 5, 2023, CD/ANPD Ordinance No. 6 establishes the Management and Compensation Program under the ANPD and determines management guidelines to promote the expected performance of the regulatory agency.
  • CD/ANPD Statement No. 1: This statement was issued on May 24, 2023 and sets forth important guidelines on the processing of data from children and adolescents, allowing the personal data of this group to be processed on the legal bases established under articles 7 and 11 of the LGPD, provided that the best interest of the child or adolescent is observed, in accordance with the terms of article 14 of the LGPD.
  • CD/ANPD Ordinance No. 7: The Resolution was published on August 17, 2023 and approves the Authority’s Social Communication Policy. This ordinance sets out the objectives, guidelines, and rules governing the Authority’s communication with society, ensuring that the information provided on official channels serves the public and institutional interests.
  • CD/ANPD Ordinance No. 8: The Resolution was published on September 5, 2023 and establishes the Authority’s Process Governance Policy. This resolution establishes the principles, guidelines, objectives, instruments, structure, and responsibilities relating to Process Governance within the ANPD’s organizational units.
  • CD/ANPD Ordinance No. 9: Published on October 24, 2023, the Resolution establishes the privacy notice for the ANPD’s website. The purpose of this document is to explain to the data subjects how the Authority processes their data through the website.

 

  • ANPD’s Guidelines

In addition to the regulatory actions determined above, the ANPD also issued the following guidelines during 2021-2023:

  • Guidelines on the definition of controller, processor, and Data Protection Officer;
  • Guidelines on information security for small and medium-sized organizations;
  • Guidelines on data protection and security incidents, produced with the Internet Steering Committee;
  • Technical study on data processing for academic purposes and research;
  • Guidelines on the LGPD applicability for the elections;
  • Guidelines on the processing of personal data by government entities and public organizations;
  • Technical study of a regulatory sandbox for Artificial Intelligence.

The guidelines on the definition of controller, processor, and Data Protection Officer (“DPO”) stand out: they clarify how to define the controller, including joint and independent controllers, processors, sub-processors, and DPO. The definitions established by the ANPD are generally aligned with the concepts of controllers and processors under the General Data Protection Regulation (“GDPR”) in the European Union.

It must also be highlighted that in December 2022 the General Coordination of Inspection of the ANPD released a new form for reporting security incidents. The controllers of personal data must fill out the document to report any security incidents to the ANPD. The new form is available on the ANPD’s website and began to be implemented on the first day of 2023 to facilitate the recording of communications by controllers and the respective analysis by the ANPD.

 

4. The privacy context in Brazil in 2023 and the outlook for 2024

The ANPD has already proposed several actions to regulate open issues in the LGPD and establish the Authority as a fully independent government entity.

 

In the first semester of 2023, several Ordinances were published, such as CD/ANPD Nos. 4, 5, and 6 and Statement CD/ANPD No. 1. However, there are still several relevant aspects to be discussed and regulated in 2023, according to the regulatory agenda.

 

In the second semester of 2023, in addition to publishing Resolutions 7, 8, and 9, the ANPD also started a public consultation on the regulation of the international transfer of data. This is an important step by the Authority to be in balance with international regulations, but it has yet to be decided and concluded what level of data protection will be considered when there is an international transfer of personal data.

 

Heading into the final months of 2023, the ANPD has also published an analysis of the Artificial Intelligence Bill, thus trying to take a leading role in the matter. It also published a study on the application of a regulatory sandbox by the Authority itself to contribute to the regulation of technologies related to Artificial Intelligence.

 

 

Yet, although we are heading to the end of the year, based on the regulatory agenda published by the ANPD for the biennium of 2023-2024, we can expect the discussion of several important topics later this year, such as the regulation of data subjects’ rights and the guidelines for the National Policy of Privacy and the Protection of Personal Data.

 

The expectation is that in 2024 the topics that were opened for public contribution this year will be finalized and duly regulated by the Authority through Statements and Ordinances, such as the hypotheses of international data transfer. In addition, it is expected that other important issues will be brought to public contribution, such as regulating the hypotheses in which the collection of sensitive personal data – biometric data – is legitimate.

 

It is expected, based on resolutions and guidelines already issued by the ANPD in the last years, that the Authority will continue to align Brazil’s general privacy and data protection rules with international standards.

 

Finally, with the application of the first sanction by the ANPD, it is expected that the ANPD will gradually increase the number of enforcement actions and the imposition of fines in the coming years.
