The Brazilian Information Safety Company publishes a regulatory technique for 2021-2023
On January 28, 2021, International Data Protection Day, the newly formed Brazilian Data Protection Authority (Agência Nacional de Proteção de Dados, the “ANPD”) published its regulatory strategy for 2021-2023 and its work plan for 2021-2022 (in Portuguese). .
ANPD regulatory strategy
The ANPD’s regulatory strategy for the period 2021-2023 sets out the agency’s vision to become a national and international reference on data protection issues. In addition, the three main goals of the ANPD in its first years as a data protection authority are defined, which are linked to specific measures, schedules and key performance indicators (“KPIs”):
- Promote the strengthening of a data protection culture through events and workshops, the development of guidelines and recommendations, and working with public and private bodies as partners in developing best practices and investigating violations;
- Creation of an effective data protection environmentThis will be done by developing a procedure to manage individual complaints and notifications of data protection violations, as well as developing rules to regulate the Brazilian Data Protection Act (Lei Geral de Proteção de Dados Pessoais, “LGPD” open to public consultations) and elaborating the semi-annual work plan the ANPD; and
- Improvement of the ANPD’s ability to operate according to LGPD rulesThis will include the office, infrastructure, budget and staff of the ANPD as well as prepare a study on the legal transformation of the ANPD.
The ANPD applied a risk-based approach to its strategy when it recognized the need for constant monitoring of developments and a recalibration of priorities. It also concluded that its ultimate goals for publicizing the agency’s strategy are to improve transparency and allow the ANPD to be accountable to society.
ANPD work plan
The ANPD’s work plan for 2021-2022 sets immediate priorities and focus for the ANPD, which will be assessed and possibly recalibrated in late 2021:
- Work from the first half of 2021 that must be completed within one year:
- ANPD statutes
- Regulatory Strategy for 2021-2023
- Rules for Small and Medium-Sized Enterprises (“SMEs”)
- Rules for the enforcement and calculation of fines by the ANPD
- Rules for reporting data breaches to the ANPD and the data subjects
- Rules for Data Protection Impact Assessments (“DPIAs”)
- Work from the first half of 2022:
- Rules regarding the rights of the data subject
- Rules relating to the data protection officer (“DPO”)
- Rules for international data transfers
- Work from H2 2022:
- Legal basis guidelines for processing
The ANPD has also published an FAQ document (in Portuguese) with basic questions and answers about the new authority, the LGPD, basic data protection concepts (e.g. personal data, data processing and sensitive data), compliance obligations and other topics.
The ANPD has set up its official website (in Portuguese) which contains basic information on the structure, strategy and work plan of the ANPD, as well as the agenda of the Presidential Director and information on financial resources obtained through agreements and contractual arrangements and audits. In addition, the ANPD will publish a status report every six months on its progress on the work plan.
Coordination with other regulators
The Brazilian National Council for Consumer Protection (Conselho Nacional de Defesa do Consumidor, CNDC), which was established in July 2020 to facilitate cooperation and coordination on consumer issues between different public bodies in Brazil, has set up a working group dedicated to the protection of privacy and data protection. This working group will work closely with the ANPD and representatives of the ANPD will have a seat in the working group meetings. The working group is headed by Luciano Timm, former director of Senacon, and data protection lawyer and professor Laura Schertel Mendes. Mendes is also the founder and director of the Centro de Estudos de Direito, the Internet and society of the Instituto Brasiliense de Direito Público (the “CEDIS-IDP”), which is responsible for the effective implementation and regulation of the LGPD project together with Hunton Andrews Kurth’s Center coordinates for information political leadership (“CIPL”).
The five directors of the ANPD appointed by President Bolsonaro took office on November 6, 2020. The ANPD has also hired more than 19 of the 31 employees to which they are entitled under Presidential Decree 10.474 / 2020. These individuals are primarily from other public institutions (i.e., the Presidency of the Republic, Telecommunications Regulatory Agency, Consumer Regulatory Agency, Brazilian Attorney General and Attorney General). Three employees come from Telebras, the Brazilian telecommunications company that was once state-owned and where the President of the ANPD previously worked. One employee comes from the private sector and previously worked in a Brazilian think tank and as a data protection attorney.
Application procedure for the National Data Protection Council of the ANPD opened
On February 4, 2020, the ANPD opened the application process for the National Data Protection Council. This is a multi-stakeholder advisory board provided by the LGPD, which advises on the work of the ANPD and raises awareness of data protection issues.
Public consultation process
In the three months of its existence, the ANPD has already opened its first public consultation process (in Portuguese). The agency seeks to provide initial views on general data protection challenges and opportunities for SMEs, as well as specific issues such as the implementation of data protection compliance programs and risk assessments by SMEs, which provide information on future ANPD rules. Submissions must follow a template form and be sent (in Portuguese) to the ANPD’s Public Consultations Department by March 1, 2021.