The Brazilian General Data Protection Law (Law No. 13,709/2018 or the LGPD) is the key legislation that regulates the processing of personal data in Brazil. It guarantees a series of rights to data subjects, as well as imposing important obligations on processing agents.
A lot has happened since the LGPD was signed into law on 14 August 2018, not only in terms of discussions regarding the LGPD’s effective date and the creation of the Brazilian National Data Protection Authority (the ANPD), but also the COVID-19 pandemic. This has greatly impacted the ability of processing agents, both private and public, to adopt all the legal, technical, and administrative measures required to ensure compliance with the LGPD.
The LGPD entered into force on 18 September 2020, and enforcement provisions became effective on 1 August 2021, under Law No. 14,010/2020. So, how effective has the LGPD been during its first year and what should we expect in the coming months?
Entry into force
The original text of the LGPD provided that companies would have 24 months to become compliant with the law. However, following the pandemic, the Brazilian Chamber of Deputies decided to delay empowering the ANPD to impose administrative sanctions until 1 August 2021. The President also amended Provisional Measure No. 959/2020, postponing the effectiveness of the other articles of the LGPD to 3 May 2021, following their complex entry into force on 18 September 2020.
Establishment of the ANPD
The creation of the ANPD was finally enshrined in Law No. 13,853/2019 in July 2019. This is important because that law alters key provisions of the LGPD – in particular, the right of the data subject to request the review of decisions made solely by automated means (as per article 20 of the LGPD). It also resulted in the ANPD being left without any independent budget, as an entity forming part of the Federal Public Administration.
Law No. 13,853/2019 did, however, determine that the legal nature of the ANPD is transitional and may be transformed by the Executive Branch into an indirect Federal Public Administration entity within two years from the date of entry into force of the ANPD’s regulatory framework. The possibility of changing the status of the ANPD is beneficial to companies that transfer data to the European Union. It potentially makes an EU adequacy decision in favour of Brazil more likely given that one of the requirements is for the importing country to have an independent regulator.
In October 2019, the first members of the National Council for Personal Data and Privacy Protection were nominated. On 28 January 2021, Ordinance 11/2021 was published, establishing the ANPD’s regulatory agenda for 2021/2022 and listing the 10 priority topics to be regulated within the period.
Regulation of specific LGPD topics
The ANPD has already published various guidelines and technical documents on its official website. These cover a range of issues including data protection and data breaches and guidance on the definition of the roles of the processing agents and of data protection officers. It has also published:
- its bylaws
- the 2021/2023 Strategic Planning, containing the objectives and intended activities of the ANPD
- a public consultation on the resolution that aims to regulate the applicability of the LGPD to small and medium-sized companies, start-ups and individuals who process personal data for economic purposes, since the LGPD itself provides for differentiated regulation for micro and small businesses (as per article 55-J of the LGPD)
- instructions on reporting security incidents, including the specific notification timeframe to be observed.
Beyond that, even though it's not included under the scope of the regulatory agenda, the ANPD has also launched a public consultation on the Oversight Regulation, which provides for the enforcement and application of administrative sanctions by the ANPD.
Before the end of the year, the ANPD also intends to set out the rules concerning how and when administrative sanctions will be imposed and calculated, and look at data protection impact assessments and risk mitigation measures where a DPIA reveals a risk to the rights of individuals.
In 2022, the ANPD will:
- establish rules on the definition and attributions of the data protection officer ("encarregado")
- regulate the provisions of the LGPD on international transfers of personal data and data transfer mechanisms
- regulate data subject rights, including timeframes for petitions, review of decisions made solely based on automated processing and processing of personal data by legal entities of public law
- issue good practice guidelines to assist processing agents and data subjects in applying the LGPD.
Technical cooperation agreements
In March 2021, the ANPD and the National Consumer Secretariat (Senacon) signed a technical cooperation agreement (TCA), with the objective of streamlining investigations into security incidents.
Under the TCA, Senacon will start sharing information about consumer complaints relating to data protection with the ANPD, but it will be up to the ANPD to set the necessary interpretations regarding the application of the LGPD on a case-by-case basis and provide Senacon with access to data and information necessary to contribute to the improvement of Senacon's activities.
The execution of the TCA is a very important step in improving the culture of privacy and data protection in Brazil, presenting a fundamental tool for the effective action of the ANPD to monitor compliance with the LGPD. The TCA is already in force and will last 24 months, a period that can be extended by the ANPD and Senacon.
The TCA does exempt processing agents from complying with the provisions of the Brazilian Consumer Defence Code (CDC) and all other rules of the National Consumer Protection System, in addition to the LGPD and other applicable data protection laws.
Another TCA was signed on 2 June 2021, with the Administrative Council for Economic Defence (CADE), aimed at fighting activities harmful to the economic order and promoting and disseminating the culture of free competition in services involving the protection of personal data. To that end, CADE and the ANPD will share information, and will participate in joint educational activities on procedures and practices to promote competition in personal data protection services.
It is also noteworthy that the ANPD signed a Memorandum of Understanding with the Spanish Data Protection Agency on 5 October 2021. This establishes the basis for institutional collaboration between the two authorities to exchange knowledge and share best practice.
What to expect next?
Recent research carried out in Brazil by consulting and risk management companies suggests most Brazilian private entities are not ready for the LGPD. Because of this, the ANPD seems aware of the need to invest time and effort in raising awareness rather than rigidly enforcing the law.
This does not mean that businesses do not have to engage with the LGPD. As mentioned, the LGPD is already in force and is widely applicable. Beyond that, other authorities in Brazil, such as the Public Attorney's Office and the Consumer Protection Office, have been applying the LGPD, following the landmark decision of the Federal Supreme Court which recognised data protection as a fundamental right of individuals.
Data protection and information security have never been more important than they are today. There has been a substantial increase in the number of cyberattacks, security incidents and data breaches, due to the greater volume of online information and digitalised documents, and increased exposure of online personal data during the pandemic. Ensuring compliance with data protection legislation is therefore one of the most important market assets a company can have.