5 years of the Brazilian General Data Protection Law
*This is an AI-powered machine translation of the original text in Portuguese
Since its enactment, the LGPD has supported the protection of individual rights and the promotion of responsible practices in the processing of personal data. The ANPD has stood out by establishing guidelines that complement and explain the provisions of the LGPD. Some of the important developments in recent years include greater clarity regarding the rules applicable to data processing agents and the demonstrated effort to regulate and cooperate with various authorities.
Below, we present the main highlights of ANPD's activities in the last five years since the publication of the LGPD, addressing issues divided into the following: (i) oversight and enforcement of the LGPD by ANPD; (ii) interpretation of provisions and modulation of the norm's effects; (iii) planning and cooperation in ANPD's activities.
Oversight and Enforcement
The first externally oriented regulation issued by ANPD was the Regulation of the Inspection Process and Administrative Sanction Process, published on October 29, 2021, through Resolution No. 1/2021. Subsequently, ANPD published the Regulation of Dosimetry and Application of Administrative Sanctions on February 27, 2023 (Resolution No. 4/2023), ensuring greater predictability and security in the application of sanctions provided by law.
More recently, these regulatory developments culminated in the application of the first fine by ANPD for non-compliance with the LGPD. According to ANPD's inspection, the company did not have a designated data protection officer and processed personal data without the proper legal basis, resulting in the imposition of a simple fine and a warning by the General Coordination of Inspection of ANPD.
Interpretation of Provisions and Modulation of Effects
As a general law, the LGPD requires its application and effects to be adjusted in different contexts so as not to make compliance with the law virtually impossible or excessively burdensome. For this reason, ANPD has promoted the issuance of norms and studies with the aim of modulating the application of the legislation to specific contexts.
Statement on Children
On a strictly literal reading of Article 14, paragraph 1 of the LGPD, it could be concluded that the processing of personal data of children would only be authorized with the consent of one of the parents or legal guardian. Such an interpretation would compromise the fulfillment of legal obligations and the development of activities where obtaining consent for each activity would be virtually impossible, as in the case of schools. Thus, after conducting a preliminary study on the subject and submitting it to public consultation, ANPD issued Statement No. 1/2023, recognizing the application of other legal bases for the processing of personal data of children and adolescents, provided that their best interests are observed and prevail.
Small-Scale Operators
ANPD also exercised its competence under Article 55-J, XVIII, which provides for the issuance of simplified and differentiated norms, guidelines, and procedures for small-scale operators regarding their obligations under the law. On January 28, 2022, it published Resolution No. 2/2022, providing for flexibilities in light of the reality of these operators, such as simplified record-keeping of processing activities, exemption from appointing a data protection officer, simplified information security policies, and extended deadlines for responding to data subjects and reporting incidents.
Data Processing by the Public Sector
Another important context for the application of the LGPD concerns the processing of data by the Public Sector. Due to its specific contours and requirements, ANPD published the Guide to the Processing of Personal Data by the Public Sector in June 2022, aiming to assist public entities and agencies in complying with and implementing data protection rules, addressing important topics such as legal bases for the public sector, sharing of personal data by the public sector, and disclosure of personal data.
Data for Academic Purposes
On June 26, 2023, ANPD took another important step in parameterizing the application of the LGPD in scientific contexts by publishing the Orientation Guide on the processing of personal data for academic purposes and for conducting studies and research. The LGPD already establishes specific rules for the processing of personal data for exclusively academic purposes, and the publication of this guide offers recommendations and guidance to data processing agents involved in academic and knowledge production issues.
Incidents (in progress)
Finally, it is worth noting ANPD's initiative to regulate the reporting of incidents involving personal data. Regardless of how stringent an organization's information security procedures and controls are, they are always susceptible to incidents involving personal data. Regulation in this matter was extremely important so that data processing agents had guidance on the timelines involved and the obligation to report to ANPD and data subjects depending on the severity of the incident. The proposed Regulation on the Communication of Security Incidents with Personal Data was open to public consultation from May 2 to June 15, 2023, and its final version is expected to be published in the coming months.
Planning and Cooperation
Regulatory Agendas
For the proper institutional operation of ANPD, it is necessary to establish certain planning instruments. In this regard, the Regulatory Agenda stands out as the main mechanism related to external actions. The first Regulatory Agenda was published for the 2021-2022 biennium and included ten topics, with a focus on the internal regulations of ANPD, special rules for the processing of data by small-scale operators, and the establishment of regulations for the application of administrative sanctions.
For the 2023-2024 biennium, ANPD expanded its Regulatory Agenda with the inclusion of twenty topics for which the regulatory process is expected to begin by the end of 2024. The following topics are highlighted for this biennium: (i) international transfer of personal data, (ii) incident reporting and specification of notification deadlines, (iii) data protection officer, (iv) sensitive personal data - religious organizations, (v) data subject rights, (vi) artificial intelligence, and (vii) sensitive personal data - biometric data.
Governance Committee
To complement its institutional planning, ANPD established the Governance, Risks, and Controls Committee through the publication of Ordinance No. 15/2021. This committee has internal administrative effects and aims to implement digital government actions and the use of information technology and communication resources within ANPD's scope. The committee meets quarterly to deliberate, establish, and monitor the objectives, goals, plans, projects, and information technology actions of the authority.
Cooperation with CADE
It is recognized that data protection is not an isolated issue and, due to its breadth, it intersects with various other topics, requiring cooperation between ANPD and other authorities and public entities.
The growing importance of personal data in digital markets reveals the intersection between data protection and competition defense. Personal data is often used to better understand consumer behavior, personalize services and products, and direct marketing strategies. Therefore, access to personal data can provide a significant competitive advantage to a company compared to its competitors. On the other hand, improper handling of personal data can also amount to anti-competitive behavior.
With this in mind, on June 2, 2021, ANPD entered into a Technical Cooperation Agreement with the Administrative Council for Economic Defense (CADE) with the aim of facilitating coordinated action by the authorities in cases where data protection and competition defense intersect. The agreement establishes common obligations for the parties, such as sharing documents, studies, and research, promoting events and joint meetings, cooperating in concentration acts involving the processing of personal data, and cases of infringement of economic order involving personal data.
Cooperation with the Electoral Tribunal
Another point where the competencies of various authorities intersect is the processing of personal data in the electoral context. In order to assist the public, especially the agents of the electoral process, such as candidates, political parties, coalitions, and party federations, ANPD, in conjunction with the Superior Electoral Court, published an Informative Guide for the application of the LGPD by data processing agents in the electoral context at the beginning of 2022. The guide offers best practices for transparency, responsibility, and good faith to these agents and also provides practical cases clarifying the application of the LGPD in situations involving electoral legislation, as well as the competencies of ANPD and the Electoral Court in these situations. The document published is in line with the Technical Cooperation Agreement signed between ANPD and TSE on November 23, 2021, which provides for joint production of studies, research, and educational materials on procedures and practices necessary for the application of LGPD provisions in the electoral context.
In summary, for such a comprehensive law, it is necessary to recognize that despite all the development that has taken place in recent years, there are still regulatory aspects that need to be addressed soon, as acknowledged in ANPD's regulatory agenda for the 2023-2024 biennium. These include international transfer of personal data, further regulations regarding the exercise of, and response to, data subject rights, regulations regarding the data protection officer, and the processing of sensitive personal data by religious organizations, among others. In recent years, ANPD has made significant progress in its institutional activities and in regulating the LGPD since its publication, with clear efforts to guide and ensure greater legal security in the application of data protection rules, a commitment that should be continuously renewed.