Religious Organizations under LGPD

*This is an AI-powered machine translation of the original text in Portuguese

 

On August 30th of this year, the National Data Protection Authority (ANPD) initiated a public consultation for its first draft resolution aimed at regulating, in accordance with Article 55, XVIII of the General Data Protection Law (LGPD), the application of the law to small-scale data processing agents, with the goal of easing the minimum governance requirements imposed on data processing agents in general. It is noteworthy that the draft resolution mentions religious organizations among its possible beneficiaries (Article 2, IV), while at the same time excluding data processing agents engaged in high-risk and large-scale data processing from these relaxations (Article 3).

Given this, where would religious organizations of various denominations, which inherently process data related to religious beliefs, considered sensitive under LGPD (Article 5, II), stand?

The draft resolution assigns data processing agents themselves the responsibility to determine their classification, with ANPD retaining the authority to review a data processing agent's self-declaration in the exercise of its supervisory powers. Thus, it falls upon religious organizations to assess whether the data processing they carry out can simultaneously be considered "high-risk" and "large-scale" as stipulated in Article 3, section 1, I.

According to the proposed draft in Article 3, section 1, I: "Processing that involves (…) sensitive data or data on vulnerable groups" will be considered high-risk for data subjects — a description that appears to encompass the activities of religious organizations. As for the "large-scale" requirement, the draft's definition is vague, stating it is present "when it covers a significant number of data subjects," considering the volume, frequency, duration, and geographic extent of the data involved.

In the case of religious organizations, it is likely that the duration of data processing will be lengthy and the frequency high, despite the undeniable transformation of Brazil's religious landscape. The number of data subjects, the data involved, and the geographic extent will naturally vary case by case, depending on the organization's size. Smaller organizations will, of course, process a smaller set of data, but these data will certainly be representative within the total information processed by the organization. ANPD recognizes the need for more guidance on these parameters, indicating that it will provide guides and instructions to assist data processing agents in assessing whether they engage in large-scale data processing.

Given the issues surrounding the treatment of personal data by religious organizations in Brazil, it is worthwhile to examine how other countries have regulated this matter from a comparative perspective.

In Europe, the General Data Protection Regulation (GDPR) also treats data related to religious beliefs as sensitive but recognizes the existence of pre-existing rules and national differences regarding the population's relationship with religion and religious entities. In this regard, the Charter of Fundamental Rights of the European Union recognizes data protection and religious freedom in Articles 8 and 10, respectively, with GDPR Recital 165 stating that the European data protection regulation "respects and does not affect the status enjoyed, in accordance with national constitutional law, by churches and religious associations or communities in the Member States."

In countries with a strong religious tradition like Poland and Spain, the respective authorities sought to regulate religious organizations in collaboration with them. While UODO (the Polish Data Protection Authority) organized a partnership with the Catholic Church, in Spain the AEPD (Spanish Data Protection Agency) operates in a scenario where Canon Law established new rules for data processing by religious congregations, seeking alignment with the provisions of GDPR.

On the other hand, other authorities, such as the UK's Information Commissioner's Office (ICO) and Italy's Garante per la Protezione dei Dati Personali (GPDP), addressed this issue seemingly independently of religious organizations in their respective countries. ICO provides detailed instructions on all types of personal data processing on its website, and in a dedicated section, the authority organizes and clarifies specific processing rules for non-profit organizations, including religious associations. GPDP, meanwhile, lists brief provisions regarding the requirements related to the processing of particular categories of data by associations, foundations, churches, and religious associations or communities, specifying which data subjects and general purposes the processing can be carried out for.

Regarding flexibility, the comparative experience suggests various approaches to address this issue, but any relaxations should take into account the rights of data subjects. Both those who interact with these organizations as members or former members and external individuals must therefore have their rights preserved, so that the necessary consideration of these organizations' difficulties in complying with LGPD does not become a carte blanche for invasive data processing, such as undue prospecting of new members.

The alignment with these regulations led religious organizations in various European countries to develop their own models of compliance and interpretation of legal provisions and privacy notices. However, it is essential to consider the differences in religious practice in Brazil and other countries, as well as the presence or absence of a structure within the religious organization itself to establish these sector-specific models.

This model is expressly authorized by LGPD in Article 50, which allows data processing agents to formulate individual or collective rules of good governance that define conditions for the organization and processing of personal data. Self-regulation is particularly relevant for micro and small enterprises and non-profit institutions. These stakeholder categories often struggle to meet all the material and procedural requirements of LGPD, which, in some cases, can appear disproportionate.

Self-regulation in data protection has both proponents and critics. Among the benefits are lower costs associated with self-regulation when compared to external state regulation, precise adaptation to the specific realities of each data processing agent, and agility and dynamism in adapting to new technological changes. However, "pure" forms of self-regulation are sometimes criticized because their products (the rules proposed for self-regulation) fail to faithfully observe the objectives of the law they aim to regulate. Therefore, the available alternative of subjecting self-regulation to debate with ANPD for subsequent approval by the authority provides an effective solution to the challenges of sector specificity and legitimacy in the public interest.

This hybrid solution between self-regulation and government regulation is known as "regulated self-regulation," as it allows agents from a particular sector to determine the rules to be followed (self-regulation) while establishing basic indicators previously defined by the government to guide the creation of sector-specific rules (regulated). Thus, it is possible to ensure minimum protections established by the authorities while allowing each sector to develop its own way of fulfilling these objectives. With that said, it is essential for ANPD's draft resolution to exhibit some flexibility, but as a guide for self-regulation by small-scale data processing agents, the draft needs to clearly indicate its basic premises. Until the wording of the draft defines the concept of "large-scale," those covered by the text will not be able to propose rules that adhere to their realities and are effective in complying with the authority's guidelines.

Therefore, to address the peculiarities of religious organizations as small-scale data processing agents under the draft resolution or even with regard to the general rules of LGPD, it is important to observe international experience. In this scenario, the opportunity arises for "regulated self-regulation," as provided for in Article 50 of LGPD, enabling various religious denominations to formulate rules relevant to their specificities, with the endorsement of ANPD — ensuring an adequate level of protection for the rights of data subjects.

 

*Coauthored with Gabriel Sônego Borner. Originally published in Conjur.
