The Effectiveness of LGPD and the Challenge of Compliance in Brazil

*This is an AI-powered machine translation of the original text in Portuguese

The entry into force of the General Data Protection Law (LGPD) last Friday (9/18) consolidated the need for companies and public bodies to comply with personal data protection. Much is said about this compliance. However, there is another compliance that cannot be forgotten: Brazil's compliance with data protection for international transfers.

Since the enactment of the European General Data Protection Regulation (GDPR) in 2018, compliance with the protection of personal data can be perceived as a true market requirement. For many companies, data protection governance was already a market issue that gave them a competitive advantage and was a condition for survival. This is because companies subject to European regulation began to demand guarantees from their partners and suppliers in Brazil regarding their level of compliance. The requirement is made case by case, in each international transfer of personal data, precisely because Brazil is still not considered by the European Union a country with an adequate level of data protection. This point is central to the legal certainty of business and investments in Brazil.

Decisions on the adequacy of countries are made by the European Commission. In accordance with Article 45(2) of the GDPR, they take into account: "The rule of law, respect for human rights and fundamental freedoms, the relevant legislation in force, both general and sectoral, including matters of public security, defense, national security, and criminal law, and with regard to the access of public authorities to personal data" and the application of these rules. Brazil has constitutional protection of privacy (private life - article 5, X) and of the confidentiality of communications (article 5, XII), in addition to the guarantee of habeas data (article 5, LXXII, and Law No. 9,507/97), and it has constituted a commission of jurists to present a bill on the processing of personal data concerning public security and national defense, themes that were outside the scope of the LGPD [2]. International commitments made regarding the protection of personal data are also considered. This refers to Convention 108 on Data Protection (1981), of which Brazil has been an observer since October 2018 [3], which is also a relevant factor for joining the OECD as a member.

There is still a requirement to be considered: the "existence and effective functioning of one or more independent supervisory authorities," that is, the existence and effective functioning of the National Data Protection Authority (ANPD). On this point, the entry into force of the law contrasts with the absence of the authority. During the law's vacatio legis, the institutional design and the rules about the Authority underwent several changes. In the end, Law No. 13,853/2019 transformed the ANPD into a federal public administration body with transitory legal nature (article 55-A, §1) and technical and decision-making autonomy (article 55-B); Law No. 14,010/20 postponed the effectiveness of the articles regarding administrative sanctions applied exclusively by the Authority (article 55-K), and its regulation was established only by Decree No. 10,474/20, on the same day that the law's effectiveness was voted in the Chamber of Deputies. The absence of the ANPD was felt, especially due to the lack of regulation on important LGPD issues, such as deadlines for compliance with data subjects' requests, the discipline of the legal basis of personal data, specific rules for micro and small enterprises, or the regulation on international transfers and their instruments.

Another challenge is the structuring of the technical and decision-making autonomy of the ANPD, which will be compared with the terms of independence established by the European Union and considered for adequacy decisions. For the European regulation (article 52), independence means independence in assignments; not being subject to external, direct, or indirect influences in the performance of its functions; not requesting or receiving instructions; that its members do not carry out incompatible activities; having the human, technical, and financial resources, facilities, and infrastructure necessary for the exercise of its assignments; selecting and having its own staff, which is under the exclusive direction of the authority's members; and having financial control that observes its independence. In other words, the desirable approximation of technical and decision-making autonomy in relation to the requirement of independence will still depend on an appropriate institutional design. It is worth mentioning, in this regard, the adequacy decision of Argentina, in June 2003 [4], which recognized an adequate level of protection of personal data in terms of Directive 95/46/EC, the predecessor of the GDPR. At the time, the opinion of the Article 29 Working Party [5], the current European Data Protection Committee, made a reservation about the urgency to remedy specific points of independence of the Argentine authority that should be ensured [6]. In the context of a European directive, which does not have the normative force of the regulation, Argentina's adequacy was recognized. Today, Argentina has consolidated its data protection legislation and seeks to improve it legislatively in what has been conventionally called the second wave of personal data protection.

The omission in structuring the ANPD is, therefore, the main problem in implementing the LGPD, not only from an internal perspective, in terms of regulation and enforcement, but also from an external perspective, in terms of Brazil's recognition according to international standards of personal data protection.

[1] Ferraz Júnior, Tercio Sampaio. (1993). Data confidentiality: the right to privacy and the limits on the State's supervisory function. Revista Da Faculdade De Direito, Universidade De São Paulo, 88, 439-459. Available at http://www.revistas.usp.br/rfdusp/article/view/67231 and QUEIROZ, Rafael Mafei Rabelo and PONCE, Paula Pedigoni. Tercio Sampaio Ferraz Júnior and Data Confidentiality: the right to privacy and the limits on the State's supervisory function: what remains and what needs to be reconsidered. Internet & Society. Nº 01, vol. 01, Feb/2020. Available at https://revista.internetlab.org.br/edicoes/numero-1-volume-1-fev-2020/

[2] Available at https://www.conjur.com.br/2019-dez-16/camara-cria-comissao-juristas-projeto-dados-pessoais.

[3] Available at https://www.coe.int/en/web/data-protection/-/brazil-and-the-data-protection-commission-of-gabon-to-join-the-committee-of-convention-108-as-observers-

[4] Available at https://eur-lex.europa.eu/legal-content/PT/TXT/HTML/?uri=CELEX:32003D0490&from=EN.

[5] Available at https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2002/wp63_en.pdf.

[6] “In particular, the Working Party urges the Argentinean Authorities to ensure the effective enforcement of the legislation at provincial level by means of the creation of the necessary independent control authorities where they do not exist yet and, in the meantime, to look for appropriate temporary solutions in accordance with the Argentinean constitutional order.” Opinion 4/2002 on the level of protection of personal data in Argentina.

*Co-authored with Núria López, Ricardo Campos, and Juliana Abrusio. Originally published in Conjur.
