Laura Aliende da Matta and Matheus Perez Matsuno

The week of the International Day for Personal Data Protection (January 28) brought news in the area of data protection in Brazil, with the publication of the Regulatory Agenda for the biennium 2021-2022,[1] through Ordinance No. 11/2021 of the National Data Protection Authority (ANPD). The agenda is a planning instrument that brings together the regulatory actions defined as priorities for the ANPD in the next two years, either as objects of study or regulation.

 This measure is of great importance to the business sector, as it provides the possibility of structuring adaptation strategies that go hand in hand with the regulatory advances of the Authority itself, allowing a scenario of greater predictability.

The agenda provides for semi-yearly reports on the monitoring of regulatory initiatives produced by the General Coordination of Standardization, without prejudice to the adjustment of initiatives and goals as necessary. At first, however, the Agenda listed ten priority topics in the area of data protection and reported the forecast for the start of regulatory activity related to them. The topics will be developed by the ANPD in three phases:

  • Phase 1: initiatives starting within up to one year (by the 2nd half of 2021);
  • Phase 2: initiatives starting within up to one year and six months (by the first half of 2022); and
  • Phase 3: initiatives starting within up to two years (by the 2nd half of 2022).

The initiative for transparency is to be commended, but the lack of a definition as to how some of the issues will be tackled until they are regulated is still worrying. It would be recommendable for the ANPD to at least disclose the goals for business continuity with a greater degree of legal certainty. An example of a topic to be addressed is that of the bases for the international transfer of personal data (in detail below), for which it is not yet possible to provide a strict and literal interpretation, which leaves them susceptible to relevant differences of opinion. In addition, for a large part of the market, doing business without some degree of international data transfer is practically impossible today and, for the time being, there are no scalable legal solutions that can be adopted by processing agents.

In any case, the balance of Ordinance No. 11/2021 is positive, since it brings in relevant elements for the planning of adjustment actions, as well as for monitoring and collection of regulatory initiatives that will be adopted by the ANPD. Please check out all the topics on the agenda below:

Internal Regulations of the General Data Protection Law (LGPD) and the ANPD’s Strategic Planning

These first two topics are prerequisites for the ANPD to begin operations, as well as for the definition of actions, objectives, and deadlines. The documents are of great value for civil society to follow the development of the ANPD, through rendering of accounts and comparisons with the calendar determined. The ANPD’s Strategic Planning for 2021-2023 has three strategic objectives:

  1. Promote strengthening of the culture of personal data protection;
  2. Establish an effective regulatory environment for the protection of personal data; and
  3. Improve the conditions for fulfillment of legal duties.

Protection of personal data and privacy for small and medium-sized enterprises, startups, and individuals who process personal data for economic purposes

This subject is in accordance with the regulatory competence established in article 55-J, subsection XVIII, of the LGPD. It is of special importance, as the burden of adjustment generated by the LGPD may mean a significant competitive constraint for these companies. In addition to dispensing with certain obligations in some contexts, such as appointing a data protection officer, it would be interesting if the regulations brought in elements of simplification from compliance with other obligations to facilitate adaptation to the law.

The rights of the holders of personal data

The fourth topic is scheduled to take place in Phase 3. The LGPD expressly defines some of the rights of data holders, but there are still many points of uncertainty, for example, in articles 9, 18, 20, and 23 of the law. For example, article 9 of the LGPD provides that data holders are entitled to information "made available in a clear, adequate, and conspicuous manner" concerning the processing of their data, but do not establish objective criteria for compliance with this requirement. With the regulation planned, it is expected that companies will be able to rely on objective protocols for the disclosure of information, which may greatly reduce costs related to implementation. In addition, article 18, which deals with the holder's requisition rights vis-à-vis the controller, is expected to have clearer guidelines on procedures such as anonymization, blocking, or elimination of unnecessary data, among other situations.

The establishment of rules for the application of article 52 et seq. of the LGPD

The fifth topic is planned for Phase 1. Article 52 et seq. of the LGPD discuss the administrative penalties applicable to controllers and operators. It is expected that the circumstances and conditions for the application of the penalties provided for will be better defined. In compliance with the foundation of economic and technological development and innovation stated in the law, it is necessary to provide information that enables controllers to understand the criteria for the application of administrative sanctions and adapt accordingly.

Reporting of incidents and specification of notice period

The sixth topic (also for Phase 1) is regulation of the items for incident reporting. Article 48 of the LGPD holds the data controller responsible for reporting to the ANPD and the holder the occurrence of safety incidents that may cause relevant risk or damage to the holders. However, there is no express provision of some essential elements for such reporting, such as specification of the notice period and format, which shall be described in a resolution of the ANPD.

Personal Data Protection Impact Report

Article 38 of the law, supplemented by article 55-J, subsection XIII, and §3, provides to the ANPD the option to require a Personal Data Protection Impact Report from data controllers. Despite the provisions of article 5, subsection XVII, there is still no standardized model for the report, as was provided by the European authorities, for example, when the General Data Protection Regulation (GDPR) was approved.

Personal Data Protection Officer

The eigth topic is planned for Phase 2. The personal data protection officer , also known as Data Protection Officer (DPO), shall be appointed by the controller to act as a means of communication between the processing agent, the holder, and the ANPD (article 5, subsection VIII, of the LGPD). Their appointment is mandatory for the controller, in accordance with article 48. However, paragraph 3 of the same article expressly states that the ANPD may establish supplementary rules on the definition, duties of the officer, and events in which their appointment is waived. Therefore, the ANPD will have the opportunity to assess the need to appoint an officer according to the nature and size of the entities or volume of data processing operations, as well as define the necessary duties of the professional allocated in each sector of activity.

International transfer of personal data

The agenda points to the need to regulate articles 33, 34, and 35 of the LGPD, an activity to be carried out in Phase 2. Article 33 provides for cases in which the international transfer of personal data is permitted, such as to countries or international bodies that provide an adequate level of data protection (article 33, subsection I, of the LGPD), while article 34 expresses which factors the ANPD will take into consideration in determining the level of personal data protection of these countries or bodies. The list of countries classified according to their degree of protection is not defined, however, as has been done by the European authorities. The ANPD is also expected to define guidelines for interpretation of what constitutes international transfer (which may include or exclude, for example, storage on international servers contracted for cloud service) and the content of standard contractual clauses (as per article 35 of the LGPD).

Legal scenarios for the processing of personal data

The tenth and last topic of the ANPD's Regulatory Agenda foresees for Phase 3 the publication of guidelines on the application of the legal bases and scenarios for data processing to the specific case. Legal bases such as legitimate interest and protection of credit are especially open to interpretation and lack clear guidelines that make it possible to satisfy the requirements of the law. The ANPD will publish a good practices guide with the guidelines for agents to proceed in a proper and lawful manner.

[1] BRASIL. National Data Protection Authority. Publishes the regulatory agenda for the biennium 2021-2022. Ordinance No. 11, January 27, 2021. Available at: http://www.in.gov.br/web/dou/-/portaria-n-11-de-27-de-janeiro-de-2021-301143313