Brazil: National Data Protection Authority

Autoridade Nacional de Proteção de Dados (ANPD)

Country: Latin America & Caribbean

Location: Brazil

Regulated area: Data protection & privacy

Location

Brasília, Federal District, Brazil

Useful pages on the regulator website

Main homepage: https://www.gov.br/anpd/pt-br

Competencies of the ANPD: https://www.gov.br/anpd/pt-br/acesso-a-informacao/institucional/competencias-da-anpd

Legislation and general guidance on data protection: https://www.gov.br/anpd/pt-br/centrais-de-conteudo/legislacao

Key individuals

Waldemar Gonçalves Ortunho Júnior – Director President

Joacil Basilio Rael – Director

Nairane Farias Rabelo Leitão – Director

Arthur Pereira Sabbat – Director

Miriam Wimmer – Director

Regulatory oversight (political, social, legal)

The exponential growth in the use of technology, and with it the use of our personal data in ever more spheres of life, has left that data increasingly exposed to misuse. This lies behind the growing global concern for privacy and for the freedom to exercise full control over our own data.

That concern cuts both ways: it calls for controls on everyone who accesses the data, and it has awakened data subjects to their rights, making them more vigilant about what is requested of them and what purpose the information is meant to serve.

In 1981, the Council of Europe had already expressed concern about the circulation of personal data and adopted the first international convention on the subject, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108). Years later, in 1995, the European Union strengthened the protection of personal data through Directive 95/46/EC.

In 1988, the Brazilian Constitution enshrined the right to privacy in article 5, which sets out the fundamental rights and guarantees, even though the volume of data transmitted at that time was negligible compared with what we see today, 34 years later, whether because of the computerisation of processes or because of easier access to the internet.

As data transactions in the virtual sphere grew, emblematic episodes accelerated the regulation of the topic. In 2013 came the disclosure of details of the surveillance programmes of the American government's National Security Agency, which had built systems to monitor data whenever American services such as Google or Facebook were accessed. In 2018 came the Cambridge Analytica case, in which personal information of great value was harvested through a personality quiz and used for various purposes, including political ones, with its use reported in major campaigns such as those in the United States.

In this vein, and in search of security in the virtual sphere, in 2012 the European Union began drafting a specific instrument to protect the data and identity of its citizens. It was approved in 2016 and came into force in 2018, repealing Directive 95/46/EC. This instrument, the General Data Protection Regulation (GDPR), not only consolidated best practices in personal data protection but also inspired related legislation worldwide, including the Brazilian General Law on Personal Data Protection (LGPD), Law No. 13,709/2018.

In brief, the LGPD, approved in 2018 and brought into force in stages until it became fully effective in August 2021, represents a historic milestone in the regulation of personal data processing in Brazil, that is, of how private companies, public institutions and natural persons collect, store and make available user data, whether on physical media or on digital platforms.

To guarantee adequate compliance with the law, the ANPD was created in Brasília, Federal District, Brazil. Its competencies include:

  • drafting guidelines for the National Policy on Personal Data Protection and Privacy;
  • enforcement, including the application of sanctions where data processing does not comply with the legislation;
  • promoting knowledge among the population of the norms and public policies on personal data protection and of security measures; and
  • issuing regulations and procedures on personal data protection and privacy, including on data protection impact reports for cases in which processing represents a high risk to the general principles of personal data protection set out in the LGPD.

Reporting and disclosure obligations

In this context, it is fundamental to stress the importance of implementing procedures to bring business activities into line with the LGPD and the ANPD regulations. An essential part of that adaptation is defining the procedures to be adopted in the event of a data leak, especially one involving sensitive personal data (data on intimate aspects of a person's life, such as racial or ethnic origin, religious belief and political opinion) or data on children and adolescents, and one that brings relevant risk or damage to data subjects, such as discrimination, violation of the right to image and reputation, financial fraud and identity theft.

Even with the right procedures in place, the risk of a leak can never be ruled out entirely; it is inherent to business activity like any other risk. A well-executed procedure for communicating the leak to the ANPD can therefore contribute significantly to, first, containing the resulting damage and, second, mitigating its effects on the organisation, avoiding fines and suspensions or even warnings, by demonstrating transparency and good faith and protecting the organisation in any inspection.

Monetary sanctions and recent behaviour

As for pecuniary sanctions, the LGPD provides that a fine may reach 2 per cent of the organisation's turnover, capped at R$50 million per violation; it is important to note that the law sets this cap per violation. The ANPD regulations have been taking shape, and nothing so far indicates a different interpretation: a company that does not properly adapt to the legislation, repeatedly fails to comply with its responsibilities and infringes the rights of the holders of the personal data it processes may face penalties that, taken together, exceed this amount.

In August 2022, the ANPD opened a public consultation on the regulation that will govern the dosimetry and application of its sanctions. The same regulation also provides for the admissibility and processing of any appeals.

The consultation closed on 15 September 2022 with 2,504 contributions, and the text now proceeds through the remaining steps before it enters into force. Although adjustments may still be made, the text submitted to public consultation is an important indication of how the ANPD will handle penalties.

On penalties, the regulation defines the concepts of infraction and permanent infraction, as well as corrective measures and specific and generic recidivism, among other concepts important to understanding penalties and their dosimetry.

One of the main themes of the regulation is article 3 of the annex, which deals with the dosimetry and application of administrative sanctions and defines the penalties to which violators may be subjected:

  • warning;
  • simple fine;
  • daily fine;
  • publicising the infraction;
  • blocking of personal data to which the infraction refers;
  • erasure of personal data to which the infraction refers;
  • partial suspension of the operation of the database to which the infraction refers;
  • suspension of the exercise of the processing activity of the personal data to which the infraction refers; and
  • partial or total prohibition from exercising activities related to data processing.

This list of sanctions, and the order in which they appear, shows the path the ANPD will follow when sanctioning organisations. Paragraph 1 of the same article states that the sanctions most harmful to the organisation, those that, although not directly pecuniary, can directly affect its business, namely the suspensions and the prohibition on data processing, may only be applied after at least one of the other sanctions, set out in items I to VI, has already been imposed.

Article 8 of the regulation then classifies the gravity of infractions as light, medium or serious and sets out the criteria for that classification.

It is fundamental to emphasise that, as required by the Brazilian legal system, article 4 of the annex also guarantees the right to a full defence and provides that a penalty is applied only after all administrative procedures have been completed and by a reasoned decision of the responsible authority.

In line with what has been said above, article 7 of the annex defines the factors that must be considered when applying a penalty. Among them is the good faith of the violator, which reinforces the importance of the process of adapting to the law; among the other items, we believe some stand out: the cooperation of the violator, the adoption of good practices and governance, and the prompt adoption of corrective measures.

In short, it is clear how important it is to adapt business activities to the Brazilian General Data Protection Law and to adopt the practices recommended by the National Data Protection Authority to ensure the security both of its operations and of the personal data processed in its activity.

Non-monetary sanctioning powers and behaviour

On monitoring and possible sanctions: as mentioned above, the law was implemented in stages, and the administrative sanctions only became effective in August 2021. Although 176 procedures were reported or opened in 2021 to investigate “security incidents”, it falls to the ANPD to evaluate whether each incident occurred while the sanctions were already in force; if not, no sanction can be applied. It is nonetheless essential to note that the LGPD provides for administrative sanctions ranging from warnings to restrictions on activity and pecuniary fines of up to R$50 million per infraction, as stated in the previous section, which may be applied by the ANPD after an administrative procedure that guarantees a full defence.

Thus, although the ANPD has not yet applied any sanctions, and in particular no fines, mainly because its regulation on the methodology and dosimetry of infractions, although already submitted to public consultation, is not yet in force, the Judiciary has already relied on the LGPD in first- and second-instance decisions, including in the labour field. The Regional Labour Court of the 2nd Region upheld the dismissal for just cause of a telemarketing employee who sent a list of sensitive data to his personal email, highlighted the relevance of the LGPD and reaffirmed the civil liability of those who handle such data (Judicial Process No. 1000612-09.2020.5.02.0043).

Also worth noting is a decision of the Federal Supreme Court (STF) determining that the Executive Branch must apply the LGPD to a decree dealing with the sharing of personal data between federal agencies. The decree seeks to gather information that already exists and is used across various government agencies, such as name, CPF (individual taxpayer number), marital status, voter registration, employment ties and biometric identifiers such as fingerprints, retina and facial geometry.

Recent and upcoming developments

From a macro point of view, what we see is the publication of a law that embodies the best practices of personal data protection, together with the fundamental points needed to guide society in adapting to new rules for a virtual world that is by now familiar and mature. Many details remain open, however, since the ANPD is responsible for the detailed regulation that will provide full clarity on the path to be followed, from beginning to end.

The most recent advance was the public consultation discussed in this article. It shows the maturing of the Authority responsible for the controls arising from this Law and indicates that the country will soon see this protection coordinated in an organised way. It also reinforces the alert for organisations that still lack appropriate procedures: neglecting these issues will severely hamper their chances of limiting and mitigating the risks arising from the penalties in this legislation.

Challenges

Given how recently the Law came into force, one of the ANPD's main challenges is to strike a balance between excessive sanctions and the dissemination of an educational culture in the face of national unpreparedness. Much has been debated about postponing the effects of the law, since the whole debate and its entry into force took place during a pandemic, when companies, on top of their existing financial obligations, also had to invest in implementing the LGPD.

The ANPD's challenge is clearly a great one, but this balance will be important to make citizens aware of their rights and organisations aware of their responsibilities. Creating a hostile environment between the two sides would only benefit the lack of control over data security in the country, and hence the wrongdoers who already profit significantly from unauthorised trading of this data.

Interacting with the regulator

Beyond the usual consultations, companies, through the person responsible, must report any data leakage incident to the ANPD: besides the communication itself, doing so demonstrates transparency and good faith, will be considered in any inspection, and allows the ANPD to adopt containment measures.

It is also essential that the company appoints a data protection officer (DPO), a professional responsible for matters relating to the protection of the organisation's data and that of its clients, who will be the focal point for communications with the ANPD, such as data leakage incidents. To do so, it is necessary to pre-register on the ANPD's website, fill out forms, sign declarations and send personal documents.

Like other aspects still under development, the registrations currently available are for natural persons, who may later be linked to business registrations once the ANPD makes these available.

Notes for foreign investors

In a global context of ever-increasing digital data traffic, it is increasingly necessary to comply with standards that ensure compliant and proper processing of data, especially personal data and sensitive personal data. The recent attention to environmental, social and governance (ESG) policies therefore gains an important addition under the governance heading: the protection of personal data. This will be a significant pillar in attracting investment, since it demonstrates the degree of security of an organisation's operations. It applies even to organisations whose corporate purpose is not data processing as such, because every business entity, to a greater or lesser extent, has some data processing within its processes.

Once the ANPD regulations are in full force, the adequacy of operations to the LGPD and the ability to demonstrate these controls will be decisive for attracting investment and even for expanding activities into other countries, especially for organisations controlled, directly or indirectly, by European entities, since this ability to control data is also a competitive differentiator in markets subject to the European General Data Protection Regulation.

Other regulators it works closely with

https://gdpr-info.eu/

 
