Is the Brazilian Data Protection Law (LGPD) Really Taking Off?

A little over six months after the Brazilian Data Protection Law (LGPD) became effective, there seems to be real progress in its implementation. The LGPD is an all-encompassing data protection law similar to the European Union’s GDPR. Although the Brazilian authorities had two years since the law was passed in 2018 to create a national data protection agency (ANPD), the government did not take action until the law became effective last September. Despite the late start and the pandemic, in just a few months of existence, the ANPD has made reasonable progress.

Why is that relevant?

The LGPD requires the ANPD to regulate some key aspects of the law, and such regulations may significantly impact the way companies in Brazil, doing business in Brazil, or otherwise having some relationship with individuals in Brazil, approach their obligations under the LGPD.

Six-Month Review and the Two-Year Agenda

On November 6, 2020, the Director Council of the ANPD was finally sworn in, kicking off the ANPD's operations. Shortly after, the ANPD created a website with news, forms, and communication channels.

On January 28, 2021, the ANPD set up its two-year regulatory agenda, listing the 10 priority topics the ANPD plans to tackle in the next two years, based on its understanding of the priorities.[1] The following outlines the agenda and the proposed timeline for implementation.

REGULATORY AGENDA - 2021-2022

| Item | Topic | Description | Prioritization | Instrument |
|---|---|---|---|---|
| 1 | ANPD Internal Regulations | Publication of the first ANPD Internal Regulation. | Phase 1 | Ordinance |
| 2 | ANPD Strategic Planning | Publication of the 2021-2023 Strategic Plan, containing the objectives to be achieved by the ANPD and their respective deadlines and related strategic actions. | Phase 1 | Ordinance |
| 3 | Data and privacy protection for small and medium-sized businesses, startups and individuals who process personal data for economic purposes | The LGPD provides for differentiated regulation for micro and small businesses, with the issuance of regulations on the subject, as established in art. 55-J of the LGPD. | Phase 1 | Resolution |
| 4 | Rights of data subjects | The LGPD establishes the data subject's rights, but several points require regulation, such as the rights under articles 9, 18, 20 and 23. | Phase 3 | Resolution |
| 5 | Establishing regulations for the application of administrative sanctions (art. 52 and following of the LGPD) | Art. 53 of the LGPD provides that the ANPD must define and regulate the administrative sanctions for violations of the law, including the methodologies that will guide the calculation of fines. The regulation will also establish the circumstances and conditions for issuing a fine. | Phase 1 | Resolution |
| 6 | Incident reporting and notification deadline | According to art. 48 of the LGPD, the controller must report to the national authority and the data subject(s) the occurrence of a security incident that may cause significant risk or damage to the data subject(s). The ANPD needs to regulate some items, such as the deadline, and define the form and the best way of forwarding the information. | Phase 1 | Resolution |
| 7 | Personal Data Protection Impact Report | According to art. 55-J, item XIII of the LGPD, the ANPD needs to issue regulations and procedures on the protection of personal data and privacy, as well as on personal data protection impact reports in cases where the processing of the data represents a high risk to the guarantee of the general principles of personal data protection. | Phase 1 | Resolution |
| 8 | Person in charge of personal data protection | Under the terms of art. 41, § 3 of the LGPD, the ANPD can establish complementary rules on the definition and the duties of the person in charge, including examples of exemption from the need for their appointment, according to the nature and size of the entity or the volume of data processing operations. | Phase 2 | Resolution |
| 9 | International Transfer of Personal Data | Art. 33, item I of the LGPD provides that the international transfer of personal data is only permitted to countries or international organizations that provide a degree of protection of personal data appropriate to that provided for in the LGPD. In turn, art. 34 explains that the data protection level of the foreign country or the international body may be assessed by the ANPD. Art. 35 of the law also determines that the definition of the content of standard contractual clauses, among others, will be carried out by the ANPD. Thus, it is necessary to regulate arts. 33, 34 and 35 of the LGPD, without prejudice to the other topics covered by the articles not mentioned in this text. | Phase 2 | Resolution |
| 10 | Legal bases for processing personal data | Document guiding the public on the legal bases and hypotheses for the application of the LGPD on various topics, including the legal hypotheses described in art. 7, but not restricted to it. | Phase 3 | Good Practices Guide |

Shortly after, in February, items #1 and #2 of the Agenda were published, and the ANPD opened for public comment and review the regulations addressing item #3 (micro and small companies) and item #6 (incident report and notification deadline).

In April, the ANPD participated in the UK-Brazil Digital and Cyber Dialogue 2021 to exchange experiences and discuss international data flows. ANPD members also participated in the Data Protection Academy provided by Maastricht University, as part of the cooperative relationship the ANPD is building with the European Commission.

On May 28, 2021, the ANPD issued the first Guide,[2] which, although not binding, provides some clarifications regarding the definitions of “Controller,” “Processor,” and “Data Privacy Officer,” and introduces the new concept of “Sub-processor.”

How do these three topics (international data transfer, definitions, and incident report) affect my Brazil operations and employees?

International Data Transfer

The LGPD, as other data protection laws, limits the ability of companies to transfer personal data outside the country. Under most circumstances, companies headquartered outside Brazil have to comply with the LGPD if they have individual customers, employees, contractors and freelancers located in Brazil and have in place mechanisms to transfer the personal data of such individuals outside Brazil, whether to the HQ location or to third-party vendors and servers.

As we all know, relying on consent to transfer personal data internationally is precarious, because consent can be withheld and withdrawn, and consent from employees (and potentially other individuals) can be deemed null and void due to their lack of bargaining power. Therefore, having other avenues and mechanisms is imperative.

The fact that the ANPD is working with the UK authorities and the European Commission is a good sign because, hopefully, the ANPD will rule that the European Union members, plus the UK and the other countries of the European Economic Area, are countries that provide a degree of protection of personal data adequate to that provided for in the LGPD, and the European Commission (among others) will also recognize Brazil as a country providing adequate protection, facilitating the transfer of personal data between Brazil and such countries.

However, Brazil will also need mechanisms for companies to transfer data safely to the United States and other countries, and, according to the agenda, the ANPD may not tackle this matter until next year.

Some personal data may be legally transferred outside Brazil for the purpose of executing a contract, at the request of the data subject, so agreements directly with customers and freelancers could validate the transfer of the information relevant to executing the contract, but the transfer may not go beyond that without other mechanisms.

For many companies headquartered outside Brazil, the biggest challenge now is to manage employee data flowing from the local subsidiary to HQ abroad.

Another aspect to consider here is the role of each party. HQ can be deemed the “Controller” if it is making the decisions about the processing of the Brazilian subsidiary’s employees’ personal data. An example provided by the Guide explains the ANPD’s view:

Company XRAY, which provides services through a digital platform, is headquartered in the United Kingdom. Due to the need to carry out the marketing of its services and to obtain more knowledge about the interests of the Brazilian public, it opens a subsidiary, YANKEE, in Brazil, which acts only according to its guidelines. Despite being part of the same economic group, the parent company XRAY and the Brazilian subsidiary YANKEE have different legal personalities and, depending on the type of personal data processing operation and the circumstances of the specific case, they can act as controllers or processors. In the processing of data for the marketing campaign carried out by the Brazilian subsidiary YANKEE, where the decision on the purpose and the essential elements was established by the parent company (data of the subjects determined for the marketing campaign, with the purpose of leveraging the sales of services, for a determined period), the Brazilian subsidiary YANKEE is the data processor. This is because the data processing is carried out exclusively according to the instructions of the company XRAY, which were defined in a contractual instrument signed between the parties. Regarding the processing of employees' data, when processing the payroll, for example, the Brazilian subsidiary YANKEE will be considered the controller of the data. On the other hand, if the parent XRAY and the Brazilian subsidiary YANKEE develop a new service for the Brazilian public, jointly defining the purposes and essential elements of the processing, they will act as joint controllers in relation to this operation.

Incident Report

According to the LGPD and the Guide, the Controller is solely responsible for communicating to the ANPD and the data subjects the occurrence of a breach “incident.” It is also important to keep in mind that the individuals who work for the Controller (or the Processor) are not responsible for compliance with the law with respect to the ANPD and the data subject; only the Controller (and to a limited extent the Processor) is responsible, so there is no excuse based on the negligence of employees.

Although the ANPD has not yet issued final guidelines for the incident report requirements, it has already set a roadmap and issued a form to report incidents.[3] Unfortunately, the current guidelines do not identify what would constitute a “relevant” breach that would require reporting. The current guidelines simply say the Controller must ask itself two questions:

1. Has there been a security incident related to personal data?

☐ Yes - Next question.

☐ No - It is not necessary to notify the ANPD if there was no security incident related to personal data.

2. Is there a relevant risk or damage to the individual rights and freedoms of the affected data subjects due to the security incident?

☐ Yes - Communicate to the ANPD and the data subject.

☐ No - Communication to the ANPD will not be necessary if the controller can demonstrate, in an irrefutable way, that the breach of the security of personal data does not constitute a relevant risk to the rights and freedoms of the data subject.

The guidelines add that “it can be extracted from the law that the probability of relevant risk or damage to the data subjects will be greater whenever the incident involves sensitive data or data of vulnerable individuals, including children and adolescents, or has the potential to cause damage, material or moral, such as discrimination, violation of the right to image and reputation, financial fraud and identity theft. Likewise, the volume of data involved, the number of affected individuals, the good faith and the intentions of the third parties who had access to the data after the incident and the ease of identification of the data subjects by unauthorized third parties should be taken into account.”

Therefore, under the current guidelines it will be difficult to determine the need to report when the breach is not clearly massive or does not affect a more sensitive group.

To make matters more complicated, the current guidelines suggest that companies should report the incident within two business days from the date of knowledge of the incident. Therefore, it is imperative that Processors immediately communicate an incident to the Controller, and the Controller needs to have mechanisms (through contractual clauses) to seek indemnification from Processors. It is also important that the same service agreements include obligations on the Processor to seek authorization (specific or generic, depending on the situation) from the Controller before engaging Sub-processors, and that the Processor will remain solely responsible for such Sub-processors.

Do I really need a Data Privacy Officer (DPO)?

For now, yes. The ANPD says in the Guide that it may revisit this topic and determine under which conditions a DPO will not be required. However, for the moment, Controllers must appoint a DPO and make the DPO’s contact information easily accessible. Neither the law nor the Guide requires the Controller to report the DPO’s contact information to, or otherwise register the DPO with, the ANPD.

The good news is that the Guide clarified that the DPO can be either an employee or an outside agent, which can be a company. Also, the Guide says that the DPO can be assisted by a data protection team. However, it highlights the importance for the Controller of choosing an outside DPO wisely, one that will actually be capable of performing all of its duties efficiently; after all, the ultimate responsibility for the processing of personal data will continue to be the Controller's.
