On January 28, 2021, international Data Privacy Day, the newly formed Brazilian data protection authority (Agência Nacional de Proteção de Dados, the “ANPD”) published its regulatory strategy for 2021-2023 and work plan for 2021-2022 (in Portuguese).
ANPD Regulatory Strategy
The ANPD’s regulatory strategy for 2021-2023 sets forth the agency’s vision for becoming a reference, nationally and internationally, with respect to data protection matters. It also establishes the ANPD’s three main objectives in its initial years as a data protection regulator, which are linked to concrete actions, timelines and key performance indicators (“KPIs”):
- To promote the strengthening of a data protection culture, which will be done through events and workshops, drafting guidance and recommendations, engaging with public and private entities to partner in the development of best practices and investigations of non-compliance;
- To establish an effective data protection regulatory environment, which will be done through the development of a process to manage individual complaints and data breach notifications, drafting rules to regulate the Brazilian data protection law (Lei Geral de Proteção de Dados Pessoais, the “LGPD”), open provisions (which will be open to public consultation) and drafting the ANPD’s bi-annual work plan; and
- To improve the ANPD’s ability to operate according to the LGPD rules, which will involve the ANPD’s office, infrastructure, budget and staff, as well as preparing a study concerning the legal transformation of the ANPD.
The ANPD applied a risk-based approach to its strategy when acknowledging that it will require constant monitoring of developments and re-calibration of priorities. It also concluded that its ultimate goals for the publication of the agency’s strategy are to enhance transparency and enable the ANPD to become accountable to society.
ANPD Work Plan
The ANPD’s work plan for 2021-2022 establishes immediate priorities and areas of focus for the ANPD, which will be assessed and possibly re-calibrated at the end of 2021:
- Work starting in H1 2021, to be done within one year:
  - ANPD bylaws
  - Regulatory strategy for 2021-2023
  - Rules for small and medium-sized enterprises (“SMEs”)
  - Rules concerning the ANPD’s enforcement and calculation of fines
  - Rules concerning notification of data breaches to the ANPD and data subjects
  - Rules concerning data protection impact assessments (“DPIAs”)
- Work starting in H1 2022:
  - Rules concerning data subject rights
  - Rules concerning the data protection officer (“DPO”)
  - Rules concerning international data transfers
- Work starting in H2 2022:
  - Guidelines on legal bases for processing
The ANPD also has published an FAQ document (in Portuguese) with basic questions and answers concerning the new authority, the LGPD, basic data protection concepts (e.g., personal data, data processing and sensitive data), compliance obligations and other topics.
Transparency
The ANPD has launched its official website (in Portuguese), which will contain basic information about the ANPD’s structure, strategy and work plan, as well as the agenda of the President Director and information about financial resources obtained as a result of agreements, contractual arrangements and audits. In addition, the ANPD will issue a status report on its progress with respect to the work plan every six months.
Initial Investigations
While the LGPD provisions concerning sanctions and fines go into effect in August 2021, the ANPD has already initiated its first investigations, as announced by ANPD Director Arthur Pereira Sabbat during a webinar. These are preliminary investigations of WhatsApp’s recent privacy policy changes and an August 2019 data breach involving credit-research firm Serasa Experian, which allegedly affected more than 220 million Brazilians. The Brazilian National Consumer Secretariat (Secretaria Nacional do Consumidor, “Senacon”) is also investigating the Serasa data breach.
Coordination with Other Regulatory Authorities
The Brazilian National Council of Consumer Defense (Conselho Nacional de Defesa do Consumidor, the “CNDC”), created in July 2020 to facilitate cooperation and coordination on consumer matters among various Brazilian public bodies, has created a working group dedicated to privacy and data protection. This working group will work closely with the ANPD, and ANPD representatives will have a seat at the working group’s meetings. The working group is led by Luciano Timm, former Director of Senacon, and data privacy lawyer and professor Laura Schertel Mendes. Mendes is also founder and Director of the Centro de Estudos de Direito, Internet e Sociedade of the Instituto Brasiliense de Direito Público (the “CEDIS-IDP”), which jointly coordinates the Effective Implementation and Regulation Under the LGPD project with Hunton Andrews Kurth’s Centre for Information Policy Leadership (“CIPL”).
ANPD Staff
The ANPD’s five Directors, nominated by President Bolsonaro, took office on November 6, 2020. The ANPD also has hired more than 19 of the 31 staff members it is entitled to per Presidential Decree 10.474/2020. These individuals mostly come from other public bodies (i.e., the Presidency of the Republic, telecommunications regulator, consumer regulator, Brazilian Attorney General's Office and Office of the Comptroller General). Three members of the staff come from Telebras, the Brazilian telecommunications company that was once state-owned, and where the ANPD’s President Director previously worked. One member of staff comes from the private sector, previously having worked at a Brazilian think tank and as a data protection lawyer.
Application Process Opened for the ANPD’s National Data Protection Council
On February 4, 2020, the ANPD opened the application process for the National Data Protection Council. This is a multi-stakeholder advisory council provided for by the LGPD to advise on the ANPD’s work and raise awareness regarding data privacy matters.
Public Consultation Process
In its three months of existence, the ANPD already has opened its first public consultation process (in Portuguese). The agency is seeking initial views on general data protection challenges and opportunities for SMEs and on specific topics such as the implementation of data protection compliance programs and risk assessments by SMEs, which will inform upcoming ANPD rules. Submissions must follow a template form and be sent (in Portuguese) to the ANPD public consultations department by March 1, 2021.