On August 27, 2020, the Brazilian Presidency published Decree 10.474/2020 (the “Decree”) in the Official Journal, approving the regulatory structure of the new Brazilian data protection authority (the “ANPD”) and establishing its roles. The Decree will apply after the President-Director of the ANPD is officially appointed through publication in the Official Journal.
The Decree was published hours after the Brazilian Senate rejected a delay of the new Brazilian data protection law – Lei Geral de Proteção de Dados Pessoais (“LGPD”). As we previously reported, the Secretary-General of the Presidency of the Republic, Jorge Antônio de Oliveira Francisco, had announced that the Decree was ready for publication during a webinar organized by the Centre for Information Policy Leadership (“CIPL”).
According to the Decree, the ANPD must carry out public consultations, public hearings and analyses of regulatory impact prior to issuing regulations and standards. All public hearings must be recorded and published on the ANPD’s website. The ANPD can also issue a resolution establishing other means for stakeholders to participate in its decision-making processes.
The ANPD will have a staff of 36 people, including its President-Director and four Directors appointed by the Office of the Chief of Staff of the Brazilian Presidency appointed by the President and approved by the Senate. The remainder of the staff will be public servants reallocated from other governmental departments and the Military. Staff cannot refuse their new role and can be dismissed at any time.
The ANPD’s Council of Directors will include the President-Director, the four Directors and five project managers, who will be appointed for a term of four years. The Council of Directors will meet at least monthly and must publish its meeting agendas in advance. They will be the ultimate decision-makers within the ANPD, though they can delegate decision-making to other departments.
The Council of Directors will be responsible for executing most of the ANPD tasks outlined in the LGPD, including providing guidance, establishing further rules governing the ANPD, defining mechanisms to enable international transfers of personal data, requesting organizations to undertake risk assessments of data processing operations and acknowledging best practices concerning data governance. They also will be responsible for defining the methodology for the calculation of fines for non-compliance with the LGPD.
The Council of Directors will be supported directly by the following departments:
- General Secretariat – composed of one secretary and four technical advisors. They will be responsible for all administrative tasks, including organizing the agenda of the Council of Directors’ meetings, overseeing the drafting of ANPD reports and promoting ANPD transparency.
- General Coordination of Internal Administration – composed of one general coordinator and three other coordinators. They will manage human resources and finance.
- General Coordination of Institutional and International Relations – composed of one general coordinator and one coordinator. They will be responsible for supporting the Council of Directors by engaging with international data protection authorities, supporting the authorization of international data transfers and assessing the level of adequacy of third countries and international bodies.
In addition, the ANPD will have the following departments:
- Internal Affairs – composed of one inspector and one legal advisor, who will be responsible for internal disciplinary actions concerning the ANPD staff.
- Ombudsman – composed of the Ombudsman and a technical advisor, who will be responsible for accepting complaints, queries and suggestions from the general public.
- Legal Counsel – composed of one counsel and one coordinator, who will be responsible for interpreting the LGPD and other relevant laws and drafting regulations, which will be approved by the President-Director.
The following departments will be responsible for analyzing specific matters relevant to the LGPD:
- General Coordination of Technology and Research – composed of one general coordinator and one other coordinator.
- General Coordination of Standardization – composed of one general coordinator and two other coordinators.
- General Coordination of Oversight/Inspection – composed of one general coordinator and two other coordinators.
Finally, the Office of the President-Director will be composed of one chief officer, responsible for drafting the ANPD’s annual report, determining its budget and managing spending, contracting and meetings.
The Decree also specifies the structure of the National Data Protection Council, the ANPD’s external advisory council (the “Council”); this body may issue its own bylaws with further details concerning its functioning. The Council will be chaired by the Office of the Chief of Staff of the Brazilian Presidency and include representatives of other governmental bodies, the Senate, the House of Representatives, civil society, scientific institutions and industry associations. Each body will be responsible for appointing its own representatives, who will not be paid for this work. Some bodies have already appointed representatives prior to the publication of the Decree, including the Senate and the House of Representatives. The Council will meet at least three times a year, preferably over video-conferencing, and its meeting agendas must be published at least a week in advance.
CIPL has published a paper on “The Role of the Brazilian Data Protection Authority (ANPD) under Brazil’s New Data Protection Law (LGPD),” outlining what the ANPD’s priorities should be once it is established. The paper is available in English and in Portuguese.