National Data Protection Authority (ANPD) presented a schedule of its first actions. Experts and companies point out that Brazil is lagging behind in regulation.
The National Data Protection Authority (ANPD), responsible for inspecting and editing rules foreseen in the General Data Protection Law (LGPD), presented on January 28 an agenda of its first actions and announced on February 1 the objectives planning and actions between 2021 and 2023.
These are the first steps of the body that will give shape to the data law, and they happen in the midst of one of the biggest data leaks known in Brazil – on January 28, the Federal Police received a request from the ANPD to open the investigation into the case.
The agenda foresees the definition of rules for the calculation of fines, deadlines and ways of communicating leaks, among other topics (see the complete list of items at the end of the report).
In the initial planning of the authority, it is planned to implement a flow to receive incidents and complaints within 6 months and obtain its own budget within up to one year.
Although the LGPD is in effect, the fines only began to be applied in August 2021 and the ANPD still lacks rules.
The regulation of the law is important for it to be followed in full. Without ANPD’s performance, it is not clear how some sections should be interpreted, nor what specific rules companies need to follow.
“Because the LGPD is a general law, there are issues that are not well tied and points that end up not being clear depending on the activity that a company is going to perform. The ANPD serves to regulate this,” explains Karolyne Utomi, a lawyer specializing in law digital.
Experts heard by G1 indicate that Brazil is lagging behind in regulating the issues. Since the law was passed in August 2018, it has been two years for it to come into force, after two postponements.
“The biggest problem with the protection authority is not the regulatory agenda, which has now been published, but past events such as late appointments and the publication of the job structure that was carried out with the law about to take effect,” said Utomi.
The authority’s position structure was published by President Jair Bolsonaro last August, with the directors appointed in October. The Senate approved the names a week later.
The agenda released at the end of January sets the stage for discussions on LGPD regulation, but does not impose a deadline for this to be completed. Only the planning brought a schedule with a forecast of the closure of the actions.
“If it continues at this pace, it will take years for the law to be fully regulated,” said Italo Nogueira, president of Assespro Nacional, an association of information technology companies.
The ANPD’s first step was the publication of the regulatory agenda, a document that defined 10 items considered most important by the 2nd semester of 2022 by the agency’s board (see the complete list of items at the end of the report).
In the first half of 2021, the authority will start to discuss, among other items:
how fines will be calculated;
specific rules for small and medium-sized companies and startups;
forms of communication for leaks.
The first semester of 2022 left important discussions in the evaluation of specialists heard by G1:
rights of the holders, that is, of the individuals to whom the personal data refer;
duties of the data protection officer, a position that will serve as a bridge between companies and citizens;
rules for the international transfer of personal data, important for multinational companies.
“The discussion about the rights of holders (of individuals) was for 2022, in the assessment of the ANPD. To be defined like this, in the week when there is the biggest data leak in the history of the country, I don’t know if it was a very good “, said Danilo Doneda, professor of law at IDP (Brasiliense Institute of Public Law), referring to the overflowing of 223 million CPFs.
The LGPD provides for penalties ranging from a warning to a fine of 2% of the company’s annual revenue, limited to R $ 50 million, and discussions on the rules for this calculation should start in the first half of 2021 – the agenda did not impose a deadline for complete the rules.
Important definitions for companies, such as the duties of the data protection officer, who will serve as a bridge between companies and citizens, and which companies will need to create this position, should only start to be discussed in the second half of the year.
“Without regulation, the assessment of non-compliance with the law will be at the discretion of whoever will be supervising. This can cause a number of legal issues. In addition, anyone who wants to invest in this area is always on the back foot, ”says Roberto Mayer, an advisor at Assespro Nacional.
In the opinion of lawyer Karolyne Utomi, haste cannot interfere with the quality of the ANPD’s definitions.
“The fact is that we have been in a situation of legal uncertainty for a long time, since the law was postponed. Brazil is already lagging behind with the ANPD, but it needs to be done well, instead of doing it anyway and causing more legal uncertainty, “she said.
“For a work of a dimension to regulate and foster a culture of protection of personal data, in addition to satisfying the regulatory points, the deadlines set in the agenda are reasonable. The formation of the board took place in November 2020, and they have a huge job for To have a quality job, it is a reasonable period “, said Utomi.
Absence of the board
The structure of the ANPD provides for the existence of the National Council for the Protection of Personal Data (CNPD), a group formed by 23 members with a two-year mandate that should give its opinion on the authority’s decisions and make suggestions for the national data protection policy.
It is on the council that will be represented by civil society, scientific institutions, the Senate, the Chamber of Deputies, the National Council of Justice, the National Council for the Public Prosecution, the Brazilian Internet Steering Committee and entities from the business sector.
This group has not yet been formed and the agenda does not provide any deadline for the nominations to be completed.
“I missed mentioning the National Council for the Protection of Personal Data (CNPD) on the agenda, because this is one of the things that the ANPD needs to regulate in order to work,” said Danilo Doneda.
“In theory, it is not impossible for the authority to make regulations without the CNPD, but they are playing the boat in a way that can make it difficult for the council to have a voice, to give an effective opinion,” said the law professor.
“If the regulatory agenda is being carried out without the council, it means that you are taking space from civil society to speak out,” added Doneda.
“The ideal would be that the council had already been fully formalized, but each entity designated to compose the council should have already appointed its representatives, which has not yet happened. If we were to wait until everyone sent, the ANPD would be stopped”, said the lawyer Karolyne Utomi.
Last Thursday (4), a week after the release of the agenda, the ANPD published the notice to receive nominations for the CNPD from representatives of civil society, scientific, technological and innovation institutions, union confederations representing the economic categories of the sector productive sector, business and labor sector entities.