The discourse on data protection and privacy in Brazil has been gaining momentum in recent years, and the issue is now firmly on the radar of companies doing business in Brazil. High-profile media coverage and the population’s increased awareness of personal rights related to data mean that the topic has now become mainstream.
Just this year, data protection became a fundamental right under the Brazilian Federal Constitution, further cementing its position as a critical area that businesses must deal with and expanding the protection of citizens’ rights.
Below we look at some of the recent changes in Brazil related to the area and also discuss what challenges are on the horizon.
Brazil’s recent data protection law
Brazil’s new Data Protection Law, the ‘Lei Geral de Proteção de Dados Pessoais’ (or LGPD), came into force on August 1, 2021. The new regime was heavily inspired by the European General Data Protection Regulation (GDPR) and establishes rules on the collection, handling, storage, and sharing of personal data. In addition to dealing with personal rights, the law seeks to encourage economic development and best practices in line with international standards.
Prior to the enactment of the LGPD, the Brazilian Judiciary had already been dealing with diverse actions based (at least partly) on the new law. This is because there is significant overlap with other areas of Brazilian law, for example in cases related to consumer, employment, and public interest law.
In addition to the other areas of law that may apply in a particular case, entities doing business in Brazil must now be aware that ignoring the new law may lead to heavy sanctions through the Brazilian Data Protection Authority (ANPD).
Such sanctions may include (i) warnings; (ii) disclosure and publicization of an infraction; (iii) blocking, suspension, deletion and prohibition of the personal data processing; and (iv) fines up to two percent (2%) of yearly revenues in Brazil, up to a total maximum of 50 million Reais (approx. USD 10 million).
The Brazilian Data Protection Authority
The Brazilian Data Protection Authority, the ‘Autoridade Nacional de Proteção de Dados’ (or ANPD), was formally created at the end of 2020 and began the process of establishing its directorate, staff and internal composition during 2021. It also took the crucial step of consolidating the National Council for the Protection of Personal Data and Privacy (CNPD).
With the LGPD already in force since September 2020, companies were given a year to adapt to the legislation, and the ANPD’s power of sanction (see above) only started to apply after August 2021.
At the outset of 2021, the ANPD published its regulatory agenda for the period 2021 – 2024, specifically highlighting priority topics for the period. These include providing guidance on data subject rights, fines, incident reporting, impact assessments, DPOs, international transfers, and other best practices.
The authority also sought public contributions in relation to important data protection matters, and started to align itself with other international agencies and institutions. For example, on October 4, 2021 the ANPD signed a formal co-operation agreement with the Spanish Data Protection Authority, AEPD, which establishes the sharing of information and joint actions on data protection.
This agreement with the Spanish authority also coincided with the ANPD joining the Ibero-American Data Protection Network (a forum that brings together international entities, both in the public and private sectors) as well as being granted observer status at the Global Privacy Assembly (a global forum for regulators, data protection and privacy officers across the world).
From the above developments, we can see that the authority is advancing on the goals described in its agenda and starting to produce important guidance on various topics.
To date, the authority has produced guidelines on the roles of Data Processing Agents (Controller/Processor) as well as on the role of the Data Protection Officer (updated in 2022), a resolution that proposes simplified procedures in relation to micro-enterprises, small businesses and startups that do not regularly perform data processing activities, and specific guidelines on the processing of personal data related to elections (in cooperation with the Brazilian Superior Electoral Court).
Looking forward, it is likely that the ANPD will have another busy year, with guidance on critical topics still expected, such as the regulation of international data transfers. In fact, on May 19 the authority already announced that it is opening a public consultation process on the regulation of international transfers of personal data.
The contributions that the ANPD receives from society will be used to draft new regulations governing such transfers under the Brazilian Data Protection law – LGPD. The consultation process will remain open until 17 June 2022.
Looking forward: 2022 and beyond
From the above, we can see that the issue of data protection has taken off in Brazil in recent years, with the LGPD in force and the work of the Brazilian authority (ANPD) ongoing.
In addition to an increased understanding of the subject by the population, it is now possible to observe data protection referenced within different areas of litigation before the Brazilian courts, also reaching the superior courts.
However, it is also clear that there are still serious challenges on the road ahead.
The LGPD is still in its infancy and, while the Brazilian government has taken some important first steps in creating a safer environment for the use of data by organizations, many businesses are still struggling with its implementation, while others still have taken little or no action to ensure compliance.
Brazil faces enormous challenges in terms of information security. In 2021, the country was named the fifth largest target of cyber attacks worldwide, with more than 9 million data security incidents occurring in the first quarter. Such incidents have already affected both the public and private sectors (including multinational companies, banks, government agencies, the superior courts, etc.).
In January 2021 alone, Brazil experienced a data leak involving the personal data of more than 220 million people and 40 million companies. Such staggering numbers make it clear that investment in cyber security measures must be a main priority for the country moving forward.
With all the recent changes for privacy and data protection matters in Brazil, companies must stay vigilant in their transactions involving personal data, especially when they involve sensitive data (i.e., data which helps to identify people).
If you have any questions on any of these topics, get in touch with us.