In this blog post, we will discuss recent developments in respect of the ANPD (Brazil’s new federal data protection agency) and the LGPD (Brazil’s Data Protection law).
The new law will finally come into full effect in August 2021, bringing with it new obligations for companies in terms of handling personal data and strict penalties for non-compliance.
Although the law has been in force since September 2020, companies have had a year to adapt to the legislation. Therefore, violations will be subject to sanction through the ANPD only after August 2021.
Meanwhile, the Brazilian Judiciary has already been dealing with diverse actions based (at least partly) on the new law. There has also been significant overlap with other areas of Brazilian law, for example in cases related to consumer, employment, and public interest law.
Below we will briefly discuss the ANPD’s status of development. We also give 3 recent examples of events that highlight the type of issues companies and organizations are currently facing in Brazil.
Brazilian DPA prepares for enactment of Brazil’s Data Protection Law
The new Brazilian data protection agency (DPA) is currently being established to ensure compliance with the LGPD (Brazil’s data protection law). Last January, the institution published its regulatory agenda for the coming years.
Considering the prolonged silence of the Brazilian authority since its creation and the enactment of the law on September 18, 2020, the publication of the agenda provides a first glimpse on ANPD’s priorities. A link to the ANPD’s regulatory agenda can be found here.
A forecast of semi-annual reports to monitor the regulatory initiatives is foreseen on the agenda, with an express provision allowing for readjustment of the established dates in the 2021 final report. The ANPD’s CEO may also change the goals and dates by a resolution of the Board of Directors.
In that sense, although the Brazilian data protection community welcomed these initial clarifications by the agency, the scenario remains uncertain.
The authority was formally initiated in November 2020 and is currently in the process of establishing its directors, staff, and basic constitution. It has already started in its function as information provider, and those eager to get basic information about the agency can access the FAQ section on its website.
– What possible Sanctions could I face in the event of a Personal Data Breach?
– Challenges that may arise in protecting trade secrets against security threats when using videoconferencing apps
Example 1: Brazil´s biggest data leak to date
During January 2021, Brazil experienced its biggest data leak to date, involving the personal data of more than 220 million people and 40 million companies.
The number of leaked data is greater than the number of inhabitants in Brazil.
Example 2: Brazilian superior courts of justice and ministries victims of personal data leaks in 2020
The Brazilian Superior Court of Justice’s (STJ) was the subject of a suspected ransomware virus attack in November of last year, leading to an interruption of several judgments and suspension of procedural deadlines, due to an invasion by hackers of the STJ systems.
The Brazilian Electoral Superior Court (TSE) and the Ministry of Health also struggled with vulnerabilities on data protection in 2020.
In practice, the Brazilian Judiciary is already dealing with a significant overlap between data protection and privacy issues with consumer protection and employment law, as well as other issues considered to be in the public interest.
To date, however, these types of actions have had mixed outcomes, generating legal uncertainty, and reinforcing the need for clearer standards in privacy and data protection matters.
We are monitoring all the latest news in respect of privacy and data protection in Brazil and will keep our clients and partners informed of all developments. Please contact us if you would like to discuss any matter further.