October 7th, 2021

Following the latest developments in Brazil’s DPA

Thiago Villa


In our last post on this topic, we discussed recent developments in respect of the ANPD (the Brazilian DPA) and the LGPD (Brazil’s Data Protection law).

Since our last post, the new law came into full effect, bringing with it strict penalties for companies that are non-compliant with obligations on handling personal data.

Below we provide some recent updates on the ANPD’s activities and its status of development.

ANPD Administrative Sanctions now apply

On August 1st, the LGPD (Brazil’s data protection law) finally came into full effect. This means that Brazilian companies that do not follow this legislation may be subject to sanctions by the Brazilian DPA (ANPD).

These may include (i) warnings; (ii) disclosure and publicization of an infraction; (iii) blocking, suspension, deletion and prohibition of the personal data processing; and (iv) fines up to two percent (2%) of yearly revenues in Brazil, up to a total maximum of approximately 10 million Reais (USD 10,000,000.00) per infraction.

However, the ANPD has already issued declarations affirming that sanctions will only be possible after the approval of specific regulations on the administrative sanctioning process. This step is expected to happen in the coming weeks. The DPA is also still discussing methodologies for calculating administrative fines.

As discussed in our recent post, the Brazilian Judiciary has already been dealing with diverse actions based (at least partly) on the new law. This is because there is significant overlap with other areas of Brazilian law, for example in cases related to consumer, employment, and public interest law.

With the beginning of the ANPD compliance activities, it is likely that the number of such actions will increase.

You can access more information about the ANPD’s powers of sanction here.

ANPD issues draft resolution for micro and small businesses

On 30 August, the authority issued a new draft resolution dealing with the application of the LGPD to micro and small businesses, including for start-ups.

The resolution proposes simplified procedures in relation to such entities that do not regularly perform data processing activities. This more flexible approach is welcome as it balances the need for regulation with the day-to-day realities that such businesses face in the market.

The full resolution (in Portuguese) can be accessed here.

The resolution is currently open to comments from the public until 29th of September and will be updated by the ANPD based on this consultation process.

Standard Contractual Clauses for International Data Transfers

During the recently held 11th Internet Forum in Brazil, the Director of the Brazilian DPA (ANPD), Miriam Wimmer, confirmed that the authority is likely to choose the standard contractual clauses model for international data transfers as one of the authority’s first steps.

The Director announced they intend to do so firstly by issuing standard contractual clauses, but also implied that the Brazilian clauses will likely follow New Zealand’s model, with shorter, simpler clauses, instead of the European guidelines.

It seems that the ANPD is taking a pragmatic approach by opting to handle such movements in a manner that is cost effective for companies of varied sizes and with an understanding that such movements are an essential element in e-commerce transactions.

ANPD Guidelines on Data Processing Agents

Last May, the Brazilian DPA issued its first guidelines on the roles of Data Processing Agents (Controller/Processor) as well as on the role of the Data Protection Officer.

The authority’s guidelines closely resemble those of the European Data Protection Board on the same subject. As the LGPD is strongly inspired by the GDPR, similar guidelines on the subject and content are expected to be announced in the upcoming months.

The ANPD is also currently accepting comments from the public about the guidelines and these will be updated in future based on the consultation process.

While the first guidelines are non-binding in nature, they provide welcome clarity in relation to these positions.

The LGPD and Cookies

In Brazil, Law 12.965 (known as the Internet Civil Framework) previously regulated the use of Cookies on websites. While such practices were considered legal, the user had to be informed in a clear and precise manner. Further, express consent in advance was already needed for “third party type Cookies”.

The LGPD now provides for a broad definition of personal data, and following the European approach, most Cookies will certainly fall within its remit (unless the user is not identifiable or in situations where such data stays completely anonymous).

The use of Cookies in Brazil therefore requires careful consideration of the rules in the LGPD, including the principles of purpose, adequacy, free access, quality, necessity, security, prevention, non-discrimination, and accountability (Article 6).

Under the law, the purpose for which the data is collected and processed must be legitimate and strictly necessary, and the data subject must be clearly informed of such purpose.

Enjoyed this post?

With all the recent changes for privacy and data protection matters, companies must stay vigilant in all transactions involving personal data, especially when they involve sensitive data (i.e., data which helps to identify people).

With these updates we intend to keep you informed of the latest privacy and data protection matters in Brazil.

If you have any questions on any of these topics you can get in touch with us. We also invite you to sign up below and receive all the latest news and updates on matters related to intellectual property and technology in Brazil. Stay informed with Daniel Law!


