Since its entry into force in 2020, the LGPD has come a long way, but there are several legal issues relating to the protection of personal data that still need further refinement.
One of the main changes since the enactment of the LGPD has been the change in the legal nature of the National Data Protection Authority (ANPD), which represented an important step in the process of adapting Brazilian regulation to international data protection standards. Originally created as part of the Federal Public Administration and linked to the Presidency, the ANPD was recently transformed into an independent agency. This status has effectively given the ANPD technical and decision-making autonomy.
The ANPD is currently carrying out all of its inspection and sanctioning functions except for the application of fines, which was the subject of discussion in public consultation (as mentioned below). The ANPD has already issued the following resolutions:
In order to provide guidance to data processors on the subject of personal data protection, ANPD (alongside several other entities and authorities) has also published and updated several guidelines and technical documents on its official website, covering a variety of specific data protection topics.
Nevertheless, there are still several LGPD provisions pending clarification and/or regulation by the ANPD. In this regard, in August of 2022 the ANPD opened four public consultations on the following matters.
ANPD’s Regulatory Agenda for the biennium 2023-2024
Aiming to confer greater publicity, predictability, transparency, and efficiency to its regulatory process, as well as to improve the relationship with processing agents, the agency published a call for public comments with the main topics pending regulation to be classified by the public in order of priority and relevance.
After the contributions by the public, the ANPD approved its Regulatory Agenda for 2023-2024 at the end of 2022. Overall, the Agenda foresees 20 initiatives, classified into phases by order of priority.
Resolution on the Application of Administrative Penalties
The draft Resolution on the Application of Administrative Penalties sets out a methodology for the application of the sanctions provided for in the LGPD, seeking to ensure that its decisions are effective, transparent, objective and consistent. Finalising this regulation is the main pending issue before the ANPD begins to apply fines. Among the most relevant points of the draft proposed by the agency are:
Resolution on High-Risk Personal Data Processing
This consultation stems from the provisions of a 2022 regulation that provides the criteria for defining when the processing performed is of high risk to the data subjects. Although the regulation relaxes some of the obligations provided for in the LGPD, small-sized data processing agents who carry out high-risk processing will not be able to benefit from this differentiated legal regime. In light of this, the ANPD is preparing a guideline to assist small data processors in the evaluation of their personal data processing.
Regulation on the Processing of Children and Adolescents’ Personal Data
Given the importance and controversial nature of this topic, the LGPD has reserved a specific section for the personal data processing of children and adolescents, establishing that such processing must be carried out in the best interests of these data subjects. To this end, the ANPD has prepared a preliminary study on the legal rules applicable to the personal data processing of children and adolescents. In this study, the agency addressed especially the mandatory collection of consent from legal guardians for the processing of children’s personal data, as well as its implications.
Recent surveys indicate that most Brazilian companies are not compliant with the LGPD. At the same time, incidents involving personal data continue to grow in the country, placing Brazil among the countries with the highest total number of data incidents. Although the ANPD has shown that it is aware of the need to invest time and effort in raising awareness about personal data protection before taking a more aggressive stance, organisations must commit to LGPD compliance.
In the first half of 2023, we expect:
We also expect regulation by the ANPD on:
Although enormous challenges lie ahead for the full implementation and proper enforcement of the LGPD, the advances in these last four years have brought the certainty that data privacy and the protection of personal data are rights that are here to stay.
In light of these advances, it is expected that the gaps in the LGPD will soon be filled, bringing greater legal certainty to organisations and more effective protection for personal data subjects in a global scenario of increasingly data-driven economies.