National Data Protection Authority
The Brazilian Data Protection Law (LGPD) begins to assume greater weight with the creation of the National Data Protection Authority. To enlighten the power and competences assumed by the agency, partners Mirella da Costa Andreola de Almeida and Renata Almeida Pisaneschi wrote an article for the new edition of RECHT & STEUERN, organized by Câmara de Comércio e Indústria Brasil-Alemanha.
The Brazilian National Data Protection Authority
Law no. 13709, as of August 14, 2018 (“LGPD”), governs the personal data protection in Brazil. The original articles 55, 56 and 57 of the LGPD provided for the National Data Protection Authority (“ANPD”) and the National Council for Data and Privacy Protection, but were vetoed by the President for procedural reasons.
However, Provisional Measure no. 869, as of December 27, 2018 (“MP”), included new language to the LGPD to create and regulate the ANPD in articles 55, letters A through K.
It is important to highlight that the MP is subject to approval by the National Congress within a 60-day term (with the possibility to extend for one additional 60-day term), otherwise it will become ineffective.
According to the language added by the MP, the ANPD is a federal governmental body, who has technical independence, and the members of its board shall be Brazilian citizens, with good reputation, superior degree and have significant specialty to occupy the position they are being appointed to. The main reason for the existence of the ANPD is to ensure effectiveness of the LGPD and the enforcement of its provisions in the administrative level.
Their competences are listed in the MP and generally involve normative and supervision powers, as well as preventive duties to improve data protection, among others. In detail, the ANPD has powers to:
(i) watch over personal data protection;
(ii) issue rules and procedures about personal data protection;
(iii) resolve on the interpretation of the LGPD and omissions;
(iv) request information from personal data operators and their controlling parties who treat personal data;
(v) implement simplified mechanisms to register claims about personal data treatment in breach of the LGPD;
(vi) inspect and impose penalties in case of data treatment in breach of the LGPD;
(vii) inform competent authorities about criminal offenses it becomes aware of;
(viii) inform internal control bodies about the breach of the LGPD performed by bodies and entities of the federal government;
(ix) disseminate knowledge about data protection rules and public policies and about security measures;(x) stimulate adoption of standards for services and products that help the control and protection of personal data by the data holders;
(xi) prepare reports on national and international data protection and privacy practices;
(xii) promote cooperation actions with personal data protection authorities from other countries;
(xiii) carry out public consultations to gather suggestions about matters of relevant public interest in the field of action of the ANPD;
(xiv) hear the entities and bodies of the government responsible for the regulation of specific economic fields before issuing resolutions;
(xv) interact with public regulating authorities to exercise its powers in specific economic and governmental fields subject to regulation; and (xvi) prepare annual management reports about its activities.
The MP established that the ANPD has exclusive competence to impose penalties and its powers shall prevail over the powers of specific governmental entities or bodies in connection with personal data protection. Additionally, the ANPD shall be the central body to interpret the LGPD and to issue rules and guidelines for its implementation.
The LGPD provides for several types of administrative penalties that may be imposed by the ANPD, including fines, suspensions and measures to eliminate or block personal data. In any case, the penalties shall be preceded by an administrative proceeding to be carried out by the ANPD, in which the company or individual must be granted broad defense, and the penalties shall consider certain parameters and criteria, including gravity of the breach, good faith, economic condition, damage level, prompt adoption of correction measures, proportionality.
The ANPD has the duty to report possible criminal offenses to the applicable authorities and the penalties imposed by the ANPD do not avoid or replace civil indemnification claims involving the persons affected by the breach and the responsible parties. Moreover, other administrative penalties provided for in specific laws may also apply.
The individuals and companies subject to the obligations of the LGPD will have to interact with the ANPD to the extent that they will be supervised by it and will have to provide information, documents and grant access to possible inspections.
Therefore, it is important to be prepared to always have proper support documents and evidences to present to the ANPD in case of request, to have a contact person in charge of dealing with and relating to the ANPD in compliance with the LGPD, to monitor and react as promptly as possible to minimize adverse effects of possible claims.
Of course, it will take some time for companies subject to the LGPD to have a clear picture of their needs in relation to the ANPD. Only after the actual structuring and the beginning of the activities of the ANPD it will be possible to have a better understanding of their demands and of the extent of the interactions between the companies and the ANPD. In any case, it is advisable to closely follow up and be updated about any developments related to the ANPD and the LGPD and to actively participate in public consultation procedures in order to allow the implementation of reasonable and effective policies and regulations.
At last, it is worth remembering that the conversion of the MP into a law is required to confirm the creation of the ANPD and its powers. This is supposed to occur by the end of February or at the latest by the end of April 2019.