ANPD issues a Guideline on the Processing of Personal Data by Public Authorities


ANPD issues a Guideline on the Processing of Personal Data by Public Authorities


The Brazilian Data Protection Authority published the Guideline on the Processing of Personal Data by Public Authorities. The Guideline begins by mentioning the term broadly defined by the LGPD, “Public Authorities”, and includes bodies or entities of the federative entities (Union, States, the Federal District and Municipalities) and of the three Branches (Executive, Legislative and Judiciary), including the Courts of Accounts and the Public Prosecutor Office. The concept of Public Authorities also includes: (i) notary and registry services; and (ii) public companies and government-controlled corporation, in the latter case, provided that (ii.i.) they are not operating under a competitive regime; or (ii.ii) implement public policies within the scope of their execution. All of these must comply with the provisions of the LGPD regarding the processing of personal data.

LGPD also aims to ensure that personal data are used transparently and for legitimate purposes, while guaranteeing the rights of individuals. Specifically in relation to Public Authorities, LGPD provides that the ANPD may request specific information on the scope, nature of the data and other details involved in the processing operation, as well as carry out audits on the processing of personal data. It is important to note that the Government is not exempt from the sanctions provided for by law, except in relation to the simple or daily fine penalties. The national authority has exclusive competence to apply the administrative sanctions provided for in the LGPD, with prevalence of its competences over other related entities and bodies of the public administration with regard to the protection of personal data.

Finally, it is important to emphasize that the public official who violates the LGPD is also liable to personal and autonomous administrative liability, according to Decree-Law No. 4,657, of September 4, 1942. Thus, if the public official processes personal data improperly, such as, for example, selling databases, altering or deleting records inappropriately or using personal data for illegitimate purposes, he or she can be held liable for practicing an illegal act.

In this regard, LGPD establishes that the ANPD must act in coordination with other public bodies and entities, aiming to ensure the fulfillment of its attributions with greater efficiency and to promote the proper functioning of the regulated sectors.

For this Guideline, ANPD considered the questions sent to the entity and the peculiarities of the processing of personal data by the Government, as well as the provisions of the Regulatory Agenda for the 2021-2022 biennium, and therefore the analysis of the published document was limited to the following legal basis: consent, legitimate interest, compliance of legal and regulatory obligation and implementation of public policies.

The Guideline explains the use of the legal basis cited above by Public Authorities and enlighten us with examples of what may be applicable on a day-to-day example and what may not. For example, it states that consent, in many cases, will not be the appropriate legal basis to justify the processing,  because there is a disbalanced relation between the individual and the Public Authority, which makes the consent invalid. Nevertheless, the Guideline also gives us an example of how consent may be used in a relation between those two, to elucidate on how it is possible to use consent in these cases. Furthermore, with regard to the principles listed by law, as a general rule, the Guideline determines they must be interpreted together and in a systematic way with the provisions of Chapter IV of the LGPD, in which specific rules directed to the Public Authorities are found. For example, the principle of purpose, in view of the provisions of the LGPD and in view of the international experience on the subject, it is recommended to assess the compatibility between the original purpose and the secondary use of personal data. This assessment must take into account the following aspects: (i) the relevant context and circumstances of the specific case; (ii) the existence of a factual or legal connection between the original purpose and that on which the subsequent processing is based; (iii) the nature of personal data, adopting a position of greater caution when sensitive data is being processed; (iv) the legitimate expectations of the individuals and the possible impacts of further processing on their rights; and (v) the public interest and the specific public purpose of the further processing, as well as its link with the legal competences of the bodies or entities involved.