In a nutshell: Data protection, Privacy and Cybersecurity in Brazil



Overview

The concept of protection of privacy is not an innovation in Brazil. The privacy, private life, honour and image of individuals were considered inviolable, as well as fundamental rights, by the Brazilian Federal Constitution of 1988 (the Brazilian Federal Constitution).2

After many years of legislative discussions, in 2018 the Brazilian General Data Protection Act (Law No. 13,709/2018 (LGPD)) was enacted.3 This Law is considered the most important data protection law in our jurisdiction, and represents a big advance and an important step for Brazil, to guarantee the protection of individuals, define limits to data processing for companies and enable the expansion of Brazil's digital economy.

The LGPD came into force in September 2020, during the covid-19 pandemic and after a legislative race. At the end of 2020, the regulatory authority was constituted and its regulatory agenda was published, specifying the topics for discussion and the dates on which each will be addressed. The National Data Protection Authority (ANPD or Authority) is fully functioning and has already issued guidelines regarding the processing of personal data, as will be mentioned in the topic below.

The rights given in Article 5 of the Brazilian Federal Constitution are classified as fundamental rights. As described above, privacy is considered a fundamental right and, recently, the right to data protection was included in this list by the Constitutional Amendment 115 of 2022,4 which added the item LXXIX to Article 5.

The year in review

The covid-19 pandemic continued to emphasise the exponential growth of technology in people's daily lives, in companies' activities, in governmental roles, and in the fight against coronavirus. Other privacy-related challenges have arisen, as vaccination status and body temperature are considered sensitive personal health data. Technology has continued to be an important ally in the practice of medicine, in the home office, in online education and in relationships as a whole.

In Brazil, taking into account the context of the LGPD's effectiveness and as companies rush to adapt to the Law's provisions, the ANPD has taken shape and is acting with an initial awareness-raising and educational agenda.

In early 2021, the ANPD published Ordinance No. 11/2021,5 making public its regulatory agenda for the 2021–2022 biennium, which includes the main data protection issues such as the LGPD for small and medium-sized enterprises, data subjects' rights, data breaches and international transfers. In compliance with the published agenda, in March 2021 the ANPD published Ordinance No. 1, with the Authority's internal regulation, outlining its entire organisational structure for compliance with its legal attributions, and its activities and the main items that will be analysed in the coming months.

In February 2021, the ANPD took another important step in publishing explanations and notification requirements of data breaches on its website,6 clarifying what constitutes a data breach, what needs to be communicated to the ANPD and in which situations to communicate breaches to data subjects. The web page also includes a template of the communication form.

In May 2021, the ANPD followed up with the publication of two important and robust documents that will guide the actions of the Authority and public and private companies in the processing of personal data, namely: the Guidance on Definitions of Processing Agents and Data Protection Officer;7 and the Enforcement Rule,8 which addresses inspections and application of administrative sanctions imposed by the Authority.

The first document considers the concepts of personal data processing agents (controller and processor) and data protection officers (DPO). The guideline intends to establish non-binding directives, developing topics such as legal definitions, respective liability regimes, concrete cases and examples, and frequently asked questions. The ANPD, along with the Superior Electoral Court, has also published, in 2021, a Guideline on the Application of the LGPD by Processing Agents under the Electoral Context,9 which aims to instruct processing agents that participate in the electoral process. Its purpose is to seek to ensure the protection of data, the individuals' privacy, and the fairness of the electoral process, without obstructing the communication between candidate and citizen, which is necessary for the democratic process.

In October 2021, the ANPD issued the Guideline on Information Security for Small Processing Agents,10 which is defined as a guide of good practices addressed to small-size processing agents that, due to their size and possible limitations, often do not have people specialised in information security among their staff, and need to improve their security in relation to the processing of personal data.

Last but not least, in January 2022 the Authority issued a Guideline on the Processing of Data by Public Agents,11 which seeks to outline parameters that can assist public entities and bodies in the adequacy and implementation of activities with the LGPD.

Furthermore, Provisional Measure No. 1,124/2022 altered the nature of the Authority, which until then was only a body of the federal public administration with a transitory legal nature. With the conversion of the Provisional Measure into law, the ANPD will be considered a special independent governmental agency, defined by Brazilian law as an autonomous administrative entity, decentralised from the Public Administration and not hierarchically subordinated to ministries or the Presidency. This places the ANPD on the same level as the Brazilian Central Bank, ANATEL, and other Brazilian agencies. In practice, this will give the ANPD more autonomy in terms of its actions and decisions, and more confidence in relation to external bodies, creating an opportunity for Brazil to appear on lists of countries with an adequate level of data protection practices.

To be effectively converted into law, the Provisional Measure must go through a process of analysis and approval by the Brazilian National Congress, which can last for 60 days, extendable for an equal period. During this period there will be a recess of the Parliament's work, with the interruption of its activities from 18 July to 31 July, in addition to a presidential election, which may cause a delay in the deliberations on the matter. The ANPD's current Regulations will remain in force and applicable until the Provisional Measure is converted into law, which is expected to occur at the end of August 2022.