As the curtains close on his mandate, Brazil’s President Michel Temer enacted a provisional measure — similar to an executive order in the U.S. — that was published in the Official Gazette Dec. 28, 2018, creating the Brazilian Data Protection Authority (Autoridade Nacional de Proteção de Dados or ANPD) and altering several provisions of the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados or LGPD).

The act was highly anticipated by the market for a very clear reason: Without a data protection authority there would be no one to regulate and supervise the effective compliance with the legislation, thus drastically reducing its efficiency, especially considering that a large part of the provisions of the LGPD demand further regulations, such as a definition on how to handle data breach notifications.

The act was highly anticipated by the market for a very clear reason: Without a data protection authority there would be no one to regulate and supervise the effective compliance with the legislation... 

Although highly expected by all sectors of the economy, the provisional measure that created the ANPD brings a lot of questions regarding the model adopted for its structure and the other changes made to some provisions of the LGPD.

According to the text published in the Official Gazette, the ANPD will be directly linked to the Office of the President of the Republic and the members of its highest decision-making body, the Directing Council, will be appointed by the president. There is no legal provision that requires the approval of the Senate for these appointments, such as occurs with the appointments to the Administrative Council for Economic Defense, the Brazilian antitrust agency.

In other words, the so much desired independence of the national authority is suddenly lost. If it is up to the president to appoint and dismiss the members of the Directing Council, there will be an undeniable political influence on the ANPD, making it an agency highly attached to the orientations and guidance of the President of the Republic.

The lack of independence may also leave Brazil out of the list of countries recognized as adequate by the European Union for international transfers of personal data. One of the most relevant requirements for the declaration that another jurisdiction has a level of protection of personal data compatible and adequate with the one adopted in Europe is precisely the existence of an independent supervisory authority, as set forth in Article 45(2) of the EU General Data Protection Regulation.

It is worth remembering that other countries in South America, such as Argentina and Uruguay, already have adequacy decisions in place that allow international transfers of personal data from the EU to these jurisdictions, an aspect that inevitably translates into competitive advantages to businesses established in those countries.

Another interesting point is that the provisional measure determined the creation of the ANPD without any increase of expenses, although the agency will be composed of a Directing Council, an internal affairs office, an ombudsman office, a proper legal advisory office, administrative units and by the National Council of Protection of Personal Data and Privacy, the latter composed of 23 members, whose functions will not be remunerated.

That is undoubtedly a large structure for a federal administration body that holds a number of important mandates, such as disseminating knowledge about privacy and data protection to society, engaging in cooperation with other jurisdictions, enforcing compliance with the law and investigating possible violations.

It is hard to imagine that an agency like that, which will need several resources to function properly, both human and financial, might be able to exist without increasing public expenditure. In a country that is already tainted by corruption scandals, it seems that a new door opens for serious problems in the future.

In a country that is already tainted by corruption scandals, it seems that a new door opens for serious problems in the future.

The provisional measure also sets forth that the commissioned positions and the functions of confidence of the ANPD will be fulfilled by the relocation of public servants of other federal agencies that already have an insufficient number of employees due to the absence of resources for hiring more people. The relocation of public servants to the ANPD could mean the collapse of several federal agencies such as INSS (Brazil’s social security agency) and Anvisa (Brazilian sanitation agency).

On the other hand, there are positive aspects brought by the provisional measure such as the definition that the ANPD will have exclusive jurisdiction to apply the sanctions provided for in the LGPD and will be the central body for interpretation of the legislation, prevailing over other bodies acting in the Brazilian National System of Consumer Defense. This was one of the major concerns of the market as PROCONs (agencies focused on protecting consumers’ interests) and public prosecutors could try to avail themselves of the LGPD to directly enforce the high fines provided for by law and to adopt different interpretations on privacy and data protection issues, creating legal uncertainty and causing legal disputes to review such sanctions.

The extension of the LGPD’s grace period from 18 to 24 months was also positive. Now, the law will come into effect as of August 2020, allowing a longer adaptation time for companies that have not yet implemented a privacy program.

Some of the other changes to the LGPD are also worth mentioning. The original text of the law stated that every controller should designate a data protection officer and that the DPO should necessarily be a natural person. Although the provisional measure has not taken down the obligation of assigning a DPO (something that could certainly change with further regulations issued by the DPA), it has removed the requirement that the DPO should be a natural person, thus permitting that legal persons fulfill this role, as it happens with the GDPR.

Moreover, the LGPD originally set forth that data subjects had the right to demand a review, by a natural person, of decisions that have been taken solely based on the automated processing of their personal data. There is no longer a requirement that the review is conducted by a natural person, which could strip any value this provision of the law had before. If the data subject is unable to get any human intervention in these situations, controllers can comply with the law by simply running the automated processing algorithm again, as this could be interpreted as of a review, this time conducted by a computer.

It is important to note that in order to become a law, the provisional measure must be approved by Congress within 60 days as of its publication in the Official Gazette; a term could be extended for another 60 days if needed. The contents of the provisional measure might also be altered by Congress during that time. In case the provisional measure is rejected, or if it fails to be approved within the extended deadline, it becomes void. Therefore, we still have a long way to go before being certain that Brazil’s DPA structure will remain as it stands right now.

It remains to be seen if the provisional measure will undergo future changes and if it will be later converted into law. For many, the creation of the ANPD is a late Christmas present. However, only time will tell if this was not a curse in disguise.

photo credit: ruifo Brasil via photopin (license)