Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, held hearings July 15 and 16 where the public had the opportunity to offer 5-minute comments, via an online platform, on the draft regulation governing the ANPD's investigation powers and the application of penalties set forth in the General Data Protection Law.
The draft was based on the "responsive regulation" model. This model comes from Professor John Braithwaite's work and has been widely adopted by Brazilian governmental agencies in the drafting of new regulations. The main principles of this model are: "achieve outcomes by support and education to build capacity;" build interactions with regulated entities and individuals; and resort to the heaviest sanctions only in exceptional situations, while applying persuasion or counseling measures in most cases.
The draft regulation was published on the ANPD's website more than one month ago, giving the public plenty of opportunity to review it carefully and consider its possible consequences for data subjects and entities. These were the most controversial topics brought up by the participants.
Insufficient prior awareness of data privacy rights and obligations
Brazil still has a long way toward achieving a privacy culture. Corporations still regard LGPD sanctions as one more burden to be avoided instead of a business opportunity. Even though organizations acknowledge the importance of LGPD enforcement, several participants commented on the lack of government-led actions to promote awareness focused on data subject rights, compliance and data governance by controllers and processors. Any government sanctions should be preceded by adequate education on data privacy.
Unclear criteria for the calculation of administrative fines
Privacy professionals reported frustration that the draft failed to provide rules or criteria for the application of penalties, the calculation of administrative fines, and aggravating or mitigating circumstances. Considering that Article 53 of the LGPD provides that the ANPD should enact a regulation defining "the methodologies that will guide the calculation of the base amount for fines," there was a lot of expectation that the draft would address this legal requirement.
Notice concerns and short deadline for defense
The draft foresees that any notices or services of administrative processes will be considered successfully delivered within 10 days after the remittance of notice by the ANPD via electronic means, or effective immediately upon the publication of a call notice on the ANPD's website. Hence, international organizations may face a punitive administrative proceeding, with a short 10-day term for filing a defense, without proper notice. In fact, the 10-day term for filing a defense was heavily criticized since it is insufficient for the investigated party to gather evidence, depending on the size of the organization and the complexity of its data processing activities. A 30-day term, as applied by other government agencies, was suggested as a more reasonable approach.
Monitoring activities
The draft provides that the ANPD's monitoring of an organization can be triggered according to the number of data subject complaints or reported security incidents. Upon the end of the monitoring phase, the ANPD may start a punitive administrative proceeding. But the text does not clarify whether controllers and processors will receive notice of possible monitoring of their activities by the ANPD, or whether organizations will be given the opportunity to rectify any infringements of the LGPD upon completion of the monitoring phase.
Additionally, many questioned whether the ANPD's monitoring would consider the risk level of processing activities, the admissibility of data subject complaints, and proactive measures taken by organizations to ensure legal compliance. Since there is no clear defense proceeding in the monitoring phase and the draft expressly forbids any appeals against the start of a punitive administrative proceeding, organizations raised possible violations of due process and the right to a full defense, which are widely guaranteed in Brazilian law.
Concern about over-penalizing small and nonprofit organizations
Several commentators noted that enforcement actions would be applied without distinction to small and nonprofit organizations and large corporations. Such "equal treatment" was regarded by many as utterly disproportionate, since small businesses were still recovering from the COVID-19 crisis and did not have enough resources to invest in data privacy programs or adequate information security measures. For example, small and nonprofit entities should be afforded longer deadlines to defend themselves or respond to the ANPD's requests in an inspection process, receive discounted administrative fines, and be allowed to use security frameworks adequate and proportional to their size.
No prior consultation
Even though the draft provided for the ANPD's promotion of "measures aiming at the guidance, awareness and education of controllers and processors," these were not considered a priority in comparison to repressive actions. Additionally, the draft is not clear on whether a prior consultation mechanism or model clauses would be available. Several commentators highlighted that prior consultations would be essential to provide legal certainty to organizations and help them in their LGPD compliance efforts.
Confidentiality of the investigative process
Many participants highlighted that investigations should be confidential by default, rather than confidentiality being restricted to trade secrets or dependent on the organization's request. The draft is not clear on the circumstances in which the ANPD will accept a confidentiality request and does not take into account the confidentiality obligations in other pieces of Brazilian legislation that protect tax, banking or capital markets information.
Classification
Once the monitoring phase is complete, the ANPD will classify organizations in four different levels. Level I organizations are exempt from any measures. Level II organizations will receive a report from the ANPD with data subject complaints so they can adopt corrective measures. Organizations classified as level III will receive guidance or preventive measures from the ANPD, and those classified as level IV will receive preventive or repressive measures from the authority.
Organizations classified as level IV in two consecutive monitoring cycles will be sanctioned. Privacy professionals expressed concern that the classification is too simplistic and does not reflect the complexity of data processing activities, the maturity of privacy programs, or the information security practices adopted by organizations. Furthermore, a one-sided classification by the ANPD without an appeal or review mechanism may be illegal, considering the LGPD sets forth sanctions on a case-by-case basis.
Imprecision of the concept "regulated entities"
The draft uses the term "regulated entities," which applies without distinction to data subjects, controllers and processors. What about cases in which data controllers or processors are governmental authorities? The term "regulated entities" may lead to confusion regarding the roles performed during the investigative process, since the LGPD applies equally to "regulators" and private entities.
ANPD's lack of competence in recovery of damages
Some participants questioned the inclusion of "recovery of damages" in the description of "repressive measures" available to the ANPD. According to them, recovery of damages is the exclusive competence of the courts, since Article 55-J of the LGPD does not authorize the ANPD to resolve disputes between parties or to rule on damages. "Recovery of damages" should not be confused with administrative sanctions.
Lack of an independent board of review
Decisions issued by the ANPD are not subject to review by any other body. Any appeals will be directed to the office that issued the decision and decided by the ANPD Board of Directors. Commentators expressed doubt about the independence of the administrative controls and the adequacy of the review mechanisms. In any event, judicial review remedies are available in case any illegal decision needs to be struck down.
The ANPD has not yet provided any comments on these topics. Brazilian privacy professionals are looking forward to seeing the DPA's reaction to the proposed changes, and to what extent the final wording of the regulation will be responsive to their concerns. Considering that administrative sanctions will be in force next month, we expect the ANPD to respond to the comments in the next two to three weeks.