Structure and enforcement powers of the Brazilian DPA
The ANPD will be the federal entity responsible for overseeing, issuing guidelines on and enforcing data protection laws in the country. While the government did not want to create new expenses with such an authority (mostly due to fiscal responsibility concerns), one of the major concerns was creating an independent agency. The ANPD is a government entity subordinate to the cabinet of the presidency, created with no increase in expenses, but the LGPD expressly provides that the “ANPD has technical and decision-making autonomy.” The ANPD will have two important bodies within its organization: the Board of Directors and the National Council. The Board of Directors will have five members, nominated by the president and with expertise in privacy and data protection, and will be responsible for the decisions taken by the ANPD. The National Council, a multi-representative committee with 23 members drawn from the government, civil society, research (scientific and technological) institutions, the private sector and labor, will play the role of an advisory board.
The main powers of the ANPD include:
- Issue guidelines for the implementation of the LGPD and for the national policy on data protection and privacy.
- Examine complaints from data subjects.
- Investigate (with powers to audit) and apply sanctions.
- Prepare studies and educate society.
- Encourage the adoption of standards for services and products that facilitate data subjects’ control over their personal data.
- Promote cooperative actions with data protection authorities from other countries.
The ANPD will be the main government entity responsible for the interpretation of the LGPD. In order to avoid multiple investigations of the same events, the LGPD expressly establishes that the ANPD will have prevailing jurisdiction to enforce data protection laws over the overlapping jurisdiction of other public entities or bodies, such as the consumer protection ones, but it must coordinate enforcement actions with those other bodies and entities.
Other important changes
Grace period: The LGPD originally provided that it would enter into force in February 2020. Provisional Measure No. 869 extended the deadline for organizations to become compliant with the LGPD, and the entry into force date moved to August 2020.
Penalties: Another important change relates to the inclusion of the penalties of total or partial suspension of the database, or of the illegal processing operation, for up to six months and, after a less burdensome sanction has been applied, permanent prohibition from carrying out data processing activities. Such penalties were originally provided in the LGPD but vetoed by the president in August 2018.
Sensitive data: Specific changes were made to allow the processing of health data for the protection of health, making the rules more flexible for health care service providers. Another change relates to the prohibition of the shared use of sensitive data, which now sets forth that:
- The communication or shared use of any sensitive personal data (including health data) between organizations with the purpose of obtaining economic advantage may be further regulated and/or prohibited by the ANPD.
- The communication or shared use of health-related data is prohibited, except when related to the provision of health services, pharmaceutical and health care assistance (e.g., in services of diagnosis and therapy; to allow data portability, upon the individual request; or in financial and administrative transactions resulting from the use and provision of services to the individual).
Risk assessment in insurance: The processing of sensitive health data by private health care providers for the selection, acceptance or exclusion of beneficiaries (risk analysis) is now expressly prohibited. Although this is a new prohibition from a privacy perspective, such practice had already been prohibited by the National Regulatory Agency for Private Health Insurance and Plans since the beginning of private health activities in Brazil.
Data protection officer: The data protection officer (known as the “encarregado”) must now be appointed both by the controller and by the processor; before, only the controller had to appoint a DPO. The ANPD, however, will determine the cases in which the processor must appoint a DPO and whether one DPO may be appointed for an entire economic group. The data protection officer acts as the communication channel between the controller, the data subjects and the ANPD. Provisional Measure No. 869 added the requirement that the DPO have legal-regulatory knowledge and be capable of providing specialized services, with specific regulatory and legal knowledge of data protection.
Very small enterprises and startups: The ANPD now has express jurisdiction to establish different deadlines and procedures for micro and small enterprises, startups and innovation companies in order to facilitate compliance with the standards of the LGPD.