Brazil’s General Data Protection Law is now in effect. Much like the EU General Data Protection Regulation, the LGPD has extraterritorial applicability, meaning any organization processing personal data in Brazil must comply with the law irrespective of the company’s location. One of the LGPD’s requirements for such companies under Article 41 is that they must appoint a data protection officer to be “in charge of processing personal data.” Given the prevalence of data processing in today’s digital economy, we estimate approximately 50,000 DPOs are needed in the immediate term to comply with the LGPD.
Precisely how many DPOs are needed in response to the law’s entry into force is not entirely clear. Article 41 states only that “the controller shall appoint an officer to be in charge of processing personal data” and provides a short list outlining the DPOs responsibilities. There is nothing in the article limiting the applicability of the requirement to companies above a certain size or processing a certain quantity of personal data. As written, the requirement is applicable to every controller processing any personal data.
Assuming most companies today process at least some personal data, the text of the law tends to indicate that roughly 4.5 million Brazilian companies (not to mention foreign companies subject to the LGPD) would need to appoint DPOs in response to the law. Clearly, that number is not a realistic estimation. Ninety-nine percent of Brazilian businesses are small organizations often only employing one or two people and are likely not the intended target of this new requirement.
Thus, the applicability of the requirement is unlikely to remain unbounded indefinitely.
Thankfully, clarity on the subject does not require an amendment to the law. Rather, the guidance and limitations are expected to come from the national authority, the Autoridade Nacional de Proteção de Dados, which is authorized under Section 3 of Article 41 to “establish complementary rules about the definition and the duties of the officer, including situations in which the appointment of such person may be waived, according to the nature and the size of the entity or the volume of data processing operations.”
Unfortunately, the ANPD doesn’t yet exist to establish such rules. This is problematic given the law is now enforceable.
Consequently, even if the ANPD is expected to limit the DPO requirement, Brazil’s constitutional grant of a private right of action, in addition to the local authorities’ enforcement abilities, means that until the ANPD provides clarity on the subject, failure to appoint a DPO could expose even the smallest organizations to costly penalties. Many of these small organizations may feel compelled to appoint a DPO while they await the ANPD’s guidance.
The question remains: How might future ANPD guidance influence the number of DPOs needed under the LGPD? And, how many DPOs will likely be needed in practice?
We took each of these questions in turn to estimate the lower and upper bounds of DPO needs, respectively. The law permits the ANPD to issue further limitations “according to the nature and the size of the entity or the volume of data processing operations.”
We think the ANPD could restrict the DPO obligations to large companies processing personal data, perhaps those with more than 250 employees, in addition to companies of any size engaged in large-scale processing.
Regarding the first option, publicly available statistics from IBGE indicate there are roughly 12,100 large companies in Brazil. If the ANPD decided to apply the requirement only to large companies, approximately 12,100 DPO positions would be needed. This is the most conservative calculation option and does not take into account foreign companies subject to the law’s extraterritorial scope.
Alternatively, if the ANPD decided to take the latter approach, we suspect that up to 50% of all Brazilian companies in certain sectors (these include transport, storage and mail; accommodation and food; information and communication; human health and social services; and professional scientific and technical activities) and up to 100% of all companies in others (financial, insurance and related service activities) process data on a large scale and would therefore require a DPO. This calculation recognizes many smaller companies, in addition to large companies, conduct large-scale processing of personal information.
If the ANPD were to institute such a requirement, the number of estimated DPO positions needed gets very large very quickly. In comparison to the 12,100 suggested before, this method of calculation suggests approximately 669,100 DPO positions within Brazil could be required by the LGPD.
Given the size of the Brazilian economy (as measured by gross domestic product) is roughly only 10% of the EU’s economy and that previous IAPP research found about 500,000 organizations registered DPOs in Europe during the first year following adoption of the GDPR, the estimation that almost 700,000 DPO positions are needed seems high.
Given the previous two options, alone or in combination, are mostly theoretical at this point, we considered organizations’ experience under the GDPR to glean insight into what we might expect in Brazil in practice. Whether the companies that appointed a DPO in response to the GDPR were all legally required to do so or whether some did so to err on the side of caution or as a good business practice is not apparent.
It seems reasonable to assume the experience in Brazil would be similar or even more cautious given the possibility of private litigation. Assuming the number of organizations subject to the LGPD in comparison to the GDPR will be roughly proportional to each country’s market size, we estimate the LGPD could generate a need for around 50,000 — 10% of 500,000 — DPO positions.
Ultimately, without further guidance from the future ANPD, millions of organizations could face a legal requirement to appoint a DPO. Currently, the number of likely new DPO positions ranges from more than 12,100 to 4.5 million plus (considering foreign companies).
However, as outlined above, we think it far more likely that the true number will be around 50,000.
Photo by Isabela Kronemberger on Unsplash