The sudden implementation of Brazil's General Data Protection Law proved dizzying for the local and global privacy communities alike. While there continues to be a learning curve and much to sort out under the law, privacy professionals are, in fact, pleased with the progress taking place in Brazil.
The steps forward continued Oct. 20, 2020, as Brazil's Senate confirmed President Jair Bolsonaro's five nominations to the board of directors for Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados. Waldemar Gonçalves Ortunho Junior will serve a six-year term as the ANPD's president. Arthur Pereira Sabbat, Miriam Wimmer, CIPP/E, Nairane Farias Rabelo Leitão and Joacil Basilio Rael were appointed to the remaining director positions for terms ranging between two to five years.
Following suit with the LGPD's whirlwind theme, there were just five days between the announcement of Bolsonaro's nominations and their confirmation in an abbreviated Senate session. IAPP Country Leader for Brazil Dirceu Santa Rosa said Brazil's privacy community was surprised by the quick turnaround from nomination to confirmation, but overall, the president's selections and decision to act on appointments so quickly were a welcomed development.
"We really thought this was something they were going to look into next year," Santa Rosa said. "This was all very quick, even for Brazilian standards, but it's really good to see them starting. Especially considering data privacy kind of fell off the agenda of the opposing party and onto the president's desk."
There was no formal information regarding how Bolsonaro decided on his nominations. It is unknown whether there was set criteria or specific qualifications, though, four of the five choices have prior telecommunications or information security experience.
Ultimately Bolsonaro had the final word on the appointment; however, various entities, including the Brazilian Association of Information and Communication Technology Companies, were welcome to submit candidate recommendations for Bolsonaro to consider.
Privacy professionals anticipated some of the appointees would be individuals who have been embedded in Brazil's privacy debate or carry a deep privacy background. Wimmer, the director of telecommunications policies at the Ministry of Communications, certainly satisfies that expectation with her prior responsibilities in crafting Brazil's digital strategy. During an IAPP LinkedIn Live session on the LGPD, Brazilian lawyer Danilo Doneda characterized Wimmer's track record in privacy and information security as "competent and extraordinary."
Leitão, a partner at Serur Advogados specializing in data protection, and Sabbat, director of the Information Security Department of the Institutional Security Office of the Presidency of the Republic, are IAPP members like Wimmer.
A question mark among onlookers was how the military backgrounds held by Ortunho, Rael and Sabbat translated to data privacy. Doneda indicated a military presence is a common practice throughout Brazilian agencies.
"I'd say more than 2,000 people of military background are ranked officials in federal and public administration. The ANPD is not different from most of the public offices, so it's not a surprise," Doneda said. "These backgrounds are mostly on the level of military cryptography and information systems. So the idea of having a fundamental right that needs to be protected may not come naturally for people with this background."
The lack of data protection experience may create some early obstacles, but there's little evidence suggesting the ANPD and its directors can't simply avoid or overcome any potential hurdles. Santa Rosa said each director displayed a good deal of enthusiasm and readiness while appearing before the Senate for their confirmations.
"Everyone showed that they had some level of knowledge and that they're committed to standing up the authority," Santa Rosa said. "They're interested in making the authority active, which is important here. Just having it on paper is very difficult to navigate."
Photo by Rafaela Biazi on Unsplash
Brazil’s LGPD may require 50,000 data protection officers.
If you want to comment on this post, you need to login.