Privacy professionals are still working to make sense of what enforcement of Brazil's General Data Protection Law will look like when the law's grace period ends Aug. 1, 2021. Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, pulled back the curtain on its enforcement focuses with the recent release of its regulatory agenda and 2021–23 strategic plan.

ANPD Director Miriam Wimmer, CIPP/E, appointed to one of five seats on the regulator's board of directors in October 2020, spoke with The Privacy Advisor to discuss some of the board's work thus far and expand on the contents of the ANPD's outlined priorities.

The Privacy Advisor: First and foremost, what does it mean for you to be appointed to the ANPD? Did it come as a surprise?

Miriam Wimmer: Indeed, I was surprised and honored with the appointment to be a director at ANPD and am very excited about the opportunity to help build Brazil’s first data protection authority. As a professional civil servant, I have been working on data protection issues for many years and was deeply involved in the discussions that led to the approval of LGPD in 2018. In this sense, it is, for me, personally, a great privilege to be able to work on actually implementing the LGPD and help to promote this important cultural shift in Brazil with regard to privacy and personal data protection.

The Privacy Advisor: The board of directors appears to be diverse as far as privacy backgrounds go. How will the different expertise held by each director help the ANPD be an effective regulator?

Wimmer: The ANPD is headed by a board of five directors, in a model similar to what we have with regulatory agencies in Brazil. There are, of course, advantages and disadvantages in having a board of directors instead of a single commissioner — as is the case in some other countries. In my opinion, especially at this point in time, as we are creating the foundations of our DPA, it has been very helpful to have a board of directors with diverse backgrounds. Since we are building the ANPD from the ground up, a very diverse set of skills is needed. The ANPD’s board of directors includes members with legal and technical backgrounds and with varied professional experiences both in public and private sectors. These diverse outlooks have been extremely valuable at this initial stage of setting up the ANPD.

The Privacy Advisor: The ANPD’s strategic plan for 2021–23 has a top focus of “strengthening of the culture of protection of personal data.” Can you describe the ANPD’s definition of strengthening in this regard? What initiatives will help support this concept?

Wimmer: In fact, promoting a cultural change with regards to privacy is perhaps our most important mission. Unlike European countries, with a long history of laws, public institutions and court decisions on privacy and personal data protection, this is a very recent discussion in Brazil. Before the LGPD was approved, we had a very fragmented legal framework, with a patchwork of horizontal and sector-specific rules that was very difficult to navigate.

The approval of LGPD was undoubtedly a very important first step, and the challenge now is to incentivize compliance and raise awareness. We have listed a number of initiatives that will support this goal, which include capacity building projects, drawing up guidelines and recommendations, monitoring violations to the LGPD, and promoting constructive engagement with public and private organizations, including international organizations and DPAs in other countries. In this sense, we have already begun to negotiate cooperation agreements with the Brazilian Secretariat for Consumer Relations, with the Brazilian Internet Steering Committee and other public bodies that can assist us in achieving this goal.

The Privacy Advisor: As far as an initial regulatory strategy goes, do you and your fellow directors believe guidance or enforcement actions will help to best set expectations and standards for LGPD compliance? Can there be a balance between both?

Wimmer: The board has been very open about the importance of education and guidance to stimulate LGPD compliance. It is clear the LGPD provides a framework that seeks to promote corporate accountability and is based not only on traditional forms of command-and-control regulation but also on more responsive forms of regulation. While we firmly believe in the importance of providing guidance and promoting responsible behavior by controllers and processors, it is, of course, also necessary to be able to apply sanctions when necessary. In this sense, the challenge is, indeed, finding a middle ground between guidance and enforcement to ensure that data subject rights are adequately protected.

The Privacy Advisor: With LGPD administrative sanctions slated to take effect Aug. 1, 2021, should we expect to see swift and decisive actions when that date arrives? Is there any concern about being too strong or too weak when it’s time to start serving penalties?

Wimmer: We are currently working on the regulation that will define the methodologies for calculating fines and the administrative procedures for applying sanctions. Before approval, the regulation must also be submitted to a regulatory impact assessment, public consultation and public hearing.

It is important to note the LGPD also provides for a number of parameters that must be observed when applying sanctions, which include aspects such as the good faith of the offender and the adoption of internal mechanisms and procedures that may minimize the negative impacts of the violation. Sanctions can only be applied after an administrative procedure providing full opportunities for defense.

For all these reasons, we are confident we will be able to strike the right balance when we begin serving penalties.

The Privacy Advisor: Scheduled in the 2022 portion of the strategic plan are guidelines for international data transfers. Given the current attention being paid to transfers in the EU and U.S., was there any thought to addressing data transfers in the near term rather than the future? Does the ANPD have any preliminary tips on how to proceed with data transfers in the interim?

Wimmer: Publishing our strategic plan and regulatory agenda was meant to communicate with the public, in a very transparent manner, on what we will be focusing on over the next two years. It was certainly not easy to draw up these documents, and we had to make difficult choices in terms of priorities.

Given the importance of cross-border data flows in our increasingly digital economy, our decision was to include international transfers in our list of priorities and to initiate formal regulatory procedures in the first semester of 2022, after we deal with pressing issues regarding domestic implementation of the LGPD.

It is important to note that although formal procedures are scheduled to begin next year, we are already initiating discussions with our counterparts in other countries to better understand which mechanisms could be more effectively developed in Brazil.

Similar to the EU General Data Protection Regulation, the LGPD provides for a portfolio of mechanisms for international data transfers, including adequacy decisions, standard contractual clauses, binding corporate rules and certifications. Our priority is currently identifying which of these instruments we should focus on developing to provide effective and uncomplicated mechanisms for organizations, including smaller businesses, to transfer data to and from Brazil while maintaining a high level of data protection for individuals.

The Privacy Advisor: Data leaks in Brazil are becoming more prevalent, and the number of people affected is growing with each incident. In the ANPD’s preliminary view, is this a problem related more to the growing sophistication of bad actors or potential negligence by organizations?

Wimmer: Data leaks have, in fact, become a huge concern in Brazil, especially considering the extent of the breaches and their impact on the Brazilian population. Investigations are still ongoing, and it is not yet clear who is responsible for these leaks, but there is some evidence to suggest the possibility of these data breaches not being recent, but the result of different leaks over several years.

At this point, several public organizations are involved in investigations and the adoption of measures to mitigate the risks, and we hope that these dramatic events will also serve as a wake-up call for organizations to improve their privacy governance programs and their security mechanisms, both from an administrative and technical standpoint.

Photo by Agustin Diaz Gargiulo on Unsplash