News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Wimmer discusses ANPD's LGPD buildup, priorities Related reading: Top-5 operational impacts of Brazil’s LGPD: Part 5 — Enforcement mechanisms and sanctions

rss_feed

""

Privacy professionals are still working to make sense of what enforcement of Brazil's General Data Protection Law will look like when the law's grace period ends Aug. 1, 2021. Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, pulled back the curtain on its enforcement focuses with the recent release of its regulatory agenda and 2021–23 strategic plan.

ANPD Director Miriam Wimmer, CIPP/E, appointed to one of five seats on the regulator's board of directors in October 2020, spoke with The Privacy Advisor to discuss some of the board's work thus far and expand on the contents of the ANPD's outlined priorities.

The Privacy Advisor: First and foremost, what does it mean for you to be appointed to the ANPD? Did it come as a surprise?

Miriam Wimmer: Indeed, I was surprised and honored with the appointment to be a director at ANPD and am very excited about the opportunity to help build Brazil’s first data protection authority. As a professional civil servant, I have been working on data protection issues for many years and was deeply involved in the discussions that led to the approval of LGPD in 2018. In this sense, it is, for me, personally, a great privilege to be able to work on actually implementing the LGPD and help to promote this important cultural shift in Brazil with regard to privacy and personal data protection.

The Privacy Advisor: The board of directors appears to be diverse as far as privacy backgrounds go. How will the different expertise held by each director help the ANPD be an effective regulator?

Wimmer: The ANPD is headed by a board of five directors, in a model similar to what we have with regulatory agencies in Brazil. There are, of course, advantages and disadvantages in having a board of directors instead of a single commissioner — as is the case in some other countries. In my opinion, especially at this point in time, as we are creating the foundations of our DPA, it has been very helpful to have a board of directors with diverse backgrounds. Since we are building the ANPD from the ground up, a very diverse set of skills is needed. The ANPD’s board of directors includes members with legal and technical backgrounds and with varied professional experiences both in public and private sectors. These diverse outlooks have been extremely valuable at this initial stage of setting up the ANPD.

The Privacy Advisor: The ANPD’s strategic plan for 2021–23 has a top focus of “strengthening of the culture of protection of personal data.” Can you describe the ANPD’s definition of strengthening in this regard? What initiatives will help support this concept?

Wimmer: In fact, promoting a cultural change with regards to privacy is perhaps our most important mission. Unlike European countries, with a long history of laws, public institutions and court decisions on privacy and personal data protection, this is a very recent discussion in Brazil. Before the LGPD was approved, we had a very fragmented legal framework, with a patchwork of horizontal and sector-specific rules that was very difficult to navigate.

The approval of LGPD was undoubtedly a very important first step, and the challenge now is to incentivize compliance and raise awareness. We have listed a number of initiatives that will support this goal, which include capacity building projects, drawing up guidelines and recommendations, monitoring violations to the LGPD, and promoting constructive engagement with public and private organizations, including international organizations and DPAs in other countries. In this sense, we have already begun to negotiate cooperation agreements with the Brazilian Secretariat for Consumer Relations, with the Brazilian Internet Steering Committee and other public bodies that can assist us in achieving this goal.

The Privacy Advisor: As far as an initial regulatory strategy goes, do you and your fellow directors believe guidance or enforcement actions will help to best set expectations and standards for LGPD compliance? Can there be a balance between both?

Wimmer: The board has been very open about the importance of education and guidance to stimulate LGPD compliance. It is clear the LGPD provides a framework that seeks to promote corporate accountability and is based not only on traditional forms of command-and-control regulation but also on more responsive forms of regulation. While we firmly believe in the importance of providing guidance and promoting responsible behavior by controllers and processors, it is, of course, also necessary to be able to apply sanctions when necessary. In this sense, the challenge is, indeed, finding a middle ground between guidance and enforcement to ensure that data subject rights are adequately protected.

The Privacy Advisor: With LGPD administrative sanctions slated to take effect Aug. 1, 2021, should we expect to see swift and decisive actions when that date arrives? Is there any concern about being too strong or too weak when it’s time to start serving penalties?

Wimmer: We are currently working on the regulation that will define the methodologies for calculating fines and the administrative procedures for applying sanctions. Before approval, the regulation must also be submitted to a regulatory impact assessment, public consultation and public hearing.

It is important to note the LGPD also provides for a number of parameters that must be observed when applying sanctions, which include aspects such as the good faith of the offender and the adoption of internal mechanisms and procedures that may minimize the negative impacts of the violation. Sanctions can only be applied after an administrative procedure providing full opportunities for defense.

For all these reasons, we are confident we will be able to strike the right balance when we begin serving penalties.

The Privacy Advisor: Scheduled in the 2022 portion of the strategic plan are guidelines for international data transfers. Given the current attention being paid to transfers in the EU and U.S., was there any thought to addressing data transfers in the near term rather than the future? Does the ANPD have any preliminary tips on how to proceed with data transfers in the interim?

Wimmer: Publishing our strategic plan and regulatory agenda was meant to communicate with the public, in a very transparent manner, on what we will be focusing on over the next two years. It was certainly not easy to draw up these documents, and we had to make difficult choices in terms of priorities.

Given the importance of cross-border data flows in our increasingly digital economy, our decision was to include international transfers in our list of priorities and to initiate formal regulatory procedures in the first semester of 2022, after we deal with pressing issues regarding domestic implementation of the LGPD.

It is important to note that although formal procedures are scheduled to begin next year, we are already initiating discussions with our counterparts in other countries to better understand which mechanisms could be more effectively developed in Brazil.

Similar to the EU General Data Protection Regulation, the LGPD provides for a portfolio of mechanisms for international data transfers, including adequacy decisions, standard contractual clauses, binding corporate rules and certifications. Our priority is currently identifying which of these instruments we should focus on developing to provide effective and uncomplicated mechanisms for organizations, including smaller businesses, to transfer data to and from Brazil while maintaining a high level of data protection for individuals.

The Privacy Advisor: Data leaks in Brazil are becoming more prevalent, and the number of people affected is growing with each incident. In the ANPD’s preliminary view, is this a problem related more to the growing sophistication of bad actors or potential negligence by organizations?

Wimmer: Data leaks have, in fact, become a huge concern in Brazil, especially considering the extent of the breaches and their impact on the Brazilian population. Investigations are still ongoing, and it is not yet clear who is responsible for these leaks, but there is some evidence to suggest the possibility of these data breaches not being recent, but the result of different leaks over several years.

At this point, several public organizations are involved in investigations and the adoption of measures to mitigate the risks, and we hope that these dramatic events will also serve as a wake-up call for organizations to improve their privacy governance programs and their security mechanisms, both from an administrative and technical standpoint.

Photo by Agustin Diaz Gargiulo on Unsplash


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Author
Headshot Joseph Duball IAPP Staff Contributor
Tags
Government
Latin America
Data Loss
Enforcement
Infosecurity
Privacy Law
Privacy Operations Management
Transborder Data Flow
Comments

If you want to comment on this post, you need to login.

Related Stories
Related Stories
Tags
Government
Latin America
Data Loss
Enforcement
Infosecurity
Privacy Law
Privacy Operations Management
Transborder Data Flow
Recent Comments