The General Law for the Protection of Personal Data (LGPD) emerges in a context of advances in information technology and its application in several areas. Thus, the Bill was designed to specifically regulate the protection of the individuality and privacy of people, without impeding the free commercial and communication initiative. The law was discussed for almost four years and in 2018 it became part of the Brazilian legal system.
The LGPD applies to any data processing operation carried out by a natural person or by a legal entity governed by public or private law, regardless of the means, the country of its headquarters or the country where the data is located, provided that: the processing operation is carried out in the national territory; the processing activity has as its objective the offer or supply of goods or services or the processing of data of individuals located in the national territory; or the personal data subject to the processing have been collected in the national territory. The entity responsible for applying the established rules is the National Data Protection Authority (ANPD).
That document contains some concepts relevant to the discussion about access to personal data.
Sanctions will be applied after an administrative procedure that allows for the opportunity of ample defense, in a gradual, isolated or cumulative manner, according to the peculiarities of the specific case and considering the criteria established by law.
Data processing agents that infringe the rules provided for in the LGPD are subject to the following administrative sanctions, applicable by the national authority:
- warning, with an indication of a deadline for the adoption of corrective measures;
- simple fine, of up to 2% (two percent) of the revenue of a legal entity governed by private law, group or conglomerate in Brazil in its last fiscal year, excluding taxes, limited in total to R$ 50,000,000.00 (fifty million reais) per infraction;
- daily fine, observing the total limit mentioned in the previous item;
- publicizing of the infraction after its occurrence has been duly ascertained and confirmed;
- blocking of the personal data to which the infraction refers until its regularization;
- deletion of the personal data to which the infraction refers;
- partial suspension of the functioning of the database to which the infringement refers for a maximum period of 6 (six) months, extendable for an equal period, until the regularization of the processing activity by the controller;
- suspension of the processing activity involving the personal data to which the infringement refers for a maximum period of 6 (six) months, extendable for an equal period;
- partial or total ban on the exercise of activities related to data processing.
The sanctions provided for do not replace the application of administrative, civil or criminal sanctions in the consumer protection code and in specific legislation. The proceeds from the collection of fines applied by ANPD, registered or not in active debt, will be allocated to the Diffuse Rights Defense Fund.
The partial suspension, suspension of the exercise of the processing activity and total or partial prohibition will be applied only after at least 1 (one) of the following sanctions has already been imposed: simple fine, daily fine, publication of the violation, data blocking or deletion of data. In the case of controllers subject to other bodies and entities with sanctioning powers, these bodies are heard.
NATIONAL DATA PROTECTION AUTHORITY - ANPD
The National Data Protection Authority (ANPD) is a federal public administration body, a member of the Presidency of the Republic, which has technical and decision-making autonomy. In exercising its powers, it must ensure the preservation of business secrecy and the secrecy of information.
Currently, the legal nature of ANPD is transitory and may be transformed (by the Executive Branch) into an indirect federal public administration entity, subject to a special autarchic regime and linked to the Presidency of the Republic.
Among the powers of the authority, it is worth mentioning:
- ensure the protection of personal data, under the terms of the legislation;
- ensure the observance of commercial and industrial secrets, observing the protection of personal data and the confidentiality of information when protected by law or when the breach of confidentiality violates the foundations established in the LGPD;
- prepare guidelines for the National Policy for the Protection of Personal Data and Privacy;
- inspect and apply sanctions in the event of data processing carried out in breach of the law, through an administrative process that ensures adversarial proceedings, full defense and the right to appeal;
- promote cooperation actions with personal data protection authorities from other countries, of an international or transnational nature;
- issue regulations and procedures on the protection of personal data and privacy, as well as on the impact reports on the protection of personal data for cases where the processing represents a high risk to the guarantee of the general principles of personal data protection provided for in the LGPD;
- enter into, at any time, a commitment with processing agents to eliminate irregularities, legal uncertainty or a contentious situation in the context of administrative proceedings;
- issue simplified and differentiated rules, guidelines and procedures, including with regard to deadlines, so that micro and small businesses, as well as business initiatives of an incremental or disruptive nature that declare themselves startups or innovation companies, can adapt to this Law;
- resolve, in the administrative sphere and on a final basis, on the interpretation of this Law, its powers and omissions.
Board of Directors
It is the highest management body, composed of five directors, including the Chief Executive Officer. The members of the ANPD Board of Directors will be chosen by the President of the Republic and appointed by him, after approval by the Federal Senate. Members will only lose their positions as a result of resignation, unappealable court conviction or penalty of dismissal resulting from a disciplinary administrative proceeding.
The term of office of the members of the Board of Directors will be 4 (four) years. The terms of the first appointed members of the Board of Directors shall be 2 (two), 3 (three), 4 (four), 5 (five) and 6 (six) years, as established in the appointment. In the event of a vacancy in the position during the term of office as a member of the Board of Directors, the remaining term will be completed by the successor.
The composition of the body can be accessed at this link.
NATIONAL DATA PROTECTION COUNCIL - CNPD
The National Council for the Protection of Personal Data and Privacy is an advisory body of ANPD, which is responsible for:
- propose strategic guidelines and provide subsidies for the elaboration of the National Policy for the Protection of Personal Data and Privacy and for ANPD's performance;
- prepare annual evaluation reports on the execution of the actions of the National Policy for the Protection of Personal Data and Privacy;
- suggest actions to be taken by ANPD;
- prepare studies and hold debates and public hearings on the protection of personal data and privacy; and
- disseminate knowledge about the protection of personal data and privacy to the population.
The members of the CNPD will be appointed by an act of the President of the Republic (delegation is allowed). The Council is composed of 23 (twenty-three) representatives, full members and alternates, as follows:
- 5 (five) of the Federal Executive Branch;*
- 1 (one) from the Federal Senate;*
- 1 (one) from the Chamber of Deputies;*
- 1 (one) from the National Council of Justice;*
- 1 (one) from the National Council of the Public Ministry;*
- 1 (one) from the Brazilian Internet Steering Committee;*
- 3 (three) from civil society entities with activities related to the protection of personal data; **
- 3 (three) from scientific, technological and innovation institutions; **
- 3 (three) from union confederations representing the economic categories of the productive sector; **
- 2 (two) from entities representing the business sector related to the area of personal data processing; ** and
- 2 (two) from entities representing the labor sector. **
* appointed by the heads of the respective bodies and entities
** appointed as provided in regulation; they may not be members of the Brazilian Internet Steering Committee and serve a two-year term (one renewal allowed).
The current composition of the board can be accessed at this link.
The President of the National Council for the Protection of Personal Data and Privacy is responsible for convening, coordinating and directing the Council's meetings, in addition to being able to invite representatives of other bodies and entities of the federal public administration to participate in them, without the right to vote.
As for its meetings, the Council will meet, on an ordinary basis, three times a year and on an extraordinary basis whenever called by its President. The meeting quorum is sixteen members and the approval quorum is a simple majority. The agenda of the meetings will be announced at least one week in advance.
The CNPD will be able to issue internal regulations to detail the complementary norms, which must be approved by an absolute majority of the members.
The regulations and standards issued by ANPD must be preceded by public consultation and hearing, as well as regulatory impact analyses.
The regulatory process includes the procedures for drafting, reviewing, implementing, monitoring and evaluating regulations, guided by the fundamentals of the discipline of personal data protection and by the following guidelines: compatibility with ANPD's Strategic Planning; administrative simplification and speed; improving regulatory quality; consolidation and simplification of the regulatory framework; planning and transparency of ANPD's performance; protection of the data subject's data; improvement of the business environment, enabling economic and technological development and innovation; and strengthening social participation.
The regulatory process includes the following steps:
It is important to mention that the Regulatory Agenda will cover a period of two years and will establish the goals and deadlines to be observed in each Regulation Project. The elaboration of the Regulatory Agenda will observe the provisions and objectives of the Strategic Planning and will take into account the National Policy for the Protection of Personal Data and Privacy and other legal regulations. The description of the activities of the regulatory process within the scope of ANPD is available in the full text of Ordinance 16/2021.
ANPD and the public bodies and entities responsible for regulating specific sectors of economic and governmental activity must coordinate their activities, in the corresponding spheres of action, with a view to ensuring the fulfillment of their duties with the greatest efficiency and promoting the proper functioning of the regulated sectors, in accordance with specific legislation, and the processing of personal data, in accordance with the LGPD.
The application of sanctions is solely the responsibility of ANPD, and its powers will prevail, with regard to the protection of personal data, over the related powers of other entities or bodies of public administration. ANPD will articulate its activities with other bodies and entities with sanctioning and regulatory powers related to the subject of personal data protection and will be the central body for interpreting the LGPD and establishing rules and guidelines for its implementation.
GOVERNANCE COMMITTEE OF THE NATIONAL DATA PROTECTION AUTHORITY
The Governance, Risks and Controls Committee (Governance Committee) of ANPD is composed of the CEO of ANPD (who will chair it) and the Directors of the Board of Directors of ANPD; each member may have an alternate to replace him in cases of impediment. The Executive Secretariat of the Governance Committee will be exercised by the General Secretariat of ANPD.
The Governance Committee is responsible for defining institutional strategies and transversal strategic guidelines relating to:
- public governance;
- risk management, transparency and integrity at ANPD;
- internal control mechanisms; and
- efficiency in administrative management.
The Governance Committee will meet monthly on an ordinary basis. The quorum for holding the meeting is two-thirds of the representatives, and the quorum for deliberation is by a simple majority, with the casting vote of its Chairman. The minutes and their resolutions must be published on the ANPD website, except for the content subject to confidentiality.
Since its creation, ANPD has already promoted some actions, including the publication of its Internal Regulation and its Strategic Planning. Among the acts in preparation are the resolution that regulates the protection of data and privacy for small and medium-sized companies, startups and individuals who process personal data for economic purposes; the establishment of regulations for the application of administrative sanctions by the LGPD; and the Personal Data Protection Impact Report.
By the end of 2022, the authority will have to work on the publication of the resolution dealing with the rights of the holders of personal data; on incident reporting and the specification of the notification deadline; on the duties of the person responsible for the protection of personal data; on the international transfer of personal data; and on a Good Practice Guide on the “Legal hypotheses for the processing of personal data”.
There are also prospects for a draft text for the authority to become an autarchy under a special regime. ANPD and the Ministry of Economy are already working on this agenda, as registered in the authorities' agenda and already confirmed by ANPD directors at events.
The Executive Branch has up to 2 years after the entry into force of the ANPD regimental structure to propose this change, as provided for by Decree 10.474/2020. It was published on August 27, 2020, but only entered into force on November 6, 2020 with the appointment of the Chief Executive Officer of the National Data Protection Authority.
In this sense, this change should be resisted by the National Congress (CN), since the parliamentarians demonstrated their support for the independence of the authority during the vote on the Proposed Amendment to the Constitution (PEC) 17/2019 in the Chamber of Deputies. This PEC proposes the inclusion of the protection of personal data among the fundamental rights and guarantees and establishes the exclusive competence of the Union to legislate on the protection and processing of personal data. The matter has already been approved by the Chamber of Deputies and is awaiting deliberation by the Federal Senate.
Article updated on 09/16/2021.
Written by the Umbelino Lôbo Team: Walysson Barros, Advisor