On January 28, 2021, international Data Privacy Day, the newly formed Brazilian data protection authority (Agência Nacional de Proteção de Dados, the “ANPD”) published its regulatory strategy for 2021-2023 and work plan for 2021-2022 (in Portuguese).

ANPD Regulatory Strategy

The ANPD’s regulatory strategy for 2021-2023 sets forth the agency’s vision for becoming a reference, nationally and internationally, with respect to data protection matters. It also establishes the ANPD’s three main objectives in its initial years as a data protection regulator, which are linked to concrete actions, timelines and key performance indicators (“KPIs”):

  1. To promote the strengthening of a data protection culture, which will be done through events and workshops, drafting guidance and recommendations, engaging with public and private entities to partner in the development of best practices and investigations of non-compliance;
  2. To establish an effective data protection regulatory environment, which will be done through the development of a process to manage individual complaints and data breach notifications, drafting rules to regulate the Brazilian data protection law (Lei Geral de Proteção de Dados Pessoais, the “LGPD”), open provisions (which will be open to public consultation) and drafting the ANPD’s bi-annual work plan; and
  3. To improve the ANPD’s ability to operate according to the LGPD rules, which will involve the ANPD’s office, infrastructure, budget and staff, as well as preparing a study concerning the legal transformation of the ANPD.

The ANPD applied a risk-based approach to its strategy when acknowledging that it will require constant monitoring of developments and re-calibration of priorities. It also concluded that its ultimate goals for the publication of the agency’s strategy are to enhance transparency and enable the ANPD to become accountable to society.

ANPD Work Plan

The ANPD’s work plan for 2021-2022 establishes immediate priorities and areas of focus for the ANPD, which will be assessed and possibly re-calibrated at the end of 2021:

  • Work starting in H1 2021, to be done within one year:
    • ANPD bylaws
    • Regulatory strategy for 2021-2023
    • Rules for small and medium-sized enterprises (“SMEs”)
    • Rules concerning the ANPD’s enforcement and calculation of fines
    • Rules concerning notification of data breaches to the ANPD and data subjects
    • Rules concerning data protection impact assessments (“DPIAs”)
  • Work starting in H1 2022:
    • Rules concerning data subject rights
    • Rules concerning the data protection officer (“DPO”)
    • Rules concerning international data transfers
  • Work starting in H2 2022:
    • Guidelines on legal bases for processing

The ANPD also has published an FAQ document (in Portuguese) with basic questions and answers concerning the new authority, the LGPD, basic data protection concepts (e.g., personal data, data processing and sensitive data), compliance obligations and other topics.

Transparency

The ANPD has launched its official website (in Portuguese), which will contain basic information about the ANPD’s structure, strategy and work plan, as well as the agenda of the President Director and information about financial resources obtained as a result of agreements, contractual arrangements and audits. In addition, the ANPD will issue a status report on its progress with respect to the work plan every six months.

Initial Investigations

While the LGPD provisions concerning sanctions and fines go into effect in August 2021, the ANPD has already initiated its first investigations, as announced by ANPD Director Arthur Pereira Sabbat during a webinar. These are preliminary investigations of WhatsApp’s recent privacy policy changes and an August 2019 data breach involving credit-research firm Serasa Experian, which allegedly affected more than 220 million Brazilians. The Brazilian National Consumer Secretariat (Secretaria Nacional do Consumidor, “Senacon”) is also investigating the Serasa data breach.

Coordination with Other Regulatory Authorities

The Brazilian National Council of Consumer Defense (Conselho Nacional de Defesa do Consumidor, the “CNDC”), created in July 2020 to facilitate cooperation and coordination on consumer matters among various Brazilian public bodies, has created a working group dedicated to privacy and data protection. This working group will work closely with the ANPD, and ANPD representatives will have a seat at the working group’s meetings. The working group is led by Luciano Timm, former Director of Senacon, and data privacy lawyer and professor Laura Schertel Mendes. Mendes is also founder and Director of the Centro de Estudos de Direito, Internet e Sociedade of the Instituto Brasiliense de Direito Público (the “CEDIS-IDP”), which jointly coordinates the Effective Implementation and Regulation Under the LGPD project with Hunton Andrews Kurth’s Centre for Information Policy Leadership (“CIPL”).

ANPD Staff

The ANPD’s five Directors, nominated by President Bolsonaro, took office on November 6, 2020. The ANPD also has hired more than 19 of the 31 staff members they are entitled to per Presidential Decree 10.474/2020. These individuals mostly come from other public bodies (i.e., the Presidency of the Republic, telecommunications regulator, consumer regulator, Brazilian Attorney General’s Office and Office of the Comptroller General). Three members of the staff come from Telebras, the Brazilian telecommunications company that was once state-owned, and where the ANPD’s President Director previously worked. One member of staff comes from the private sector, previously having worked at a Brazilian think tank and as a data protection lawyer.

Application Process Opened for the ANPD’s National Data Protection Council

On February 4, 2020, the ANPD opened the application process for the National Data Protection Council. This is a multi-stakeholder advisory council provided for by the LGPD to advise on the ANPD’s work and raise awareness regarding data privacy matters.

Public Consultation Process

In its three months of existence, the ANPD already has opened its first public consultation process (in Portuguese). The agency is seeking initial views on general data protection challenges and opportunities for SMEs and on specific topics such as the implementation of data protection compliance programs and risk assessments by SMEs, which will inform upcoming ANPD rules. Submissions must follow a template form and be sent (in Portuguese) to the ANPD public consultations department by March 1, 2021.