The ANPD and the challenge of enforcing the LGPD

The recently formed National Data Protection Authority (ANPD), the primary authority responsible for personal data in Brazil, has the challenging mission of standardizing or regulating the many situations that the law leaves to more detailed regulation.

The General Data Protection Law (LGPD) leaves numerous matters to be regulated by the ANPD; these are discussed in the list below:

Art. 10, § 3 – The legitimate interest of the controller can only justify the processing of personal data for legitimate purposes, considered from concrete situations, which include, but are not limited to:

§ 3 The national authority may request from the controller an impact report on the protection of personal data, when the processing is based on its legitimate interest, observing commercial and industrial secrets. – The impact report is defined in Article 5 without any further clarification, and it is not clear on what grounds the ANPD may request an impact report from one company and not from another. Finally, will a company's mere assertion be enough to justify a claim of commercial and industrial secrecy?

Art. 11, § 3 – The processing of sensitive personal data may only occur in the following cases:

§ 3 The communication or shared use of sensitive personal data between controllers to obtain an economic advantage may be subject to prohibition or regulation by the national authority, after consultation with the sectoral bodies of the Public Power, within the scope of their competences. – The extent to which the ANPD will prohibit or regulate the shared use of sensitive personal data between controllers to obtain an economic advantage is still unknown.

Art. 12, § 3 – Anonymized data will not be considered personal data under this Law, except when the anonymization process to which they were submitted is reversed, using only their own means, or when, with reasonable efforts, it can be reversed.

§ 3 The national authority may provide for standards and techniques used in anonymization processes and carry out checks on their security, after consultation with the National Council for the Protection of Personal Data. – The ANPD may establish more specific rules to characterize anonymization.

Art. 13, § 3 – In carrying out public health studies, research bodies may have access to personal databases, which will be treated exclusively within the body and strictly to carry out studies and research and kept in a controlled and safe environment, according to security practices provided for in specific regulations and that include, whenever possible, the anonymization or pseudonymization of data, as well as considering the appropriate ethical standards related to studies and research.

§ 3 The access to the data referred to in this article will be subject to regulation by the national authority and health and sanitary authorities, within the scope of their competences. – This statement clarifies the need for the ANPD, together with health and sanitary authorities, to regulate access to data resulting from public health studies.

Art. 18, V – The subject of personal data is entitled to obtain from the controller, in relation to the data of the subject treated by him, at any time and upon request:

V – data portability to another service or product supplier, upon express request, in accordance with the regulations of the national authority, subject to commercial and industrial secrets; – Data portability is one of the rights of the data subject that certainly needs regulation by the ANPD.

Art. 19, § 3 – Confirmation of existence or access to personal data will be provided, upon request by the subject:

§ 3 When the processing originates from the consent of the subject or in a contract, the subject may request a complete electronic copy of his personal data, observing commercial and industrial secrets, under the terms of the regulations of the national authority, in a way that allows for their subsequent use, including in other processing operations. – This is another point that requires regulation by the ANPD: the subject's request for a complete electronic copy of their personal data, which must be reconciled with commercial and industrial secrets.

Art. 23, § 1 – The processing of personal data by legal entities governed by public law referred to in the sole paragraph of Art. 1 of Law No. 12,527, of November 18, 2011 (Law of Access to Information), must be carried out to fulfill its public purpose, in pursuit of the public interest, to execute the legal powers or fulfill the legal attributions of public service, provided that:

§ 1 The national authority may provide for the forms of publicity of processing operations. – The ANPD may regulate the form of publicity for personal data processing operations by legal entities governed by public law.

Art. 27, single paragraph – The communication or shared use of personal data from legal entities under public law to persons under private law will be reported to the national authority and will depend on the consent of the subject, except:

Single paragraph. The information to the national authority referred to in this article’s caput will be subject to regulation. – The communication or shared use of personal data between legal entities under public and private law should be subject to ANPD regulation.

Art. 30. The national authority may establish complementary rules for the activities of communication and shared use of personal data. – The ANPD will have to decide whether to create complementary norms for communication activities and shared use of personal data by legal entities of public law.

Art. 40 – The national authority may provide interoperability standards for portability, free access to data and security, and the time for keeping records, in view of necessity and transparency. – This provision alone calls for numerous regulations of paramount importance that must be prepared by the ANPD.

Art. 41, § 3 – The controller must indicate the person in charge of personal data processing.

§ 3 The national authority may establish complementary norms on the definition and the attributions of the person in charge, including hypotheses of exemption from the need for his appointment, according to the nature and size of the entity or the volume of data processing operations. – The LGPD offers a very brief list of duties for the person in charge. The extent to which these duties will be extended remains to be seen.

Art. 46, § 1 – Processing agents must adopt security, technical and administrative measures to protect personal data from unauthorized access and accidental or illicit situations of destruction, loss, alteration, communication, or any form of inappropriate or illegal processing.

§ 1 The national authority may provide for minimum technical standards to make the provisions of the caput of this article applicable, considering the nature of the information processed, the specific characteristics of the processing, and the current state of technology, especially in the case of sensitive personal data, as well as the principles foreseen in the caput of Art. 6 of this Law. – The ANPD may establish the minimum technical standards to characterize security, technical and administrative measures.

Art. 48, § 1 – The controller shall inform the national authority and the data subject of the occurrence of a security incident that may cause significant risk or damage to the subjects.

§ 1 The communication will be made within a reasonable period, as defined by the national authority, and must mention, at least: – The ANPD will have to clarify what constitutes a reasonable period.

Art. 51. The national authority will encourage the adoption of technical standards that facilitate the control by the subjects of their personal data. – The question is how the ANPD will generate this stimulus.

Art. 53. The national authority shall define, through its regulation on administrative sanctions for violations of this Law, which shall be the object of public consultation, the methodologies that will guide the calculation of the base value of the fine sanctions. – The regulation of the application of sanctions is a fundamental part of the LGPD for the ANPD. After all, it is the sanctions that will determine its impact on the market.

Art. 62. The national authority and the National Institute of Educational Studies and Research Anísio Teixeira (Inep), within the scope of their competences, will issue specific regulations for access to data processed by the Union to comply with the provisions of § 2 of Art. 9 of Law no. 9.394, of December 20, 1996 (Law of Guidelines and Bases of National Education), and those referring to the National Higher Education Assessment System (Sinaes), dealt with by Law no. 10.861, of April 14, 2004. – The ANPD and Inep must regulate the government's processing of personal data related to education.

Art. 63. The national authority will establish rules on the progressive adaptation of databases constituted up to the date of entry into force of this Law, considering the complexity of the processing operations and the data's nature. – This is another essential aspect for the ANPD, since the countless databases constituted before the LGPD will need additional regulation, considering the complexity of the operations involved.

If the ANPD had been created as a stand-alone agency, which should have been the case given the nature of its existence and the need to enforce the LGPD, such regulations would presumably favor the technical aspect without the potential for excessive political interference.

It is up to us to monitor how the ANPD will move forward with all these regulations, which are so necessary to ensure the enforcement of the LGPD.