a) Diagnosis and Compliance Index with LGPD
To clarify some of the questions regarding the compatibility of governmental bodies with the LGPD's compliance standards, the Brazilian Federal Government launched an adequacy diagnosis, in the form of a questionnaire, which seeks to investigate how closely entities linked to the Federal Government align with the new data protection Law.
Furthermore, the Federal Government, which had previously published a Good Practices Guide, has issued Operational Guidelines that address specific data protection topics and guide the path to be followed by entities seeking to comply with the new Law.
b) Publication of Biennial ANPD Regulatory Agenda for 2021-2022
ANPD, through Ordinance N. 11 of 2021, made public the agenda approved by its Board of Directors, which will continue to be implemented during the next year. The agenda includes the timeframe for the regulatory process for the main topics under the responsibility of the National Data Protection Authority (“ANPD”).
The Regulatory Projects in the calendar are organized in three distinct phases. The first phase is expected to start in the first 12 months, the second phase in the first 18 months and, finally, the third phase within the 24 months of the implementation timeframe.
Similarly, the publication of the first ANPD Rules of Procedure also deserves attention. The item was adopted by means of Ordinance N. 1 of March 8, 2021 and will be relevant to identify significant characteristics considered by the entity and, as a consequence, the level of legal security existing in the relationship between the Authority and the subject companies.
c) ANPD publishes Guidance for controllers, processors and DPOs
On May 28, 2021, the ANPD published a “Guide for Definitions of Agents for the Processing of Personal Data and the Data Protection Officer”, which establishes non-binding guidelines for such agents.
The document seeks to explain who can perform the function of controller, processor and DPO, their legal definitions, the respective liability regimes, as well as concrete cases that exemplify the explanations.
d) LGPD Sanctions came into force on August 1, 2021
On August 1, 2021, the articles of the LGPD that establish the inspection and application of penalties by the National Data Protection Authority (“ANPD”) in the administrative sphere for violations of the LGPD came into force. The sanctions provided for by the Law include warnings, fines, publicizing the violation, blocking or deleting the personal data to which the violation refers, suspension of collection and processing activities, indemnification for damage caused to data subjects, and even partial or total prohibition of exercising activities related to data processing.
e) ANPD publishes new Information Security Guidance for Small Personal Data Processing Agents and Regulation of the Monitoring Process and Sanctioning Administrative Proceedings
On October 4, 2021, the ANPD published an Information Security Guidance for Small Businesses that Process Personal Data, as well as a checklist suggesting measures to be adopted by such businesses. Both documents are addressed to the controllers and processors who, due to their size and possible limitations, often do not have employees specialized in information security and need to improve it in relation to the processing of personal data.
Another important Resolution was issued by the Authority less than a month after the Guidance was published. On October 29, 2021, Resolution CD/ANPD No. 1, by which the ANPD Board of Directors approved the Regulation of the Monitoring Process and the Sanctioning Administrative Proceeding, was published. It entered into force on the same day and will have its first monitoring cycle from January 2022. The main purpose of the Regulation is to establish procedures inherent to the monitoring process, as well as the rules that must be observed in the scope of sanctioning administrative proceedings by ANPD.
f) Legal decisions based on the LGPD
According to the Painel de LGPD nos Tribunais, in one year of LGPD's effectiveness, 274 decisions that effectively applied the law were rendered in Brazilian courts, while LGPD was mentioned as a reinforcement to other laws, such as the Consumer Protection Code or the Civil Rights Framework for the Internet, in 584 decisions in this period.
Most of the decisions in the lower courts await decision in the higher courts, the Courts of Appeals have not yet taken a position on important issues, and it is not possible to identify a consolidated jurisprudential orientation in many aspects.