Brazilian Data Security Authority Publishes Regulatory Approach for 2021 – 2023

On January 28, 2021, global Data Privacy Day, the recently formed Brazilian data safety authority (Agência Nacional de Proteção de Dados, the “ANPD”) posted its regulatory method for 2021-2023 and do the job system for 2021-2022 (in Portuguese).

ANPD Regulatory Approach

The ANPD’s regulatory strategy for 2021-2023 sets forth the agency’s vision for turning into a reference, nationally and internationally, with regard to information security matters. It also establishes the ANPD’s three principal objectives in its first several years as a info security regulator, which are linked to concrete steps, timelines and important effectiveness indicators (“KPIs”):

  1. To endorse the strengthening of a knowledge defense tradition, which will be finished through functions and workshops, drafting steering and suggestions, partaking with general public and personal entities to spouse in the growth of best tactics and investigations of non-compliance
  2. To create an effective facts safety regulatory surroundings, which will be accomplished by the progress of a process to take care of person problems and facts breach notifications, drafting principles to regulate the Brazilian data defense law (Lei Geral de Proteção de Dados Pessoais, the “LGPD”), open up provisions (which will be open up to public consultation) and drafting the ANPD’s bi-once-a-year get the job done program and
  3. To boost the ANPD’s capacity to run in accordance to the LGPD principles, which will involve the ANPD’s business, infrastructure, budget and personnel, as perfectly as making ready a analyze about the authorized transformation of the ANPD.

The ANPD used a risk-based strategy to its tactic when acknowledging that it will have to have continual monitoring of developments and re-calibration of priorities. It also concluded that its top plans for the publication of the agency’s strategy are to enhance transparency and empower the ANPD to come to be accountable to society.

ANPD Operate Program

The ANPD’s work system for 2021-2022 establishes fast priorities and parts of aim for the ANPD, which will be assessed and quite possibly re-calibrated at the finish of 2021:

  • Perform beginning in H1 2021, to be finished within just one calendar year:
    • ANPD bylaws
    • Regulatory approach for 2021-2023
    • Procedures for tiny and medium-sized enterprises (“SMEs”)
    • Guidelines about the ANPD’s enforcement and calculation of fines
    • Policies relating to notification of data breaches to the ANPD and information subjects
    • Policies concerning details safety influence assessments (“DPIAs”)
  • Get the job done starting up in H1 2022:
    • Rules concerning facts subject legal rights
    • Rules concerning the facts protection officer (“DPO”)
    • Policies regarding intercontinental knowledge transfers
  • Perform starting up in H2 2022:
    • Recommendations on lawful bases for processing

The ANPD also has posted an FAQ doc (in Portuguese) with primary questions and responses regarding the new authority, the LGPD, standard knowledge safety principles (e.g., individual knowledge, details processing and sensitive info), compliance obligations and other topics.


The ANPD has launched its formal website (in Portuguese), which will comprise fundamental details about the ANPD’s construction, system and do the job approach, as effectively as the agenda of the President Director and information about economic assets received as a final result of agreements, contractual preparations and audits. In addition, the ANPD will issue a position report on its progress with regard to the get the job done plan every 6 months.

Initial Investigations

When the LGPD provisions about sanctions and fines go into effect in August 2021, the ANPD has already initiated its very first investigations, as announced by ANPD Director Arthur Pereira Sabbat through a webinar. These are preliminary investigations of WhatsApp’s recent privateness coverage improvements and an August 2019 details breach involving credit-investigate organization Serasa Experian, which allegedly afflicted much more than 220 million Brazilians. The Brazilian Countrywide Shopper Secretariat (Secretaria Nacional do Consumidor, “Senacon”) is also investigating the Serasa details breach.

Coordination with Other Regulatory Authorities

The Brazilian Countrywide Council of Buyer Defense (Conselho Nacional de Defesa do Consumidor, the “CNDC”), designed in July 2020 to aid cooperation and coordination on buyer matters between many Brazilian community bodies, has created a doing the job team devoted to privateness and info safety. This doing the job team will do the job closely with the ANPD, and ANPD reps will have a seat at the functioning group’s meetings. The performing team is led by Luciano Timm, former Director of Senacon, and info privacy lawyer and professor Laura Schertel Mendes. Mendes is also founder and Director of the Centro de Estudos de Direito, Internet e Sociedade of the Instituto Brasiliense de Direito Público (the “CEDIS-IDP”), which jointly coordinates the Helpful Implementation and Regulation Under the LGPD task with Hunton Andrews Kurth’s Centre for Information Policy Leadership (“CIPL”).

ANPD Workers

The ANPD’s five Directors, nominated by President Bolsonaro, took workplace on November 6, 2020. The ANPD also has employed extra than 19 of the 31 team members they are entitled to per Presidential Decree 10.474/2020. These persons mainly arrive from other public bodies (i.e., the Presidency of the Republic, telecommunications regulator, consumer regulator, Brazilian Legal professional General’s Business and Office environment of the Comptroller Basic). A few associates of the personnel arrive from Telebras, the Brazilian telecommunications firm that was once condition-owned, and where the ANPD’s President Director earlier labored. A single member of staff members will come from the private sector, beforehand getting labored at a Brazilian imagine tank and as a details defense lawyer.

Software Approach Opened for the ANPD’s National Details Security Council

On February 4, 2020, the ANPD opened the application course of action for the Nationwide Data Security Council. This is a multi-stakeholder advisory council delivered for by the LGPD to recommend on the ANPD’s operate and raise awareness about facts privateness matters.

General public Consultation Approach

In its a few months of existence, the ANPD by now has opened its first general public session method (in Portuguese). The agency is looking for original sights on typical data protection issues and alternatives for SMEs and on precise subjects these kinds of as the implementation of knowledge security compliance systems and chance assessments by SMEs, which will advise future ANPD policies. Submissions ought to abide by a template type and be sent (in Portuguese) to the ANPD public consultations department by March 1, 2021.