Much is being said about Brazil´s new omnibus data protection legislation, known as the LGPD, which was finally approved in August 2018. The LGPD is strongly inspired by the GDPR and borrows heavily from its structure and foundation; the Brazilian legislation also considers that the protection of personal data is a fundamental right.
However, the LGPD was rushed out of Congress by an outgoing government. The process left some key issues unaddressed, and created uncertainty over the new law’s effectiveness. In one of its final decisions, President Michel Temer´s outgoing administration was able to fill in some of the LGPD’s gaps by issuing a provisional measure in late December 2018. The most relevant change is without question the creation of Brazil´s Data Protection Authority (ANPD), which President Temer had vetoed previously. The authority is responsible for monitoring and enforcing Brazil’s data protection laws; absent the ANPD, the legislation’s effectiveness would be put into question, and data controllers and data processors would almost certainly dismiss any efforts to comply.
The provisional measure extended the deadline for the LGPD to become fully enforceable to August 2020. But the creation of the ANPD has had an immediate effect, as the way it was done generated other concerns for privacy professionals and scholars.
The watchdog was created by a last-minute push of a pen and, without the necessary resources. In practice, the outgoing Temer administration had already spent more than it could, and had little room to increase public spending with a new regulatory body in its final days in office. As a result, the ANPD was created as a body attached to the president’s office, receiving direct orders from the Presidency and lacking an independent budget.
There are reasonable concerns about whether the ANPD will be able to function appropriately and independently, as a data protection authority should. As part of the President´s office, there is a high risk of conflicts of interest and the ANPD will be unlikely to have the same autonomy to enforce Brazil´s data protection laws against the public sector as it has against the private sector.
Without its own budget, the ANPD will also have a difficult time in upholding the LGPD. It could even be incentivised to apply heavy fines to boost its income. And if the ANPD is not considered sufficiently independent, it’s unlikely that the EU would consider Brazil’s data protection framework to be adequate with the GDPR.
What’s more, Temer’s government simply created the structure of the ANPD, and did not appoint any members or officers. The authority is currently an empty shell, and the new government, led by President Jair Bolsonaro, has yet to pay it much attention. In the meantime, the authority remains part of the president’s office; President Bolsonaro will be responsible for appointing its members. Its current structure means the appointments will take place without legislative oversight.
When looking at the ANPD’s structure, one cannot help wondering whether it will be able to enforce the LGPD effectively and fairly. Its lack of independence could lead to its decisions facing challenges in Brazilian courts, which could put its very existence into question.
In spite of the issues surrounding the ANPD, the LGPD is welcome news for the country’s legal framework, which previously lacked a comprehensive set of data protection rules. As long as the ANPD is properly built up before the LGPD comes into force in August 2020, the new law will effectively address data protection in a way that will reshape how companies, organisations, and public authorities can collect, process, use and store personal data in Brazil.
While the president’s office takes its time to appoint the ANPD’s members and officers, the provisional measure that created the authority must be voted into law by Congress within 120 days of its enactment, by the end of April 2019 – or the authority will be disbanded. During that time, the measure could be fully approved, rejected, or approved with amendments. Discussions on the provisional measure are still timid in Congress, which came back from recess on February 2.
In the country of football, we rely on the popular saying “it isn´t over until the referee whistles” to hope that the changes to the LGPD and ANPD will be properly discussed with privacy experts and lawyers before the provisional measure’s 120 days are over. An open dialogue will lead to productive suggestions for (re)structuring the Brazilian watchdog, so that Brazil has enforceable and proper data protection laws.