On January 28 (coinciding with International Data Protection Day) the Brazilian Federal Data Protection Agency (Autoridade Nacional de Proteção de Dados, or ANPD) published its regulatory agenda for the next years.
This is welcome news considering the prolonged silence of the agency since its creation. The ANPD has now provided a forecast of its reports and monitoring activities for the period between 2021 – 2024, specifically highlighting the following topics on its agenda (still subject to amendment):
– ANPD Internal Regulations and Bylaws; – Strategic Planning; – Initiatives for SME’s, Start Ups and Individuals; – Administrative Fines; – Incident Reporting and Deadlines; – Parameters for Impact Assessments (DPIAs); – Role of Data Protection Officer (DPO); – International Transfer of Data; – Rights of Data Holders; – Best Practice Guides on the legal basis for data processing.
The ANPD was formally initiated in November 2020, and is currently in the process of establishing its directorate, staff and internal composition. It has already started in its function as information provider, and those eager to get basic information about the agency can access the newly established FAQ section on its website.
In August 2021, the LGPD (Brazil’s Data Protection law) will come into full effect, bringing with it new obligations for companies in terms of handling personal data and strict penalties for non-compliance. These will include possible fines of up to R$50 Million. Although the law is already in force since September 2020, companies have had a year to adapt to the legislation, and therefore, violations will be subject to sanction through the ANPD only after August 2021.
In practice, however, the Brazilian Judiciary has already been dealing with numerous actions, which are based, at least in part, on predictions of how the new law will function (there has also been a significant overlap with other areas of Brazilian law, for example in cases related to consumer, employment and public interest law).
