While the inauguration of a polarizing new president dominated the news of Brazil around the beginning of the new year, outgoing President Michel Temer, before leaving office, issued an executive order that has important ramifications for Brazil’s recently enacted General Data Protection Regulation (Lei Geral de Proteção de Dados or LGPD). Provisional Measure No. 869/2018 (MP 869/2018), published Dec. 28, 2018, takes the vitally important step of creating Brazil’s National Data Protection Authority (ANPD), tasked with rulemaking, education and enforcement of the LGPD. Additionally, MP 869/2018 delays the effective date of the LGPD by six months, from February 2020 to August 2020.
The creation of the ANPD fills a void left after the provisions of the LGPD that would have created such an agency were vetoed, based on the Brazilian Congress’s lack of authority to create such an agency. The newly created ANPD will have a multitiered structure consisting at the highest level of five commissioners, to be appointed by the Brazilian president. ANPD commissioners will be appointed to serve four-year terms; however, the initial commissioners will serve two-, three-, four-, five- and six-year terms to ensure continuity. The ANPD will be tasked with three primary functions: 1) rulemaking and interpretive guidance; 2) investigation and enforcement ‒ the ANPD has the exclusive jurisdiction to issue the penalties provided for under the LGPD; and 3) education. To advise the commissioners and help steer data policy in Brazil, the ANPD will also consist of a National Council for the Protection of Personal Data. This body, which was also stricken from the version of the LGPD signed by former President Temer, will consist of 23 members ‒ 11 from different sectors of the Brazilian government and 12 from the spheres of private industry, academia and civil society. In addition, the ANPD will include ombudsmen, an internal legal advisory board and specialized administrative units.
Once the ANPD has been implemented and its commissioners appointed, organizations that will be subject to the LGPD can expect to see a number of clarifications on the details of the law, such as the meaning of “legitimate interests” under the LGPD and the permissibility of certain international data transfer mechanisms. Despite the six-month delay, organizations that expect to comply with the LGPD should already be assessing their data-processing activities and should closely monitor any new guidance issued by the ANPD, once established. We will continue to report on such developments in this blog. For more information on the LGPD, please see our previous post, available here.