August 31, 2022

Brazil's 2021-2022 LGPD Privacy Regulatory Process Nearing Completion

You've Reached Your
Free Article Limit This Month
Register for free to get unlimited access to all OnPractice content.
Register Now

Recent developments from the ANPD provide insight into the path ahead.  

On July 7, 2022, Brazil's National Data Protection Authority (ANPD) published its semiannual Regulatory Agenda Monitoring Report. This report updated the public on the current status of the ANPD's regulatory agenda. With the comment period for regulations on international data transfers officially closing June 30, 2022, the ANPD has started all "phase two" regulations. This progression indicates that 2023 may be a pivotal year for Brazil's new data privacy law, the General Personal Data Protection law (LGPD).

Phased Approached

When the LGPD passed in 2020, the ANPD chose a "phased" approached of implementation, meaning that the ANPD was required to pass regulations to supplement the main statute in distinct phases. In January 2021, the ANPD published Ordinance No. 11, which outlined the LGPD's two-year regulatory process for 2021 and 2022 broken into three phases.[1]

Item Phase
ANPD Internal Regulations 1
ANPD Strategic Planning 1
LGPD Application to Small and Medium Sized Companies 1
ANPD Regulations for Inspection and Fines[2] 1
Incident Reporting Notification Guidelines and Rules 1
Personal Data Protection Impact Report 1
Regulations on Data Protection Officers 2
Regulations on International Data Transfers 2
Legal Hypotheses for Processing Personal Data 3
Rights of Personal Data Subjects 3

In order to become law, each phase item must go through several steps including public comment, internal consultation, and deliberation by the ANPD board of directors, among several other steps. Until an item goes through this full process it is advisory in nature only.

As of July 2022, all phase 1 and 2 items within the 2021-2022 regulatory agenda have started and are currently in the administrative process, with two being fully completed.[3]

Phase One

In late 2021 and early 2022, the ANPD published several agenda matters that apply to companies that have operations within Brazil or offer goods or services to people within Brazil, even if the company has no physical presence there.[4]

Specifically, the ANPD released a regulation on LGPD applicability, clarifying that the law will apply to small businesses and nonprofits, including, "micro-companies," "small companies," "startups," and "legal entities governed by private law." [5] While these entities do not need to appoint a data protection officer, they still must comply with most LGPD items, albeit in a simplified format.[6]

In addition, in October 2021, the agency approved the Regulation on Inspection and Enforcement Administrative Procedures. This resolution covers the inspection process for the ANPD covered entities and provides rules and procedures the agency must follow during the administrative process, including application of sanctions.[7]

The ANPD also released an operational guide for incident response (Portuguese only) to help companies properly respond to security breaches. The guide offers best practices, required documentation, circumstances when a personal data protection impact report should be prepared, and containment and recovery plans.[8]

Phase Two

The ANPD released an updated guidance document on Data Protection Officers (DPO) as part of its phase two guidance (Portuguese only). The new guidance aligns DPO responsibilities with the LGPD and defines the DPO's tasks as "play[ing] an important role in fostering and disseminating the culture of data protection in the organization, such as, when receiving requests from data subjects and the national government authority and adopting measures or when guiding employees and contractors regarding the practices to be taken concerning the protection of personal data."[9]

As with the guidance document for DPOs, it is anticipated guidance documents for international transfers will be released prior to regulations becoming final law. Moreover, with the 2021-2022 regulatory agenda coming to an end, companies should expect a more active ANPD in 2023 with respect to enforcement.

*Greenberg Traurig is not licensed to practice law in Brazil and does not advise on Brazilian law. Specific LGPD questions and Brazilian legal compliance issues will be referred to lawyers licensed to practice law in Brazil.

[1] Although Ordinance No. 11 initially contained 10 agenda items, the Regulatory Agenda Monitoring Report has only discussed eight items in its phases 1 and 2 regulatory agenda.[1] Rights of Personal Data Subjects and Legal Hypotheses for Processing Personal Data, which are listed under phase 3 in Ordinance 11, were left out of the July 2022 Regulatory Agenda Monitoring Report.

[2] While initially this was one regulation, it was divided into two regulations: one for inspection and application of sanctions and the other for methodologies for calculating the among of fines.

[3] Regulation for Protection of Personal Data for small processing agents and the Regulation of the Inspection Process and the Sanctioning Administrative Process have been finalized and are official regulations.

[4] Ordinance No. 11, Jan. 27, 2021.

[5] Ordinance No. 2, Jan. 27, 2022.

[6] Id.

[7] Resolution CD/ANPD No. 1, Oct. 28, 2021.

[8] Guia de Resposta a Incidentes de Segurança.

[9] Autoridade Nacional de Protecção de Dados.

ALM expressly disclaims any express or implied warranty regarding the OnPractice Content, including any implied warranty that the OnPractice Content is accurate, has been corrected or is otherwise free from errors.

More From Greenberg Traurig

Proposed UCC Amendments to Article 12 Shed New Light on Transacting and Securing Interests in Digital Assets

By John B. Hutton III Greenberg Traurig December 07 , 2022

As we know it, the emerging practice of transacting in digital assets has developed into a mainstream fragment of the financial market ecosystem.

Certain Ukrainian and Afghan Parolees Employment Authorized Incident to Parole

By Linnea Porter Greenberg Traurig December 07 , 2022

Effective Nov. 21, 2022, USCIS announced that certain Afghan and Ukrainian beneficiaries paroled into the United States are employment authorized incident to parole.

Trade Secret Law Evolution Podcast Episode 51: The Sixth Circuit Analyzes Key Concepts in Trade Secret Law in Affirming Major Jury Verdict

By Jordan D. Grotzinger Greenberg Traurig December 02 , 2022

You are invited to listen to Episode 51 of Greenberg Traurig’s Trade Secret Law Evolution Podcast, "The Sixth Circuit Analyzes Key Concepts in Trade Secret Law in Affirming Major Jury Verdict."

More From Privacy

Deadline: 'Old' Standard Contractual Clauses (SCCs) Expire Dec. 27, 2022

By Dr. Viola Bensinger Greenberg Traurig December 02 , 2022

After an extended sunset period, time to replace the “old” SCCs runs out on Dec. 27, 2022. After that date, the old SCCs will no longer legalize data transfers to countries outside the European Economic Area (EEA).

Can a business require a consumer to submit a declaration under penalty of perjury in order to prove their identity?

By David A. Zetoony Greenberg Traurig November 22 , 2022

The regulations implementing the CCPA require that a business verify the identity of a consumer that submits a specific-information access request to a “reasonably high degree of certainty.”

What is the difference between a category-level access request and a specific-information access request?

By David A. Zetoony Greenberg Traurig November 21 , 2022

The CCPA and its implementing regulations identify six types of information requests that a consumer can submit to a business.

Featured Stories