August 31, 2022

Brazil's 2021-2022 LGPD Privacy Regulatory Process Nearing Completion

You've Reached Your
Free Article Limit This Month
Register for free to get unlimited access to all OnPractice content.
Register Now

Recent developments from the ANPD provide insight into the path ahead.  

On July 7, 2022, Brazil's National Data Protection Authority (ANPD) published its semiannual Regulatory Agenda Monitoring Report. This report updated the public on the current status of the ANPD's regulatory agenda. With the comment period for regulations on international data transfers officially closing June 30, 2022, the ANPD has started all "phase two" regulations. This progression indicates that 2023 may be a pivotal year for Brazil's new data privacy law, the General Personal Data Protection law (LGPD).

Phased Approached

When the LGPD passed in 2020, the ANPD chose a "phased" approached of implementation, meaning that the ANPD was required to pass regulations to supplement the main statute in distinct phases. In January 2021, the ANPD published Ordinance No. 11, which outlined the LGPD's two-year regulatory process for 2021 and 2022 broken into three phases.[1]

Item Phase
ANPD Internal Regulations 1
ANPD Strategic Planning 1
LGPD Application to Small and Medium Sized Companies 1
ANPD Regulations for Inspection and Fines[2] 1
Incident Reporting Notification Guidelines and Rules 1
Personal Data Protection Impact Report 1
Regulations on Data Protection Officers 2
Regulations on International Data Transfers 2
Legal Hypotheses for Processing Personal Data 3
Rights of Personal Data Subjects 3

In order to become law, each phase item must go through several steps including public comment, internal consultation, and deliberation by the ANPD board of directors, among several other steps. Until an item goes through this full process it is advisory in nature only.

As of July 2022, all phase 1 and 2 items within the 2021-2022 regulatory agenda have started and are currently in the administrative process, with two being fully completed.[3]

Phase One

In late 2021 and early 2022, the ANPD published several agenda matters that apply to companies that have operations within Brazil or offer goods or services to people within Brazil, even if the company has no physical presence there.[4]

Specifically, the ANPD released a regulation on LGPD applicability, clarifying that the law will apply to small businesses and nonprofits, including, "micro-companies," "small companies," "startups," and "legal entities governed by private law." [5] While these entities do not need to appoint a data protection officer, they still must comply with most LGPD items, albeit in a simplified format.[6]

In addition, in October 2021, the agency approved the Regulation on Inspection and Enforcement Administrative Procedures. This resolution covers the inspection process for the ANPD covered entities and provides rules and procedures the agency must follow during the administrative process, including application of sanctions.[7]

The ANPD also released an operational guide for incident response (Portuguese only) to help companies properly respond to security breaches. The guide offers best practices, required documentation, circumstances when a personal data protection impact report should be prepared, and containment and recovery plans.[8]

Phase Two

The ANPD released an updated guidance document on Data Protection Officers (DPO) as part of its phase two guidance (Portuguese only). The new guidance aligns DPO responsibilities with the LGPD and defines the DPO's tasks as "play[ing] an important role in fostering and disseminating the culture of data protection in the organization, such as, when receiving requests from data subjects and the national government authority and adopting measures or when guiding employees and contractors regarding the practices to be taken concerning the protection of personal data."[9]

As with the guidance document for DPOs, it is anticipated guidance documents for international transfers will be released prior to regulations becoming final law. Moreover, with the 2021-2022 regulatory agenda coming to an end, companies should expect a more active ANPD in 2023 with respect to enforcement.

*Greenberg Traurig is not licensed to practice law in Brazil and does not advise on Brazilian law. Specific LGPD questions and Brazilian legal compliance issues will be referred to lawyers licensed to practice law in Brazil.

[1] Although Ordinance No. 11 initially contained 10 agenda items, the Regulatory Agenda Monitoring Report has only discussed eight items in its phases 1 and 2 regulatory agenda.[1] Rights of Personal Data Subjects and Legal Hypotheses for Processing Personal Data, which are listed under phase 3 in Ordinance 11, were left out of the July 2022 Regulatory Agenda Monitoring Report.

[2] While initially this was one regulation, it was divided into two regulations: one for inspection and application of sanctions and the other for methodologies for calculating the among of fines.

[3] Regulation for Protection of Personal Data for small processing agents and the Regulation of the Inspection Process and the Sanctioning Administrative Process have been finalized and are official regulations.

[4] Ordinance No. 11, Jan. 27, 2021.

[5] Ordinance No. 2, Jan. 27, 2022.

[6] Id.

[7] Resolution CD/ANPD No. 1, Oct. 28, 2021.

[8] Guia de Resposta a Incidentes de Segurança.

[9] Autoridade Nacional de Protecção de Dados.

ALM expressly disclaims any express or implied warranty regarding the OnPractice Content, including any implied warranty that the OnPractice Content is accurate, has been corrected or is otherwise free from errors.

More From Greenberg Traurig

International Entrepreneur Parole Program: USCIS Issues Policy Guidance

By Linnea Porter Greenberg Traurig March 22 , 2023

On March 10, U.S. Citizenship and Immigration Service (USCIS) issued an announcement with comprehensive guidance on parole for international entrepreneurs.

New UK Sanctions Package Would Target Russia's Arms Exports, Front-Line Resources

By Annabel Thomas Greenberg Traurig March 22 , 2023

The UK announced a further round of sanctions and trade measures on 24 February 2023 to coincide with the first anniversary of Russia’s invasion of Ukraine.

PFAS in Drinking Water: EPA Proposes Historic New Regulation

By Bernadette M. Rappold Greenberg Traurig March 17 , 2023

On March 14, 2023, the U.S. Environmental Protection Agency (EPA) issued a proposed National Primary Drinking Water Regulation (NPDWR) which, if finalized, would set enforceable limits, known as Maximum Contaminant Levels (MCLs), for six Per- and Polyfluoroalkyl Substances (PFAS).

More From Privacy

Is a business required to include an 'opt out of targeted advertising' link on its homepage (i.e., a Do Not Share link) if it recognizes opt-out preference signals?

By David A. Zetoony Greenberg Traurig March 13 , 2023

Three modern privacy statutes incorporate the concept that individuals should be able to broadcast a signal from their browser or device that directs an organization to cease providing their personal information to third parties for the purposes of targeted advertising.

Massachusetts Gov. Proposes Reorganization Plan for Housing Development Under Article 87

By Robert C. Ross Greenberg Traurig March 13 , 2023

Massachusetts Gov. Maura Healey recently filed legislation under Article 87 of the Massachusetts Constitution that would make organizational changes to the Commonwealth’s oversight of housing development.

Trade Associations Urge Illinois High Court to Reconsider BIPA Decision in Cothron

By Nadine C. Abrahams Jackson Lewis P.C. March 13 , 2023

The Illinois Supreme Court’s decision that a separate claim under Illinois’ Biometric Information Privacy Act (BIPA) accrues each time an entity scans or transmits an individual’s biometric identifier or biometric information will lead to absurd and unjust results not intended by the Illinois General Assembly, Jackson Lewis argued in a friend-of-the-court brief filed on behalf of a coalition of trade associations representing the interests of thousands of Illinois businesses employing approximately 2.9 million individuals in Illinois.

Featured Stories