In the week that celebrates two years of its creation, the Brazilian National Data Protection Authority (ANPD) published a new agenda for the period 2023 and 2024, making public the regulatory planning developed by the municipality, now autonomous and independent of the federal government. The ANPD Regulatory Agenda presents the actions and measures understood as priorities in the entity's scope for the next biennium and is a continuation of the previous agenda, which ends and at the end of 2022.
The document is considered a planning tool that aims to give more transparency and give more predictability to the regulatory process of the municipality. Public consultations and the analysis made by the ANPD raised the main points that should be included in the agenda for discussion. The document details the deadline of the regulatory process and how the matter will be handled: whether by resolution, good practice guide or ordinance.
HISTORIC
In January 2021, the ANPD issued its first Regulatory Agenda with the objective of indicating which topics related to the General Law on The Protection of Personal Data (LGPD) would be highlighted in the sphere of action of the municipality during its first two years of activity.
In the first version, the Regulatory Agenda listed ten priority points, categorized into three phases. It can be said that the ANPD valued an orientative posture when establishing as a priority the elaboration of resolutions, frameworks, protocols and guides to guide the beginning of the functioning of the authority in the supervision and protection of personal data and privacy of holders.
Such an agenda would bring greater legal certainty in the orientation of business models that, with the LGPD, began to address new security measures, in line with rights associated with the guarantee of privacy and data protection.
Since the publication of the LGPD, the discussion on the right to privacy and protection of personal data of data subjects has come to have great attention from the three powers. So much so that, in 2022, Article 5 of the Federal Constitution came to have a new wording, including among the fundamental rights the right to the protection of personal data.
Since then, the ANPD's performance continues at an accelerated pace, based on its Regulatory Agenda as guidance to future points of attention and obtaining subsidies for regulation by the municipality: all items of the Regulatory Agenda for the biennium 2021-2022 were initiated within the established deadline.
However, several initiatives brought in the Agenda 2021-2022 were not completed on time: some points submitted to consultation by the ANPD did not advance in consolidating an understanding by the authority. This is the case of the determination of the dosimetry of the penalty and sanctions applied despite violations of the LGPD, definitions such as high-risk treatment, mentioned in the Regulation that makes the application of the LGPD more flexible to small agents, and specifications involving the reporting of incidents and time of notification to the authority.
THE NEW REGULATORY AGENDA
The priority attention points detailed by the ANPD in the Regulatory Agenda 2021-2022 and that have not yet resulted in determinations published by the municipality will now make up Phase 1 of the new agenda, and the 12 items listed in this category will continue to be developed as a priority by the authority. In addition to the points listed in phase 1, eight more items began to include the regulatory planning of the ANPD:
- Data sharing by the government – Provided for in Articles 26 and 27 of the LGPD, the sharing of data between private entities and the public authorities will be the subject of studies to determine procedures to be adopted by agents, as well as transparency parameters on the disclosure of established agreements.
- Processing of personal data of children and adolescents – Although the authority has already conducted a preliminary study on the subject, the new study aims to include analysis of impacts on internet applications and online platforms in the protection of data from minors, expanding the research approach on top of the work already developed.
- Guidelines for the National Policy for the Protection of Personal Data and Privacy – The policy should involve several other projects in the field of public policies, encompassing all actors of the data protection ecosystem and management plans already developed in other systems, such as the Digital Strategy, the National IoT Plan, etc.
- Regulation of criteria for recognition and dissemination of rules of good practice and governance – As part of a work of constant updating, measures of good practice and information security that guide the internal organization of the parent companies and / or data operators should always be reviewed to consider changes in the technological scenario and business models. The regulation will serve as the anpd's recognition of standards of best practices in governance.
- Sensitive personal data: biometric data – The collection of biometrics should receive greater attention from the authority, on a guiding point, regarding the legitimacy of its collection and the security of the holder.
- Security, technical and administrative measures - In line with Article 46(1) of the LGPD, the authority plans to provide for minimum technical safety standards considering the nature of the information processed and the state of technology available for processing agents to ensure the protection of personal data from unauthorized access or situations of inappropriate or unlawful processing of data.
- Artificial Intelligence (AI) - In view of the complexity of the theme addressed in Article 20 of the LGPD, the authority seeks to develop documents and guidance to data subjects for the exercise of their rights in requesting review of automated decisions, in addition to serving as a basis for other rules that discipline the AI system.
- Conduct Adjustment Term (TAC) - As part of the ANPD's review process, the TAC will be an instrument for mediating proposals in sanctioning proceedings promoted by the authority, in any investigations of illicit acts committed under the LGPD.
FIRST CONCLUSIONS
The publication of the new Regulatory Agenda for the next two years reinforces the ANPD's ongoing effort to provide more predictability to the regulatory process and maintain transparency as one of its pillars of action.
Although the new agenda follows the discussion of the themes of the last biennium, which corroborates the orientation posture adopted by the ANPD, it can be expected that the coming years will be a transition to authority. This is because some of the themes based on the new Regulatory Agenda, such as Fines, rights of holders, incident reporting and impact reports, indicate that the ANPD will highlight the supervision of the LGPD and possibly adopt a coercive stance in a more emphatic way.