On 4 November, Brazil’s National Data Protection Authority (ANPD) launched its 2023-2024 Regulatory Agenda following a consultation process from August to September 2022.
The agenda, which provides greater transparency and efficiency regarding the Authority’s regulatory process, includes initiatives related to the application of administrative sanctions and the rights of personal data subjects.
Enhancing Brazil’s Privacy Framework
At its core, the document sets out twenty initiatives divided into four phases based on priority and with specific implementation timelines. The first phase includes regulatory processes that are already in progress, while activities in the other three phases will take up to eighteen months to take place. Key initiatives include:
- Cross-border data transfer (phase 1): Regulate the criteria in the LGDP for the international transfer of personal data between jurisdictions with adequate levels of protection (Art. 33), the evaluation process by the ANPD (Art. 34), and the definition of the content of standard contractual clauses (Art. 35).
- Incident reporting and notification (phase 1): Modify deadlines and reporting mechanisms in the event of security breaches or incidents.
- Children’s personal data (phase 2): Analyse the impact of processing personal data and the impact of digital platforms and Internet games on the protection of children’s personal data.
- Biometric data (phase 3): Promote ANPD regulation to guide the collection of sensitive data.
- Artificial Intelligence (AI) (phase 3): Perform a study and develop guidelines on AI from a privacy perspective that can later serve as a baseline for other AI standards.
The ANPD’s plans for 2023 will be implemented under the country’s new government, led by President Luiz Inácio Lula da Silva. In terms of privacy and security laws, Brazil’s next head of state has emphasised the need to improve regulation and enhance capabilities for the processing and storage of personal data. This is in line with the ANPD’s regulatory agenda for the next two years and represents an opportunity for companies to engage with the country’s data protection authority and the application of the LGPD.
Lula’s Tech Agenda
More broadly, Lula’s tech policy priorities are: 1) continuing to ensure high-quality Internet access across the country; 2) creating new labour legislation targeting digital workers and platforms; 3) harnessing Brazil’s national technological capacity and innovation; 4) promoting scientific and technological research; and 5) creating an economic strategy by adopting emerging technologies such as AI, biotechnology, and nanotechnology.
What’s at stake for tech companies?
Privacy and personal data protection issues remain at the forefront of public debate across Latin America. From Argentina’s new data protection bill to Chile’s ongoing discussions to create a new Data Protection Agency and Peru’s recent approval of international data transfer guidelines, Latam countries are actively looking to enhance their data protection frameworks. Similarly, the Ibero-American Network of Data Protection’s (RIPD) recently published guidelines for cross-border personal data transfers through contractual clauses signal a first step towards establishing a harmonised regional framework for international data transfers.
Companies operating in Brazil will need to comply with these new changes and prepare for any complementary requirements to existing obligations under the LGDP established by the ANPD. Brazil is a regional trendsetter, and other countries in the region will likely replicate these rules, particularly as they continue to enhance their respective data protection frameworks.