On March 1, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted a response to the new Brazilian data protection authority’s (Agência Nacional de Proteção de Dados, the “ANPD’s”) public consultation (in Portuguese) on the impact of the Brazilian data protection law (Lei Geral de Proteção de Dados, the “LGPD”) on small and medium-sized enterprises (“SMEs”), which will inform the ANPD’s upcoming special rules for SMEs.
This call for public input is the first step of ANPD’s public consultation process. The second step will be drafting rules on SMEs that also will be submitted for review and comment by the public. This is the first public consultation undertaken by the ANPD, which was established only four months ago.
CIPL welcomed ANPD’s willingness to engage with multiple stakeholders by obtaining feedback and input ahead of drafting the rules and guidance. In its response, CIPL observed that the ANPD’s main challenge in relation to the impact of the LGPD on SMEs is two-fold, i.e., to:
- Provide flexible and scalable rules to SMEs that (1) enable compliance with the LGPD; (2) encourage them to become accountable; and (3) facilitate their effective functioning in a data-driven Brazilian economy post-COVID-19; while
- Avoiding excessive exemptions to compliance and enforcement rules that could lead to SMEs (1) not complying with other applicable LGPD rules and (2) not being concerned about enforcement by the ANPD.
CIPL recommended that the ANPD should focus on the following activities:
- Providing guidance to SMEs to clarify the many applicable LGPD provisions and help them understand the importance of protecting personal data and becoming accountable;
- Developing and promoting accountability and compliance tools and templates for SMEs;
- Encouraging the development of industry codes of conduct;
- Enabling the development of certifications, seals and marks;
- Encouraging sharing of best practices in data protection, data management and data hygiene among Brazilian professional organizations;
- Driving SME-focused education and awareness programs;
- Providing opportunities for SMEs to engage with the ANPD and share their compliance experience;
- Taking organizational accountability efforts into account when enforcing the LGPD rules against SMEs and being transparent about this in connection with relevant enforcement criteria;
- Enabling international transfers of personal data to enable Brazilian SMEs participate in the global digital economy; and
- Working with public authorities of other regulated areas, as well as industry associations, to identify cross-sectoral initiatives to support SMEs’ LGPD compliance (e.g., regulatory sandboxes and policy roundtables).
CIPL also highlighted that (1) when providing guidance and tools to SMEs, the ANPD should prioritize promoting the principle of accountability as the enabler of effective data protection, responsible uses of personal data, economic growth and innovation; and (2) frameworks, such as the CIPL Accountability Framework (see figure below), that could be used as a baseline for LGPD compliance. CIPL explained that accountability is a scalable and sector-agnostic concept that may be applied by organizations of all types (including SMEs), sizes, sectors (including the public sector), geographical footprints and varying corporate cultures, as demonstrated in CIPL’s Accountability Mapping report.
[caption id="attachment_20241" align="aligncenter" width="1112"] Figure: CIPL Accountability Framework[/caption]
In addition to the consultation on SMEs, the ANPD has already opened a new call for preliminary input on the topic of notification of data breaches (in Portuguese) to the ANPD as well as data subjects. The ANPD is planning to finalize their rules on data breach notification within one year. Comments must be submitted by March 24, 2021 to consultapublica@anpd.gov.br with the subject of “Tomada de Subsídios 2/2021”.
Download CIPL’s response in English or in Portuguese.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code