CIPL sends response to first public consultation of the new Brazilian Data Protection Agency on SMEs
On March 1, 2021, the Center for Information Policy Leadership (“CIPL”) in Hunton Andrews Kurth responded to the public consultation of the new Brazilian Data Protection Agency (Agência Nacional de Proteção de Dados, “ANPD”) (in Portuguese). on the impact of the Brazilian Data Protection Act (Lei Geral de Proteção de Dados, the “LGPD”) on small and medium-sized enterprises (“SMEs”), which will inform about the upcoming special rules of the ANPD for SMEs.
This call for public contributions is the first step in the ANPD’s public consultation process. The second step will be to develop rules for SMEs, which will also be submitted to the public for review and comment. This is the first public consultation of the ANPD, launched just four months ago.
CIPL welcomed ANPD’s willingness to work with multiple stakeholders by gathering feedback and input before developing the rules and guidelines. In its response, CIPL noted that the main challenge of the ANPD in relation to the impact of the LGPD on SMEs is twofold, ie:
- Providing flexible and scalable rules for SMEs that (1) enable them to comply with the LGPD; (2) encourage them to be held accountable; and (3) facilitate their effective functioning in a data-driven Brazilian economy following COVID-19; while
- Avoid excessive exemptions from compliance and enforcement rules that could result in SMEs (1) not complying with other applicable LGPD rules and (2) not worrying about enforcement by the ANPD.
CIPL recommended that the ANPD focus on the following activities:
- Providing guidance to SMEs to clarify the many LGPD rules in force and help them understand the importance of personal data protection and accountability;
- Develop and promote accountability and compliance tools and templates for SMEs;
- Promoting the development of codes of conduct for industry;
- Enabling the development of certifications, seals and trademarks;
- Promote the exchange of best practices in the areas of data protection, data management and data hygiene between Brazilian professional associations;
- Promoting education and awareness programs aimed at SMEs;
- Providing opportunities for SMEs to deal with the ANPD and share their compliance experiences;
- Taking into account and being transparent about the efforts to achieve organizational accountability in enforcing LGPD rules against SMEs in connection with the relevant enforcement criteria;
- Enabling international transfers of personal data to enable Brazilian SMEs to participate in the global digital economy; and
- Working with authorities in other regulated areas as well as industry associations to identify cross-sector initiatives to support LGPD compliance for SMEs (e.B. Regulatory Sandboxes and Policy Roundtables).
CIPL also stressed that (1) in providing guidelines and tools for SMEs, the ANPD should give priority to promoting accountability to enable effective data protection, responsible management of personal data, economic growth and innovation; and (2) frameworks such as the CIPL Accountability Framework (see figure below) that could be used as the basis for LGPD compliance. CIPL stated that accountability is a scalable and sector-independent concept that can be applied by organizations of all types (including SMEs), sizes, sectors (including the public sector), geographic footprints and different corporate cultures, as demonstrated in CIPL’s accountability report .
Figure: CIPL Accountability Framework
In addition to the consultation on SMEs, the ANPD has already launched a new request for preliminary submission to the ANPD and data subjects on the subject of reporting data breaches (in Portuguese). The ANPD plans to finalize its privacy breach notification rules within a year. Comments must be submitted by March 24, 2021 to [email protected] with the topic “Tomada de Subsídios 2/2021”.
Download CIPL’s answer in English or Portuguese.