On January 28, 2021, due to the Data Privacy Day, the Brazilian National Data Protection Authority (“ANPD”), through Ordinance No. 11, made public the Regulatory Agenda approved by the Directing Council for the 2021-2022 biennium, through which it lists the topics to be regulated by the ANPD in this period and the respective deadlines for its beginning.
The agenda foresees the regulation of the so-called ‘priority aspects’. The deadlines defined by the ANPD for the regulation of these topics are divided into 3 distinct phases, highlighting that the scheduled date indicates the beginning of the regulation process, not its conclusion.
Although Ordinance No. 11 provides for the beginning of the regulatory process to take place in up to 1 year, for the aspects comprising phase 1, 1 and a half year for phase 2 and up to 2 years for the aspects comprising phase 3, Appendix I of the Ordinance, although it may still be changed, brings more optimistic forecasts for the beginning of the regulations, as shown in the schedule below:
| Aspects / Subjects | Phase | Forecasting beginning of the regulatory process |
|---|---|---|
| Publication of the First Internal Rules of the ANPD | 1 | 1st semester of 2021 |
| Publication of ANPD’s Strategic Planning for the 2021-2023 triennium | 1 | 1st semester of 2021 |
| Edition of simplified and differentiated rules, guidelines and procedures for adaptation of micro and small businesses to the LGPD1 , as well as startups and individuals who process personal data under economic purposes – according to article 55-J, XVIII of the LGPD | 1 | 1st semester of 2021 |
| Establishment of rules for the application of administrative sanctions provided for in article 52 of the LGPD, including the calculation of the base value of fines and the circumstances and conditions for their appliance | 1 | 1st semester of 2021 |
| Regulation of the notification, by the Controller to the ANPD, of security incidents, as provided for in article 48 of the LGPD, including deadline, templates and procedure for forwarding the information | 1 | 1st semester of 2021 |
| Edition of Regulations and Procedures on Data Protection Impact Assessments in cases on which the processing represents a high risk to the guarantee of the general principles of personal data protection | 1 | 1st semester of 2021 |
| Establishment of complementary rules on the definition and duties of the DPO, appointed by Controllers, pursuant to article 41, §3 of the LGPD | 2 | 1st semester of 2022 |
| Regulation of International Transfer of Personal Data, including authorized countries, the assessment of the level of protection of personal data and the standard contractual clauses that allow the transfer | 2 | 1st semester of 2022 |
| Regulation of the data subjects rights already provided for in the LGPD | 3 | 1st semester of 2022 |
| Edition of Document providing for the legal hypotheses for the processing of personal data and the consequent application of the LGPD, on various topics | 3 | 2nd semester of 2022 |
This challenging scenario and the uncertainties surrounding the LGPD should start to become less obscure in a short time. We will continue to follow all topics regarding the regulation of the LGPD and soon we expect to be able to provide more information on the development of the law and the effective start of the regulatory process for the matters set out above.