Put Christian Fernandes Rosa – 22/06/2020

The General Data Protection Law provided for the creation of a National Authority to promote the application of the new rule, which is an effort to protect fundamental rights such as privacy and the free development of the human person. However, the veto to the initial wording of the bill and the establishment of the Authority as carried out by means of a Provisional Measure removed it from the legal regime used in regulatory activities and sows doubts about the quality of its institutional design.

The General Data Protection Law, also known as LGPD, established an entire regulatory microsystem for the protection of personal data in Brazil. In short, the law is intended to regulate the conduct of data processing agents, imposing a series of conditions on the collection, use, reproduction, processing, archiving, evaluation or control of information, among other activities.

In order to comply with the new law, the creation of the National Data Protection Authority (“ANPD”) was foreseen, with the task of establishing the guidelines of the National Policy for the Protection of Personal Data and Privacy and competent to monitor and apply administrative sanctions to data processing agents for any non-compliance with the provisions of the LGPD.

The ANPF was initially provided for in a bill as a special agency, along the lines of the regime attributed by Brazilian Public Law to Regulatory Agencies such as ANATEL and ANTT, which were assigned the regulation of the telecommunications and land transportation sectors, respectively. This wording, approved by the National Congress and which provided for the financial autonomy of the institution, was vetoed by the then President of the Republic, on the grounds of an indicated defect in the initiative.

To address the lack of a supervisory entity, a Provisional Measure was enacted that established the institution of the ANPD, on a temporary basis, as an agency of the direct federal Public Administration, linked to the Presidency of the Republic. The provisions, received by Congress, became legal text and guarantee the technical and decision-making autonomy of the ANPD. However, there is no mention of its financial independence, separating the Brazilian model from international best practices, such as that offered by General Data Protection Regulation (GDPR), the European standard on the subject.

By removing its legal status as a special agency and removing any provision regarding its financial autonomy, national legislation casts doubt on its effective decision-making autonomy. There are many studies to the effect that the effective technical and decision-making independence of regulatory institutions is only possible when they are assured the necessary (material) means to do so.

It is true that the quality of institutions can only be properly assessed during their operation, over time, in the exercise of their duties. However, the structure chosen for its establishment may impose greater difficulties on its proper activity – and this is the case of the ANPD. In fact, to properly assess its institutional design, it is necessary to await the ANPD's bylaws and the conduct of the Presidency of the Republic itself when it was created and in supporting the Authority's oversight activities. It is possible that, within two years, the Chief Executive will decide to transform it into a special agency, as authorized in the legal text. However, this would not, by itself, guarantee its financial autonomy.

Ultimately, given the importance of the regulatory structure itself for the Authority's performance, in institutional terms, it is recommended that the structure provided for in the LGPD be changed from the outset, to ensure that administrators and investors, processing agents, are assured that the entity's performance will be effectively guided by reasonable and predictable technical and legal criteria, without being captured by a political-partisan agenda of the Presidency of the Republic, to which the Authority was linked.

The team at Mazzucco & Mello Advogados has been closely monitoring the issue and offering support to companies that are planning their compliance with the issue of personal data management.