Brazil: ANPD Launches A Publication That Covers Smart Cities And Other Innovations

In this Data Protection and Privacy newsletter, you will find:

• ANPD launches "Technological Radar" publication with smart cities as the central theme
• ANPD launches public consultation on the Anonymization and Pseudonymization Guide
• ANPD sanctions INSS and Federal District Secretary of Education for LGPD violations
• ANPD Launches Guidance on Legitimate Interest
• ANPD opens public consultation for the regulation of data subject's rights

ANPD launches 'Technological Radar' publication with smart cities as the central theme

On January 29, the Brazilian National Data Protection Authority (ANPD) launched a series of technical publications called "Technology Radar". These materials aim to analyze emerging technologies that are impacting or have the potential to impact the national and international scenario related to data protection.

The first edition focuses on smart cities and covers topics such as the main concepts, benefits, potential risks related to privacy and data protection, and perspectives for the future. This edition is only available in Portuguese.

Through this series, the ANPD demonstrates its commitment to monitoring technological progress and the potential impacts on the protection of personal data.

ANPD launches public consultation on the Anonymization and Pseudonymization Guide

On January 30, the ANPD initiated a public consultation on the Anonymization and Pseudonymization Guide for Personal Data Protection.

According to the Brazilian General Data Protection Law (LGPD), Federal Law no. 13,709/18, data subjects have the right to request anonymization of their personal data whenever its processing is excessive or non-compliant with the Law. Additionally, the LGPD mandates anonymization as a necessary measure, where feasible, in situations such as data processing for research purposes by research institutions.

Article 12, Paragraph 3 of the LGPD mandates the ANPD to define standards and techniques for anonymization processes and to assess their security.

The purpose of this consultation is to collect insights from professionals, processing agents, data subjects, academia, and the general public. This will help ensure that the guide reflects the best practices in the industry.

Interested parties are invited to submit their contributions to the consultation through the Participa+Brasil platform until February 28, 2024.

ANPD sanctions INSS and Federal District Secretary of Education for LGPD violations

On February 1, 2024, the ANPD announced the outcomes of two administrative sanctioning processes related to violations of the LGPD, the first involving the National Institute of Social Security (INSS) and the second involving the Education Department of the Federal District (SEEDF).

In the first case, the INSS was sanctioned for failing to inform data subjects about a data breach that occurred in 2022. This breach affected the Social Benefits Corporate System of INSS (SISBEN), exposing personal data such as CPF numbers, bank details, and dates of birth. This violation was further aggravated by the INSS's non-compliance with the ANPD's directives. The ANPD determined that the data breach could cause significant harm to data subjects, as it involved information about social security benefits. As a penalty, the INSS was required by the ANPD to publicize the violation on its website and the Meu INSS application for sixty days.

In the second case, the SEEDF was sanctioned for violating various obligations of the LGPD and the ANPD's Inspection Regulation. The ANPD identified infractions including the absence of the records of processing activities (ROPA) and failure to inform data subjects about data breaches with potential significant harm. Consequently, the ANPD applied four warnings to the SEEDF as sanctions.

ANPD Launches Guidance on Legitimate Interest

On February 2nd, the ANPD released the Guidance on Legal Hypotheses for Data Processing – Legitimate Interest. The guide provides essential clarifications on the application of legitimate interest as a legal basis for the processing of personal data by controllers and third parties, including public authorities.

In addition to guiding the topic, the publication has a practical focus and includes an attached balancing test model, aiming to assist processing agents in the use of legitimate interest as a legal basis for the processing of personal data.

ANPD opens public consultation for the regulation of data subject's rights

On February 2nd, the ANPD initiated a public consultation to develop regulations concerning the data subject's rights.

The ANPD aims to gather contributions on aspects related to the format, timelines, and suitable means to facilitate the exercise of these rights.

The public is invited to submit their contributions by March 4th through the "Opine Aqui" space on the Participa+Brasil platform.

KLA Advogados has experience and assists organizations in implementing privacy programs, supporting clients across various sectors to comply with the Law and adopt the necessary controls to meet its requirements.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.