Public consultation launched in Brazil for resolution on data security incidents

On May 2, 2023, the Brazilian Data Protection Authority (ANPD) opened a public consultation for contributions on a draft resolution concerning the reporting of personal data security incidents to the authority and affected data subjects.

The draft resolution seeks to regulate reporting requirements in the event of an incident that could lead to serious harm or risk for data subjects – as per Article 48 of Brazil’s General Data Protection Law (Law No. 13,709/2018 – LGPD). Among other subjects, the draft resolution’s provisions regulate:

• Classification of serious harm and risk – an incident may entail serious harm or risk for data subjects if it has the potential to significantly affect the interests and fundamental rights of data subjects and involves at least one of the following types of data: sensitive personal data; the data of children, adolescents or elderly people; financial data; system authentication data; or large-scale quantities of data;
• Deadlines – data controllers must report any such data security incidents to the ANPD and the affected data subjects within three business days of becoming aware of the incident;
• Forms of reporting incidents to data subjects – data controllers must report incidents to data subjects directly and individually, when it is possible to specifically identify those affected. If this proves to be unfeasible, controllers must disclose the security incident via available means, such as on their websites, applications, social media, and customer service channels. The form(s) of disclosure must facilitate broad awareness of the incident, with information directly accessible and easily visible for at least six months;
• Recording security incidents – controllers must keep records of personal data security incidents (including those not reported to the ANPD and data subjects) for a minimum of five years;
• Security Incident Investigative Proceedings – the ANPD may open such investigative proceedings should it become aware of a personal data security incident that a data controller has failed to report within the terms and conditions established in the draft resolution;
• Other measures – depending on the seriousness of the security incident, the ANPD may determine requirements for large-scale dissemination of the incident in the media or alternative measures to reverse or mitigate its effects.

Previous contributions and provisional guidelines

In February 2021, the ANPD opened an initial call for public contributions on relevant issues regarding the future regulation of information security incidents. This included risk assessment criteria, establishing reasonable reporting deadlines, and potential exceptions regarding obligations to inform the ANPD and affected data subjects.

Non-binding guidelines on the subject are currently available on the ANPD’s website, which seek to clarify and provide general recommendations for data controllers’ duties to report incidents while the final form of the resolution remains unpublished.

In addition to the public consultation, the ANPD has set a public hearing on the draft resolution for May 23. The hearing will be held online and can be viewed on the ANPD’s Youtube channel.

Contributions to the draft resolution should be sent via the Participa + Brasil platform by May 31, 2023.

For more information on topics related to data security, please contact Mattos Filho’s Data Protection & Cybersecurit practice area.