Sign In


The Brazilian President creates the National Data Protection Authority

Technology, Innovation and Digital Business; Data Protection and Cybersecurity

On December 28, 2018, the President enacted Provisional Measure No. 869 of 2018 ("PM"), which amends certain provisions of Law No. 13,709 of 2018 (known in Portuguese as Lei Geral de Proteção de Dados or "LGPD") and creates the National Data Protection Authority ("ANPD"). The PM also extends until August 2020 the deadline for companies to become compliant with the LGPD.

According to the PM, the ANPD will be a administrative body, connected to the Cabinet of the Presidency, with technical autonomy, but no financial and budgetary autonomy (Sections 55-A and 55-B).

As to the responsibilities of the ANPD, we highlight the following: 

  • To enact rules and regulations relating to data protection;
  • To analyze and interpret, in the administrative sphere, matters relating to the LGPD;
  • To request from data controllers and processors access to information;
  • To implement simplified mechanisms in order to receive and register complaints from data subjects;
  • To supervise processing activities and impose sanctions;
  • To promote the adoption of certain standards for services and products in order to assist data subjects in the exercise of control and protection of their personal data;
  • To promote cooperation with international and transnational data protection authorities;
  • To undertake public consultations. 

ANPD's organizational structure will include a board of directors, a national council for data protection and privacy, an internal complaints department, an ombudsman, an internal legal department and administrative and specialized units for the application of the LGPD (Section 55-C). The directors will be appointed for four-year terms.

The 23 members of National Council for Data Protection and Privacy will be appointed by the President and will include six members from the executive branch; one from the Senate; one from the House of Representatives; one from the National Council of Justice; one from the National Council of the Public Prosecutors Office; one from the Brazilian Internet Steering Committee; four from public organizations acting in the data protection field; four from scientific, technological or innovation institutions; and four representatives from the private sector acting in the data protection field.

In addition, the PM introduces innovations regarding administrative sanctions, providing that the ANPD will take priority, with respect to the protection of personal data, in relation to other government entities or authorities.

The PM stipulates that ANPD shall coordinate with the National Body of Consumer Protection – SENACON, which is connected to the Ministry of Justice, and with other agencies and entities responsible for data protection. However, the final interpretation and the enactment of rules and guidelines relating to data protection remains with the responsibility of the ANPD.  

The PM also amends provisions regarding sensitive health data, creating two important exceptions relating to the prohibition from communicating or sharing information among controllers in order to gain economic advantage. These exceptions include data portability requested by the data subject and the adequate provision of supplementary health services (Section 11, (4), I and II).

In addition, the PM has made it easier to transfer to private entities personal data contained in the databases of public entities, as follows: 

  • Where this is contemplated by law or the transfer is established in contracts or agreements;
  • To prevent fraud or protect the security and integrity of the data subject;
  • If a data protection officer is appointed for the processing of personal data; and
  • In cases when data is publicly accessible.

The PM is already in effect and will remain effective for 120 days from its publication by which time, Congress must convert it into law or the PM will lose its validity. 

See our recent publications