Regulatory agenda of the Brazilian national data protection authority for the 2021-2022 biennium

On January 28, 2021, due to the Data Privacy Day, the Brazilian National Data Protection Authority (“ANPD”), through Ordinance No. 11, made public the Regulatory Agenda approved by the Directing Council for the 2021-2022 biennium, through which it lists the topics to be regulated by the ANPD in this period and the respective deadlines for its beginning.

The agenda foresees the regulation of the so-called ‘priority aspects’. The deadlines defined by the ANPD for the regulation of these topics are divided into 3 distinct phases, highlighting that the scheduled date indicates the beginning of the regulation process, not its conclusion.

Although Ordinance No. 11 provides for the beginning of the regulatory process to take place in up to 1 year, for the aspects comprising phase 1, 1 and a half year for phase 2 and up to 2 years for the aspects comprising phase 3, Appendix I of the Ordinance, although it may still be changed, brings more optimistic forecasts for the beginning of the regulations, as shown in the schedule below:

Aspects / SubjectsPhaseForecasting beginning of the regulatory process
Publication of the First Internal Rules of the ANPD11st semester of 2021
Publication of ANPD’s Strategic Planning for the 2021-2023 triennium11st semester of 2021
Edition of simplified and differentiated rules, guidelines and procedures for adaptation of micro and small businesses to the LGPD1 , as well as startups and individuals who process personal data under economic purposes – according to article 55-J, XVIII of the LGPD11st semester of 2021
Establishment of rules for the application of administrative sanctions provided for in article 52 of the LGPD, including the calculation of the base value of fines and the circumstances and conditions for their appliance11st semester of 2021
Regulation of the notification, by the Controller to the ANPD, of security incidents, as provided for in article 48 of the LGPD, including deadline, templates and procedure for forwarding the information11st semester of 2021
Edition of Regulations and Procedures on Data Protection Impact Assessments in cases on which the processing represents a high risk to the guarantee of the general principles of personal data protection11st semester of 2021
Establishment of complementary rules on the definition and duties of the DPO, appointed by Controllers, pursuant to article 41, §3 of the LGPD21st semester of 2022
Regulation of International Transfer of Personal Data, including authorized countries, the assessment of the level of protection of personal data and the standard contractual clauses that allow the transfer21st semester of 2022
Regulation of the data subjects rights already provided for in the LGPD31st semester of 2022
Edition of Document providing for the legal hypotheses for the processing of personal data and the consequent application of the LGPD, on various topics32nd semester of 2022

This challenging scenario and the uncertainties surrounding the LGPD should start to become less obscure in a short time. We will continue to follow all topics regarding the regulation of the LGPD and soon we expect to be able to provide more information on the development of the law and the effective start of the regulatory process for the matters set out above.

Subscribe and stay updated
Receive our latest blog posts by email.