LGPD development in Brazil: ANPD Resolution No 15/24

Tuesday 28 May 2024

Fabio Alonso Vieira

Kestener & Vieira Advogados, São Paulo

fabio.vieira@kvlaw.com.br

Eduarda Mourad Baldavira

Kestener & Vieira Advogados, São Paulo

eduarda.baldavira@kvlaw.com.br

Introduction

The discussion regarding personal data security in Brazil began in mid-2018, the year in which the Brazilian General Data Protection Law (LGPD) was published. The LGPD was inspired by the General Data Protection Regulation (GDPR), the European Union's pioneer data protection legislation. 

Both the Brazilian and European legislation have a very similar structure and aim for the same goal: to determine how companies and organisations should handle personal data. That is, how they should collect, process, share and make use of third-party information.

In the same way that the GDPR introduced the European General Data Protection Board (EDPB), the LGPD introduced the National Data Protection Authority (ANPD) as the public administrative body responsible for ensuring, implementing and monitoring compliance with the law nationwide.

The obligation to report the occurrence of a security incident to the ANPD and to the data subjects is set out in Article 48[1] of the LGPD. However, Article 48 of the LGPD was silent about the communication procedure and deadlines.

To implement the provisions of the LGPD in a practical way, on 26 April 2024 the ANPD published Resolution No 15/2024 (the ‘Resolution’) which approved the Security Incident Communication Regulation.

Security Incident Communication Regulation

First, the Resolution defines the term ‘security incident’ as any confirmed adverse event that violates the confidentiality, integrity, availability or authenticity of personal data.

The security incident only qualifies for communication when it affects the interests and fundamental rights of the data subjects and necessarily involves at least one of the following types of data:

  1. sensitive personal data;
  2. data of children, adolescents or the elderly;
  3. financial data;
  4. system authentication data (credentials);
  5. data protected by legal, judicial or professional secrecy; or
  6. large-scale data.

If the security incident is confirmed as likely to generate significant risk or damage to the data subjects, the controller must notify the ANPD, by electronic form, within three working days from the date of becoming aware of the incident. The communication may be supplemented, with grounds, within 20 working days from the date of the first communication.

One of the most important points addressed in the Resolution concerns the content of the communication, which should set out key information about the incident, such as:

  • the nature and category of the personal data affected;
  • the number of data subjects affected;
  • technical and security measures used to protect personal data, adopted before and after the incident;
  • risks and possible impacts on data subjects;
  • measures that have been or will be adopted to reverse or mitigate the effects of the incident on data subjects;
  • the date on which the incident occurred, when possible, and the date on which the controller became aware of it;
  • a description of the incident, including the root cause if this can be identified; and
  • the total number of data subjects whose data is processed in the affected processing activities.

The security incident communication shall also be made to the data subjects, preferably in a direct and individualised way (telephone, e-mail, electronic message or letter), in simple and easy-to-understand language, including, in addition to the information mentioned above, a contact point for obtaining further information and the contact details of the person in charge of personal data processing.

In addition, the ANPD has made it mandatory to draw up an incident management report, which it may request at any time, and to keep a record of all security incidents, whether or not reported to the ANPD and/or the data subjects, for a minimum period of five years.

Once the administrative process has been initiated, the ANPD may, at any time, carry out inspections and request additional steps from the processing agent, as well as order the controller to adopt preventive measures and impose a daily fine to ensure compliance.

The Resolution allows ANPD to initiate security incident investigation procedures on its own initiative when it becomes aware of security incidents not reported by the controller and can also make formal requests to the investigated controller.

Similarly, failure to cooperate with the ANPD or confirmation that an unreported security incident occurred may lead to the opening of an administrative sanctioning procedure, already regulated in a pre-existing resolution[2].

Positive aspects of the Security Incident Communication Regulation

The Resolution is clear and detailed, introducing precise definitions and specific procedures that make it easier for data processing agents to comply. This level of detail is essential to ensure that all parties involved understand their responsibilities and the actions required in the event of a security incident.

Requiring controllers to keep detailed records and adopt mitigation measures reinforces the principle of accountability, so as to encourage controllers to take a proactive approach to data security.

In addition, the Resolution encourages the adoption of good governance and security practices, which can lead to a more secure and reliable data processing environment, a crucial scenario for the development of a data protection culture in Brazil.

Negative aspects of the Security Incident Communication Regulation

The deadline of three working days for reporting incidents to the ANPD and to data subjects can be considered short, especially for small companies or organisations with limited resources, and the pressure to meet this deadline can result in incomplete or inadequate reporting.

In the same vein, the detailed requirements and complex procedures can represent a significant challenge for small companies. The technical and administrative resources needed to comply with the Resolution can be onerous for these data processing agents, and the effectiveness of incident response measures will vary with the technical capacity and resources available to each controller. Smaller organisations may find it difficult to implement quickly the measures needed to mitigate damage.

Finally, monitoring data processing agents’ compliance with the resolution represents a considerable challenge for the ANPD. Ensuring that all agents, especially small ones, comply with the established standards will require significant resources and effort.

Comparing the GDPR and the LGPD

When comparing the ANPD Resolution with the provisions of the GDPR, a number of similarities and differences can be observed.

Both regulations emphasise the protection of data subjects' rights, transparency and accountability of data processing agents and require the reporting of security incidents within short deadlines, with detailed procedures to mitigate damage.

However, while the GDPR offers some flexibilities in terms of deadlines and procedures for small companies, the Resolution is stricter regarding communication deadlines. In addition, the GDPR is more detailed in terms of documentation requirements and data protection impact assessment.

The new Resolution represents an important step in the implementation of data protection in Brazil. It offers a clear and detailed framework for reporting security incidents, promoting the protection of the rights of data subjects and the responsibility of data controllers. However, the Resolution introduces challenges, especially for small companies, in its implementation and enforcement.

Adjustments to the deadlines and simplification of the requirements, along with greater support from the ANPD, could improve the effectiveness of the resolution and ensure more robust data protection in Brazil.


[1] The controller must communicate to the national authority and to the data subject the occurrence of a security incident that may create risk or relevant damage to the data subjects.

[2] CD/ANPD Resolution No 1, of 28 October 2021.