Article 48 of the Brazilian Personal Data Protection Law (“LGPD”) establishes that the controller is responsible for notifying both the data subject and the National Data Protection Authority (“ANPD”) of the occurrence of a “security incident that may create risk or relevant damage to the data subjects.” However, the article does not specify the deadline for reporting (1st paragraph of Article 48), which is to be defined by the authority. It also provides that the ANPD, at its discretion, may verify the severity of an incident and, where necessary to protect the data subjects’ rights, determine measures to be adopted by the controller, such as (i) broad disclosure of the event in communications media; and (ii) measures to reverse or mitigate the effects of the incident (2nd paragraph).
According to the Technical Note that accompanies the Public Consultation, the ANPD believes it is important that “the ANPD builds clear boundaries, along with the society, to make it possible to distinguish security incidents that may bring relevant risk or damage and that could require additional measures from those whose threat can be disregarded, if there is such.” This would clearly define the aspects raised by Article 48, caput and paragraph 2, of the LGPD, and would also provide a precise rule on the reporting deadline to be adopted, which may or may not be based on international experience.
In this sense, the Authority opened a Public Consultation on the topic, with questions regarding: the criteria for risk or damage assessment by the ANPD; the difference between risk and damage; the considerations that must be taken into account when assessing risk or damage; the information that controllers must present to the ANPD and to data subjects; the definition of a reasonable deadline for informing both the ANPD and data subjects; and possible exceptions to the obligation to inform the ANPD and data subjects.