O conteúdo National Data Protection Authority publishes Guide on Cookies aparece primeiro em Grinberg Cordovil Advogados.

The authority is now approaching the end of the phase  two of implementation of the guidelines of the National Policy for Personal Data Protection and Privacy and has already published several guidelines (some even published in Portuguese and English versions) and resolutions and has held an open dialogue with academia and private sector agents for the production of each of them.

Besides the publication of the Internal Regulation of the authority, during phase 1, the ANPD’s strategic planning was published in addition to guidelines on the application of the LGPD by small agents, as well as a Resolution on the same subject. ANPD also published a resolution concerning the enforcement procedures and Administrative Sanctioning Process, and a form was made available for the notification of security incidents with personal data, as well as a template for the Data Protection Impact Assessment.  

In phase 2 – currently underway – the Authority has already promoted discussions about the regulation of personal data controllers and is in the final phase (until June 17th) of receiving subsidies on the theme of international data transfer – which can be submitted through the Participa + Brasil online platform.

After the conclusion of this phase, ANPD must move on to the last one, Phase 3, of regulation of its National Policy for Personal Data Protection and Privacy. In which the Authority will deal with two main themes:

(i) Rights of personal data subjects; and

(ii) Legal hypotheses of personal data processing.

Both themes are central to the actions of public and private agents and to their compliance with the Brazilian Personal Data Regulation (LGPD), and are therefore highly anticipated. While the first will be subject to regulation, the second will be addressed through a guideline, as provided for in the authority’s regulatory agenda. 

It is also worth noting that on June 13 a Presidential Decree was issued that transforms the ANPD into a federal autarchy of a special nature.

With this change, the new agency will have its own legal personality and assets, and will no longer be an agency linked to the federal executive branch. 

With this change it is expected that the authority’s actions will be conducted with greater autonomy and prioritization capacity. 

O conteúdo ANPD – Recently converted in an autarchy – Steps forward in the accomplishment of its Regulatory Agenda aparece primeiro em Grinberg Cordovil Advogados.

Under the terms of the representation, AELEN is accused of selling A-type gasoline and S10Diesel at higher prices in the state of Bahia, compared to other states where it supplies lower volumes with higher logistic costs. Price lists of all of Petrobras’ refineries and a price spreadsheet published by AELEN on its website were presented to support the allegations for the purpose of comparing prices of commercialized fuels. Thus, the representation alleged an arbitrary increase in profits and abuse of a dominant position.

The PP had originally been filed, due to insufficient evidence of a violation of the economic order.

When voting for the re-opening of the case, Commissioner Gustavo Augusto said that there was indeed a price discrepancy in what was charged compared to the performance of the new refinery and Petrobras, and that the higher-than-expected prices may be a sign of a violation of the economic order. Thus, it would be necessary to investigate the presence of the following three (3) factors:

1. Arbitrary pricing;
2. Market power; and
3. Existence of at least one of the conducts foreseen in the antitrust legislation.

In view of the factual conditions, Commissioner Gustavo Augusto suggested the opening of two (2) administrative inquiries. And pointed out that the SG/CADE may include other defendants in the investigations:

1. To investigate the possible price discrimination imposed to the purchasers of “Type-A Gasoline” and “S10 Diesel” produced at the Landulpho Alves Refinery (RLAM), also known as the Mataripe Refinery, apparently harming purchasers in the state of Bahia; and
2. To investigate the possible practice of upstream price discrimination, specifically the investigation into whether the price of crude oil practiced by the supplier of the refinery in question (Petrobrás) is compatible with the sale prices of the commodity to the company’s own refineries, as well as if the amount is compatible with the sale made by the company in the exportation of the referred to commodity.

President-Commissioner Alexandre Cordeiro reiterated the terms of Commissioner Gustavo Augusto’s vote emphasizing that the investigation is relevant, since it is a structural measure to try to solve important issues in the market, as well as to bring light on any necessary advocacy work within the sectoral regulation.

Additionally, he emphasizes the necessity to ensure a healthy competitive environment in the upstream market of refineries, so that there is acquisition of raw materials, particularly crude oil, and that the refining can be done in Brazil under competitive conditions. It is essential to have options in the purchase of crude oil and that there is a tax dispute regarding the ANP (Regulatory Agency for the sector) reference price. He states that it is likely that there will be difficulty in acquiring raw materials, due to the way in which the market is organized. He then concludes by highlighting that the investigation can help to understand whether an adjustment in regulation is necessary or not.

The appeal was approved by the Court, and the case was sent to SG/Cade for further investigation. Written votes have not yet been made available.

O conteúdo Court votes to open new investigations into the fuel sector aparece primeiro em Grinberg Cordovil Advogados.

The regulation softens some LGPD obligations for the following agents:

• Microenterprises and small businesses: in accordance with the definitions of the Brazilian Civil Code and the National Statute of Microenterprises and Small Businesses;
• Startups: business or corporate organizations, beginning or recently in operation, whose performance is characterized by innovation applied to the business model or the products or services offered and that meet the requirements set out in the Legal Framework for Startups;[1]
• Private legal entities, including non-profits with a maximum revenue of BRL 4.8 million, as provided for in the National Statute of Microenterprises and Small Businesses.

For these agents, the registration of processing operations, as well as the communication of data breach, will be done in a simplified form, based on the model/procedure that will be made available by the ANPD itself. In addition, several communication deadlines before data subject and ANPD will be counted in an extended way or doubled.

Furthermore, APPs will not be required to appoint a DPO. However, a communication channel must be maintained with the data subject, and if a company choose to appoint a DPO, it will be considered as a policy of good practices and governance, being taken into account when applying any sanctions for non-compliance with the LGPD.

There are also definitions, concerning security criteria and good practices for APPs, which must adopt minimum measures to protect data from unauthorized access and accidental or illicit situations of destruction, loss, alteration, communication, or any form of inappropriate or illegal processing. These policies may consider implementation costs, as well as structure, scale, and volume of the agent’s operations, as simplification and limiting factors.

Important: the flexibilizations considered do not apply to agents that carry out processing defined as “high risk,” even if they fit the definitions of the regulation, which are: (i) large-scale processing or (ii) ones that may significantly affect the interests and fundamental rights of the holders. In both of these cases, these processing must be characterized by the following criteria: a) the use of emerging or innovative technology; b) the use of surveillance technology or the control of spaces open to the public; c) those who make decisions on the sole basis of automated processing of personal data; or d) the use of sensitive personal data or personal data related to children, adolescents, and the elderly.

It is important to highlight that there is no quantitative definition of what a large-scale processing would be. The regulation only defines a processing as that which covers a significant number of data subjects, considering the volume of data involved, the duration, the frequency, and the geographic extent of the processing. The processing of personal data that could significantly affect interests and fundamental rights will be characterized as those in which the processing activity may prevent rights being exercised or the use of a service, as well as causing material or moral damages to the data subject, such as discrimination, violation of physical integrity, the right to image and reputation, financial fraud, or identity theft, among others.

[1] According to Startups Legal Framework (Complementary Law No. 182/2021), individual entrepreneurs, individual limited liability companies, business companies, and cooperative and simple companies that meet the following criteria are eligible for inclusion in this modality: (i) gross revenue up to BRL 16 million in the previous calendar year or BRL 1.34 million multiplied by the number of months in the previous calendar year when the company has been active for less than 12 months; (ii) registration with a CNPJ for up to 10 years; and that (iii) meet one of the following requirements: a) declaration in its constitutive act or one amending the use of innovative business models for the generation of products or services or b) classification in the special Inova Simples regime.

O conteúdo ANPD approves regulation on the application of the LGPD for small agents aparece primeiro em Grinberg Cordovil Advogados.

The regulatory framework is quite relevant, and mainly, signals to market agents that the ANPD is functioning and organizing itself institutionally to exercise its inspection activities, which include: (i) monitoring; (ii) orientation; (iii) prevention, and (iv) repression.

Despite this, no guidelines have been established yet, regarding the dosimetry of sanctions and the calculation of the base value for the application of penalties. This point should be clarified later on in a specific rule published by the ANPD, subject to prior public consultation. In addition, the new regulations safeguard the ANPD’s Board of Directors’ power to issue an Ordinance to establish the necessary complementary instructions.

Thus, in general, the new resolution seeks to address the duties of the regulated agents, as well as to determine procedural provisions relating to subpoenas, deadlines, communication, and the awareness of administrative acts from the authority.

Furthermore, the regulations provide for the ANPD’s inspection powers, which must comply with a series of premises provided for in the regulations, may be carried out (i) ex officio; (ii) as a result of periodic inspection programs; (iii) in a coordinated manner with public agencies and entities; or (iv) in cooperation with data protection authorities of other countries.

In relation to the ANPD’s acting areas in exercising this authority, it states that:

• The activity of monitoring should gather relevant information and data to support decision making by the ANPD, in order to ensure regular functioning of the regulated environment. The agency’s General Inspection Coordination, whose competencies are defined in the ANPD’s Internal Regulations, will conduct the monitoring of treatment activities, based on a compliance assessment, to plan and subsidize the authority’s inspection activities. The monitoring also involves the production of an annual report, as well as a biannual map of priority issues to consolidate information on activities and guide the authority’s future actions.
• Guidance is focused on cost-effectiveness and the use of methods and tools to promote guidance, awareness, and education for data processors and subjects. Guidance measures include good practice guides, recommendations of technical standards, and document templates to be used by the processing agents, among other products.
• Prevention preferably consists of action based on the joint construction and dialogue of solutions and measures that aim to bring the processing agent back into full compliance or to avoid or remedy situations that may lead the personal data holders and other processing agents into situations of risk or damage. Note that the measures applied in the preventive context do not constitute a sanction to the regulated agent and may include the disclosure of information, warnings, the request for regularization or additional information, or even a compliance plan, which in the case of non-compliance, will lead to repressive action by the authority.
• Repressive activity is characterized by the coercive action of the ANPD, aimed at the interruption of situations of damage or risk, the return to full compliance, and the punishment of those responsible, by applying the sanctions provided for in Article 52 of the LGPD through the administrative sanctioning process. In conducting the proceedings, the ANPD shall comply with the principles of legality, purpose, motivation, reasonability proportionality, morality, full defense, adversary system, legal certainty, public interest, and efficiency, among others.

Regarding the administrative proceeding within the scope of the ANPD, the resolution establishes that the proceeding may be initiated ex officio, at the request of the Inspection Coordination, or as a result of a monitoring process. Additionally, the General Inspection Coordination may, through ex officio or upon request, make preliminary inquiries by means of a preparatory procedure, when the evidence of an infraction is not sufficient for the immediate opening of a sanctioning administrative proceeding. Once the instruction phase of the preparatory procedure is concluded, the General Inspection Coordination may close the procedure or initiate a sanctioning administrative procedure, without damage to the adoption of guidance and prevention measures, depending on the case.

After the infraction notice has been issued, the accused party may present its defense, add any evidence it deems necessary, or present closing arguments. After analyzing the records, the General Inspection Coordination will issue a final decision, which may be appealed to the ANPD Board of Directors.

In order to ensure the aforementioned action of the ANPD, the processing agents have the duty to provide information and documents, allow the authority access to facilities and equipment, be submitted to audits conducted or determined by the ANPD, and keep physical and digital documents during the periods determined legally or administratively. Furthermore, Law No. 9.874, which regulates the Administrative Proceeding, has subsidiary application.

Finally, it should be noted that the General Inspection Coordination Office may also receive Conduct Adjustment Declaration (“TAC”) requests, which have the effect of suspending any administrative proceedings in progress until the term is fully complied with, once the case has been dismissed.

The Resolution is already in effect and can be accessed here. The first monitoring period will begin in January 2002.

O conteúdo Brazilian Data Protection Authority Supervisory and Sanctioning Proceeding Receives Regulation by the Authority aparece primeiro em Grinberg Cordovil Advogados.

The new “Best Practices” Handbook has been edited to help small and microenterprises, as well as self-declared startups, implement data protection procedures in a way that mitigates possible compliance burdens.

Even in the absence of a final definition (so far) of what “small data processing agents” would be, the new Guide is helpful to any agent that needs to improve its information security standards, regardless of budgetary or personnel limitations, due to its size.

In this way, the document clarifies some central themes, concepts, and obligations of the Brazilian General Data Protection Act (LGPD, Lei Geral de Proteção de Dados[1] in Portuguese) and suggests security measures that can be taken by these organizations towards a safer institutional environment, regarding the processing of personal data. The suggestions are not exhaustive and can (should) be complemented by other initiatives that are deemed pertinent. They include, in summary:

1. Information security: The ANPD recommends establishing an “information security policy” with guidelines on controls related to the treatment of personal data (e.g.: guidelines on security copies; use of passwords; access to information; sharing of data; updating software; use of e-mail; use of antivirus, among others), whenever possible. The policy can be simplified, but it is important to review it periodically.
2. Personal data training: the Guide recommends conducting training sessions and awareness campaigns for all employees (especially those directly involved in data handling processes). Useful information to be shared in these trainings can range from ways to use IT systems security controls to guidelines for filing physical documents in drawers, among others.
3. Creating an organizational environment that encourages users of company systems (both customers and employees) to report incidents and vulnerabilities when they are detected.
4. Contract management: Non-Disclosure Agreements (NDAs) should be signed by company employees or outsourced employees, guaranteeing their commitment to maintain strict secrecy of information involving personal data. When third parties are hired, the ANPD advises on specific clauses to include in the contracts to address themes, such as data sharing, controller-operator relations, guidelines on specific treatment to be carried out, and other treatments that are prohibited from being used, as they are incompatible with the instructions.
5. Data access control: only authorized persons should access the data. The system access must have authentication, allowing for the identification and tracking of who has access to the data and authorizations for its specific processing.
6. Security of stored data: (i) collect and store only necessary data; (ii) use solutions to store sensitive personal data[2] to prevent the identification of whose it is (e.g. use of cryptography); (iii) ensure that the data is only accessed by means of a password for individual use, instructing the employees about the importance of this security measure; (iv) avoid data transfer by physical devices, such as USB sticks or external HDs, among others; (v) back up data regularly and store the copies in devices other than the main storage (if stored in clouds, it is important to avoid real-time synchronization); and (vi) for the elimination of data stored in media, the ANPD suggests formatting prior to disposal and, if possible, destroying the disks (which also applies to data on paper). If there is a contract with third parties for disposal, the Handbook recommends establishing a clause to record the destruction carried out.
7. Ensure the security of data communications between customers and employees (and among employees themselves): use encrypted connections or applications with encryption, if possible, manage network traffic and ensure removal of personal data unnecessarily made available on public sites.
8. Keep a vulnerability management program: constant update and scan systems, applications, and software in use.
9. Control data access by mobile devices (such as smartphones and laptops) used for institutional purposes: employees, whenever possible, should have a device exclusively for professional purposes. Moreover, as mobile devices are more susceptible to loss or theft, the guide suggests how to evaluate the implementation of functionalities that allow for remote deletion of personal data stored on these devices.
10. Evaluation of services offered by cloud storage providers: verify if the storage providers meet the level of protection required for the intended data processing. In addition, service users should be educated on these requirements and on the use of multi-factor authentication techniques (e.g. tokens or SMS code delivery) for accessing the data room.

To ease the verification of the implementation of these measures, the ANPD has made a checklist available for internal use by these organizations, along with the Guide.

The Guide supports the differentiated application of the LGPD by small agents, since the regulation recognizes that smaller players may face greater budgetary or staffing difficulties in implementing these standards.

The debate over the rules for small data processing agents has been considered a priority. On one hand, it is understood that compliance with the LGPD may represent a burden for these enterprises, yet on the other hand, exemptions or simplifications may generate greater insecurity and reduce the businesses volume.

Following the ANPD’s Regulatory Agenda 2021-2022, a new resolution implementing this differentiated treatment for small and microenterprises and self-declared startups is under regulatory impact assessment. The draft has already been discussed at two Public Hearing sessions (held on 09/14 and 09/15), and it is currently under Public Consultation. Contributions will be accepted through the official platform until October 14.

[1] Law No. 13,709/2018 has been in effect since September 2020.

[2] According to the LGPD, art. 5, II, sensitive data are defined as any data that can be used for discriminatory purposes, such as personal data on racial or ethnic origin, religious conviction, political opinion, membership of a trade union or organization of a religious, philosophical, or political nature, data concerning health or sexual life, genetic or biometric data, when linked to an individual.

O conteúdo The ANPD publishes “Guidelines on Information Security for Small Data Processing Agents” aparece primeiro em Grinberg Cordovil Advogados.

This is the first time CADE decides to investigate conducts regarding the labor market, a topic which has been a growing trend in the United States (given the publication of the Antitrust Guide for Human Resources Professionals in 2016), as well as in the OECD’s 2020 round table (Competition Issues in Labor Markets).

O conteúdo Cade investigates whether exchanging human resources related information breaches the antitrust legislation aparece primeiro em Grinberg Cordovil Advogados.

According to the Technical Note that accompanies the Public Consultation, the ANPD believes it is important that “ the ANPD builds clear boundaries, along with the society, to make it possible to distinguish security incidents that may bring relevant risk or damage and that could require additional measures from those whose threat can be disregarded, if there is such.” . This would clearly define the aspects brought about by Article 48, caput and paragraph 2, from the LGPD, as well as a precise regulation on the deadline to adopt, which may or may not be based on international experiences.

In this sense, the Authority opened a Public Consultation on the topic, with questions, regarding the criteria for risk or damage assessment by the ANPD; the difference between risk and damage; the considerations that must be taken when assessing risk or damage; the information that controllers must present to the ANPD and data subjects; the definition of a reasonable deadline for informing both ANPD and data subjects; and possible exceptions to the obligation to inform the ANPD and data subjects.

O conteúdo ANPD Launches Public Consultation Regarding Data Security Incidents aparece primeiro em Grinberg Cordovil Advogados.

Context: In 2015, the CNIL ordered Google to expand its de-indexation, regarding the implementation of the right to be forgotten to all domains of its search engine. With this decision, a de-indexation request, based on the right to forgotten, claimed before google.fr that would have effects in several countries around the world, not just in France. The nonfulfillment to comply with this resolution by the company, resulted in a fine of 100,000 Euros. In light of this, the company appealed to the French Administrative Court (Conseil d’État) seeking the annulment of this decision. In its defense, Google argued that by imposing de-indexation to all of its domains of the search engine, the European Union (EU) would be violating the principle of Non-Interference, as well as the principles of freedom of expression, freedom of information, freedom of communication, and freedom of press disproportionately. As the subject raised sensitive issues, the Conseil d’État decided to refer the matter to the Court of Justice of the European Union.

The Court’s Decision: In order to solve the litigation, the Court has ruled that rights relating to the protection and free movement of personal data must be interpreted as meaning that when a search engine operator accepts a de-indexation request. It does not have to expand such deletion of references in all its versions and only of the versions that correspond to the Member States of the European Union. In addition, the decision addresses the need to combine the de-indexation with measures to prevent users located in the EU from having access to de-indexed content through other countries’ search engine versions.

O conteúdo The Right to be Forgotten is limited by the European Court of Justice aparece primeiro em Grinberg Cordovil Advogados.