[BreachExchange] Brazilian government to create data protection authority

Destry Winant destry at riskbasedsecurity.com
Wed Jan 2 22:24:25 EST 2019


https://www.zdnet.com/article/brazilian-government-to-create-data-protection-authority/

Brazil's National Authority for Personal Data Protection (ANPD, in the
Portuguese acronym) will be created and the go-live date for the new
information law extended through a stopgap measure signed by former
president Michel Temer.

The provisional measure that creates the ANPD was released on December
28 as one of the last decisions made by Temer before Jair Bolsonaro
took over as the country's new president yesterday (1).

The creation of the agency had been initially vetoed by Temer at the
time he signed the country's General Data Protection Regulations last
August. The autonomy model of the body was one of the main reasons
behind the veto - however, the body is considered crucial for the
implementation of the new rules so the government was forced to
address the issue.

Attributions of the ANPD as stated in the measure released last week
include the creation of frameworks on how to handle information and
guide organizations on how to adhere to the rules. It will also be
responsible for monitoring and applying fines to non-compliant
organizations.

However, since the early discussions of the Bill that originated
Brazil's GDPR, the government implied that it would prefer to create a
data authority that would not be as heavy-handed towards government
agencies as it would have to be with private sector organizations.

Other items vetoed by Temer at the time the data bill was signed
included the protection of information of citizens requesting access
to government information. The original idea was that such citizen
information would not be shared between government agencies or private
sector organizations.

If the latest measure goes ahead with its original content, the result
would be the creation of a weaker data protection body, linked to the
federal government with limited autonomy for decision-making,
especially when it comes to protecting citizens against data-related
incidents involving public sector bodies.

The new agency would be composed of a board of directors of five
members, to be chosen by the president, as well as an advisory board
of 23 members including public, private a third sector
representatives.

As well as the inception of the new data protection agency, Temer also
tried to buy some extra time for local organizations to comply with
the new regulations. Brazil's data protection law was due to go live
in February 2020 - with the stopgap measure, the deadline would be
postponed until August next year.

The measure is due to be voted by the Brazilian Congress over the next 60 days.


More information about the BreachExchange mailing list