On August 27, 2020, the Brazilian Presidency published Decree 10.474/2020 (the “Decree”) in the Official Journal, approving the regulatory structure of the new Brazilian data protection authority (the “ANPD”) and establishing its roles. The Decree will apply after the President-Director of the ANPD is officially appointed through publication in the Official Journal.

The Decree was published hours after the Brazilian Senate rejected a delay of the new Brazilian data protection law, Lei Geral de Proteção de Dados Pessoais (“LGPD”). As we previously reported, the Secretary-General of the Presidency of the Republic, Jorge Antônio de Oliveira Francisco, had announced that the Decree was ready for publication during a webinar organized by the Centre for Information Policy Leadership (“CIPL”).

According to the Decree, the ANPD must carry out public consultations, public hearings and analyses of regulatory impact prior to issuing regulations and standards. All public hearings must be recorded and published on the ANPD’s website. The ANPD can also issue a resolution establishing other means for stakeholders to participate in its decision-making processes.

The ANPD will have a staff of 36 people, including its President-Director and four Directors appointed by the Office of the Chief of Staff of the Brazilian Presidency appointed by the President and approved by the Senate. The remainder of the staff will be public servants reallocated from other governmental departments and the Military. Staff cannot refuse their new role and can be dismissed at any time.

The ANPD’s Council of Directors will include the President-Director, the four Directors and five project managers, who will be appointed for a term of four years. The Council of Directors will meet at least monthly and must publish its meeting agendas in advance. They will be the ultimate decision-makers within the ANPD, though they can delegate decision-making to other departments.

The Council of Directors will be responsible for executing most of the ANPD tasks outlined in the LGPD, including providing guidance, establishing further rules governing the ANPD, defining mechanisms to enable international transfers of personal data, requesting organizations to undertake risk assessments of data processing operations and acknowledging best practices concerning data governance. They also will be responsible for defining the methodology for the calculation of fines for non-compliance with the LGPD.

The Council of Directors will be supported directly by the following departments:

  • General Secretariat – composed of one secretary and four technical advisors. They will be responsible for all administrative tasks, including organizing the agenda of the Council of Directors’ meetings, overseeing the drafting of ANPD reports and promoting ANPD transparency.
  • General Coordination of Internal Administration – composed of one general coordinator and three other coordinators. They will manage human resources and finance.
  • General Coordination of Institutional and International Relations – composed of one general coordinator and one coordinator. They will be responsible for supporting the Council of Directors by engaging with international data protection authorities, supporting the authorization of international data transfers and assessing the level of adequacy of third countries and international bodies.

In addition, the ANPD will have the following departments:

  • Internal Affairs – composed of one inspector and one legal advisor, who will be responsible for internal disciplinary actions concerning the ANPD staff.
  • Ombudsman – composed of the Ombudsman and a technical advisor, who will be responsible for accepting complaints, queries and suggestions from the general public.
  • Legal Counsel – composed of one counsel and one coordinator, who will be responsible for interpreting the LGPD and other relevant laws and drafting regulations, which will be approved by the President-Director.

The following departments will be responsible for analyzing specific matters relevant to the LGPD:

  • General Coordination of Technology and Research – composed of one general coordinator and one other coordinator.
  • General Coordination of Standardization – composed of one general coordinator and two other coordinators.
  • General Coordination of Oversight/Inspection – composed of one general coordinator and two other coordinators.

Finally, the Office of the President-Director will be composed of one chief officer, responsible for drafting the ANPD’s annual report, determining its budget and managing spending, contracting and meetings.

The Decree also specifies the structure of the National Data Protection Council, the ANPD’s external advisory council (the “Council”); this body may issue its own bylaws with further details concerning its functioning. The Council will be chaired by the Office of the Chief of Staff of the Brazilian Presidency and include representatives of other governmental bodies, the Senate, the House of Representatives, civil society, scientific institutions and industry associations. Each body will be responsible for appointing its own representatives, who will not be paid for this work. Some bodies have already appointed representatives prior to the publication of the Decree, including the Senate and the House of Representatives. The Council will meet at least three times a year, preferably over video-conferencing, and its meeting agendas must be published at least a week in advance.

CIPL has published a paper on “The Role of the Brazilian Data Protection Authority (ANPD) under Brazil’s New Data Protection Law (LGPD),” outlining what the ANPD’s priorities should be once it is established. The paper is available in English and in Portuguese.