This Friday (28), it is remembered the International Data Protection Day, which was instituted on 26 April 2006 by the Committee of Ministers of the Council of Europe (EC). In Brazil, the date has been promoted by the recently created National Data Protection Authority (ANPD).
Sanctioned by Law N° 13.709/2018, the entity is responsible for inspecting, guiding, acting preventively and punishing violations of the General Data Protection Law (LGPD). The request of TecMundo, the ANPD informs that despite the application of sanctions in 2021, 27 inspection procedures were initiated, some of which are still in progress. Most cases are at the conclusion stage of the instruction or awaiting analysis by the General Inspection Coordination.
According to the ANPD, in relation to complaints and petitions sent by individuals, who felt that there were violations of privacy, the agency identified that most were related to improper exposure of personal data, mainly on the internet.
Read too: BRATA: Android malware steals your data and resets your phone
“As far as security incidents are concerned, the main perceived irregularity is the resistance to communicating data subjects about the incident and about the possible consequences of the incident that could affect the data subject”, explains another excerpt from the note.
The organization also points out that it is not uncommon to see companies that have difficulties in adopting security measures, technical and administrative, suitable for the correct application of the LGPD and suitable for the protection of personal data against incidents.
The law allows that, in addition to warnings, which indicate deadlines for adaptation, the institution has “police power”, being able to apply fines of up to 2% of the revenue of the legal entity governed by private law, group or conglomerate in Brazil. In value, each infraction can be a maximum of R$ 50 million, which has not yet occurred.
Inspection at the beginning
Luiza Leite, who is a lawyer with experience in digital law with a focus on data protection and privacy, explains to the TecMundo that in previous years the ANPD underwent a structuring. The period served for the institution to plan a system of inspection, dosimetry (calculation of the time of sentences), form a board of directors and more.
“The years 2020 and 2021 served more to set up this regulatory framework than to prosecute [as empresas]. Because of this, 2022 should be the first major year of oversight by the agency. Currently, the agency already has all the regulation parts so that it can apply all the sanctions that are provided for in the LGPD”, he said.
The expert recalls that despite the fact that the ANPD has not yet started to penalize with sanctions, there is the possibility of retroactive penalties. That is, companies that circumvented the data protection law since August of last year can be punished and held accountable from now on.
“In Brazil, we have related bodies that carry out inspection work. This is the case of the Public Ministry, Procon, Bacen [Banco Central] and Susep [Superintendência de Seguros Privados], for example, that within their scope are able to demand a level of compliance from companies”.
On the other hand, the specialist recalls that despite being in force since September 2020, many institutions are still not prepared for the LGPD. “The law is a great incentive for companies to start this movement, but many companies have not implemented these changes on a day-to-day basis and continue to treat data improperly,” he said.
“[…] many companies have not implemented these changes on a day-to-day basis and continue to treat data improperly”.
“It’s no use having all this structure and not doing ‘homework’. The public power being adequate is a first step, but action by the private sector is also needed. If there is no such collaboration, the LGPD may end up falling into disuse”, warns the lawyer.
Cybersecurity as an ally
Arthur Capela, country manager at Tenable, a cyber exposure company, defends TecMundo that the country has done an important job in terms of data protection. He recalls that the formation of the National Council for Data Protection and Privacy (CNPD), in November 2021, will be essential to foment the debate on the subject.
The CNPD is made up of members of society and the government and has among its attributions: disseminating knowledge about the protection of personal data and privacy to the population; prepare annual evaluation reports on the execution of the actions of the National Policy for the Protection of Personal Data and Privacy; and prepare studies and hold debates and public hearings on the protection of personal data and privacy.
Despite the advances, like Dr. Luiza Leite, Capela mentions that there needs to be a cultural change so that Brazilians are more secure in relation to personal information.
“It takes a complementary effort in two directions. The first is greater awareness of individuals, data owners, who need to be careful with their information. At the same time, it is important to work together with public and private companies so that they invest more in protecting the data they have. Cybersecurity and data protection are different topics, but they need to go hand in hand”, he argues.
The executive makes the correlation with digital security because bad protection structures end up exposing user databases. In this sense, the last Tenable Vulnerability Report showed that in 2020 alone, 18,300 new holes were found that could be exploited by attackers.
Because of this, Capela argues that there is still a need to improve maturity on cybernetic culture. Allied to the LGPD and new data protection entities, the country will be able to guarantee greater safeguards for Brazilians’ information, according to him.
ANPD Challenges for 2022
THE TecMundo also questioned the ANPD about the entity’s balance on the data protection work so far. The official’s note argues that the leaders believe that 2021 was “positive”. The justification is that in just over 1 year, the ANPD has already carried out 15 Deliberative Circuits, published 17 Ordinances, signed 4 Technical Cooperation Agreements, published 6 educational materials including Guides, Booklets, Fascicles and Articles (together with partners) and more.
Regarding the difficulties of inspection and protection of personal data in 2022, the agency says that “it sees them as opportunities”. Despite that, the organization makes it clear that it may suffer from the demands because the infrastructure and the number of employees is not ideal.
Part of the ANPD board during a meeting
“Our biggest challenge will be to improve the organizational structure, by changing the legal nature of an indirect federal public administration entity, subject to a special autonomous regime, in the search for greater autonomy and trust from society and international organizations, and increasing the our number of personnel, as we currently have just over 60 servers, in addition to an adequate physical and operational infrastructure to accommodate them”.
Finally, the ANPD points out that it will be challenged year after year to ensure the protection of the private data of Brazilians, as society is increasingly “connected and digital and technological resources develop”.