The General Data Protection Law (Law 13,709/18 – LGPD) established a complex set of rules and regulations whose implementation depends, to a large extent, on interpretation and supplementation by a competent body, in this case the National Data Protection Authority (ANPD).
Furthermore, the wording of the LGPD itself, in line with personal data protection legislation around the world, adopted as one of the main rules for demonstrating compliance with the legislation, the use of the institute of regulated self-regulation to the detriment of the logic of state command and control. This delegation of powers and accountability attributed to data controllers and operators is clear in several provisions of the LGPD that indicate that it is the responsibility of the data processing agent to adopt effective measures capable of proving compliance with and compliance with personal data protection standards, as well as the effectiveness of these measures.
In this sense, article 50 of the LGPD indicates the possibility for controllers and operators to formulate, individually or through associations, rules of good practices and governance, in addition to specific regulatory standards on personal data, which can be recognized and published by the ANPD and their existence and observance can be considered to mitigate possible sanctions.
The provisions of Article 50 of the LGPD have been highlighted by several sectors of the economy as a great ally in proving the regularity and good practices of data processing agents under the LGPD. In fact, the ANPD cannot be given the responsibility of regulating all details related to data processing in all economic sectors and at this point it is more than necessary to count on interested parties to define their own specific rules that demonstrate their commitment to the LGPD. And it is in this sense that Article 50 gains its prominence in the LGPD.
It is important to note that consultation with economic sectors to formulate rules relating to data protection has already been carried out, to a certain extent, by the ANPD through the signing of technical cooperation agreements which, as part of the agency's strategic planning, have as their main objective the promotion of dialogue with public and private entities for the joint construction and implementation of strategic partnerships that incorporate best practices related to the topic of data protection, such as the agreements already signed with Senacon, Cade, NIC.br and the TSE.
In addition, the authority has been collecting input from society to regulate several points still open in the LGPD. In 2022, for example, the contributions received from micro and small businesses that gave rise to Resolution No. 2, which regulates the application of the LGPD for small-scale data processing agents, were largely the result of prior debate held with society to understand the peculiarities of the sector and adapt the requirements of the law to the reality of small-scale agents.
Thus, the creation of specific good practice rules, whether through technical cooperation agreements, through mechanisms such as obtaining subsidies, or through regulated self-regulation of each sector can, if well structured, be fundamental in protecting the fundamental right to the protection of personal data.
Especially with regard to the institute provided for in article 50 on regulated self-regulation, it is clear that the LGPD, even due to the generic and procedural nature of the rule, does not indicate how it can be implemented and what requirements must be adopted by economic agents and taken into consideration by the ANPD for the approval of these rules, including when formulated by associations, in order to ensure that the institute meets the basic notions of procedural legitimacy, publicity and participation of those who will be affected by the rules, as allowed by article 50 of the LGPD.
In this regard, Bill No. 6,212/2019 was presented by then Senator Antonio Anastasia, which amends the LGPD to improve the mechanisms of regulated self-regulation within the scope of the LGPD. Without addressing the merits and adequacy of the bill, this bill is already a winner because it puts the issue up for debate and brings specific provisions not only on the best way to regulate this instrument within the scope of the LGPD but also on the requirements that must be taken into consideration by the ANPD.
It remains to be discussed within the scope of the project's processing and/or within the ANPD itself whether it is the case for a change in the LGPD as intended by the rapporteur, to provide for self-regulation mechanisms regulated in the LGPD itself or, whether the Authority itself, within the limits of its competence, can define procedural rules for the viability of the institute.
In any case, it is important to pay attention to the next steps of this bill so that, together with the ANPD, we can establish the adequate and effective implementation of the regulated self-regulation institute, otherwise, failing to do so, the institute will become a dead letter in the law. The adequate implementation of this institute contributes not only to the acculturation of society regarding data protection, making it permanent and effective, but also presents itself as a great ally of the inspection agents, since it is above all a recognized tool that allocates risks and shares the guarantee of compliance with the legislation with the processing agents, making the application of the law itself more rational and effective.
Dr. Ellen Carolina da Silva
Luchesi Lawyers
With a history spanning over 30 years, we are a reference in providing specialized legal services to clients in the agro-industrial production chain and other sectors of the industry. Our activity has been recognized nationally and internationally and stands out for the innovative way in which we handle consultancy issues, contractual negotiations, as well as litigation and strategic operations in agribusiness.