On Monday, August 30, 2021, the National Data Protection Authority (ANPD) published a public consultation on draft proposals governing the application of the Common Law for the Protection of Personal Data (LGPD) for micro and small-sized businesses . For business initiatives of an incremental or disruptive nature that declare themselves as startup or innovation companies, as provided for in Article 55-J, item XVIII of that Law.
Public consultation will be available on Plataforma + Brasil to send contributions for 30 days and public hearings on the subject were scheduled for September 14 and 15, 2021.
The draft proposed by ANPD aims to facilitate the application of LGPD and contribute to the spread of data protection culture through the possibility of adoption of simplified and differentiated processes by micro enterprises, small businesses, startup and innovation companies and non-legal entities. Benefit.
It is, in fact, the rule of relaxation and flexibility relative to controls of LGPD for a group of organizations, which together were referred to as “short healing agents”.
Who are the Small Healing Agents?
micro and small business: ANPD adopted the gross revenue criterion of Art. 3heynumber of supplementary lawhey 123/2006 which established the National Law on Micro Enterprises and Small Business. Thus, business companies, ordinary companies, individual limited liability companies and individual micro-entrepreneurs earn a gross income equal to or less than R$4,800,000.00 (which refers to the relative upper limit) for the small business, in each calendar year ;
startup: ANPD once again did not innovate and adopted pre-existing norms, in this case, the Legal Framework for Startups and Innovative Entrepreneurship established by the Supplemental Law.hey 182/2021. Art. 4hey That law establishes a range of eligibility criteria, which include, in essence, an annual (R$16,000,000.00) or monthly gross revenue limit; Constitution’s time limit (10 years); Declaration of relevant activity in the articles of incorporation or under the special regime Innova
. Non-Profit Legal Entities: Formed by associations, foundations, religious organizations and political parties;
- replicated entities, who process personal data assuming specific controller or operator obligations;
- any healing agent, whose gross revenue is up to R$16,000,000.00 in the previous calendar year or R$1,333,334.00 multiplied by the number of months of activity in the previous calendar year, when less than 12 (twelve) months.
Exception – high risk treatment
The exemption, flexibility or remission established by the draft resolution does not apply, even if the treatment is performed by a smaller treating agent, when the treatment is high risk and massive. High-risk treatments, in an exemplary list and including treatments at large, are those that include:
- sensitive data or data of sensitive groups, including children, adolescents and the elderly;
- monitoring or control of publicly accessible areas, those were defined as spaces open to the public, such as squares, shopping centers, public roads, bus and train stations, airports, seaports, public libraries, among others;
- use of emerging technologies, causing material or moral damage to holders, such as discrimination, infringement of the right to image and reputation, financial fraud and identity theft;
- automatic processing of personal data, defined as those that affect the interests of the holders, including decisions aimed at defining their personal, professional, consumer and credit profiles or aspects of their personality; Or
- massive treatment, Which covers a significant number of holders, considering the amount of data involved, as well as the duration, frequency, and geographic extent of treatments performed.
It shall be the responsibility of the Small Size Handling Agent to assess and prove its classification in exemptions and exceptions, as the case may be, and ANPD is entitled to change the same in its inspection activity. In addition, ANPD may determine the fulfillment of obligations even if the framework is adequate, considering the circumstances of the situation, including the nature and volume of operations and the risks to the holders. It shall be the responsibility of the Small Size Handling Agent to assess and prove its classification in exemptions and exceptions, as the case may be, and ANPD is entitled to change the same in its inspection activity. In addition, ANPD may determine the fulfillment of obligations even if the framework is adequate, considering the circumstances of the situation, including the nature and volume of operations and the risks to the holders.
Flexibility of dismissal and obligations
As a general rule, dismissal and waiver do not exempt the small processing agent from complying with other legal and regulatory obligations regarding the protection of personal data.
The dismissals and flexibility are as follows:
- With respect to the rights of the holder: (i) does not provide data portability; (ii) the choice between methods of anonymizing, blocking or deleting data that is unnecessary, excessive or treated in violation of the LGPD; (iii) Compliance of access rights through simplified format declaration only; (iv) information to the holder about the treatment by electronic means; (v) the right to be represented by third parties for the purposes of negotiation, arbitration and settlement of claims from the holders.
- Exemption from duty to register treatment activities: Exemption from duties of art. 37 of the LGPD, who will become volunteers. However, the records remain valid for the purposes of accountability, good practices and dosimetry of the resulting dimensions and sanctions.
- Right to submit simplified personal data protection impact reports.
- security incident reportingRelaxation, flexibility or simplification as defined by the ANPD in specific regulations.
- Foreman or DPO: Exemption from the duty of indicating, with the duty of providing a communication channel with the holder.
- information security: The right to a simplified information security policy that takes into account the structure, scale and volume of small agent operations, as well as the sensitivity and criticality of the processed data, in addition to implementation costs.
The draft resolution provides a dual deadline for short processing agents to meet holders’ requests, to communicate to ANPD and holders about a personal data protection incident, except when there is a potential compromise to holders’ integrity or national security. and for the time limits established in specific regulations for the presentation of information, documents, reports and records requested by ANPD to other treatment agents.
According to SEBRAE statistics, there are 6.4 million establishments in Brazil. Of this, 99% are micro and small businesses. These establishments account for 52% of formal jobs in the private sector. In addition, at last count, there were 3.7 million individual micro-entrepreneurs in Brazil.
Given the importance of the subject to data security, since these numbers should also be reflected in the amount of data handled, we have set an international benchmark for the matter. In addition to the comparison with GDPR, we chose countries relevant to comparison with Brazil (Mexico and Argentina) or reference countries in terms of personal data protection (Canada, Australia, Hong Kong and Singapore).
Surprisingly, only Europe (GDPR) and Australia have provisions similar to those contained in the draft proposed by the ANPD. In Europe, the legislator opted to establish a framework for a maximum number of employees (250), referring only to the duty to register treatment with flexibility. Nevertheless, there are exceptions to the flexibility, which are similar to the draft regulation. On the other hand, in Australia, the main eligibility criterion is financial: a limit of 3 million Australian dollars of annual gross revenue, with no flexibility but full exemption.
In both Mexico, Hong Kong, Singapore, Argentina and Canada, the most important references are guidelines issued by local authorities (DPAs), if any. No official flexibility or exemption arrangements were identified.
The fact is that, regardless of the points that should be reconsidered by the ANPD during the public consultation period, giving special treatment to small and medium-sized companies and startups is appropriate and relatively innovative in the context of public policy.
Gustavo Artes and Luiza Vidal Rocha, attorneys for Artes Advogados.