The National Data Protection Authority (ANPD) kicks off a public consultation on personal data security incident reporting rules
The public consultation is available on the +Brasil Platform until May 31, 2023.
On May 2, ANPD published a public consultation on the Personal Data Security Incident Reporting Regulation (Regulation) draft resolution. The document regulates article 48 of Law No. 13,709/2018, the General Personal Data Protection Law (LGPD), which provides for the criteria for reporting security incidents involving personal data that may pose significant risk or damage to data subjects.
The proposed Regulation is a response to ANPD’s guidelines on incident reporting, published in February 2021 and updated in December 2022. Any interested party may contribute to the public consultation on the wording of the Regulation until May 31 on the +Brasil Platform (in Portuguese). ANPD will also hold a public hearing on May 23 to discuss the proposal.
According to the draft proposal, the Regulation standardizes mechanisms for reporting personal data security incidents that cause significant risk or damage to data subjects. The Regulation aims to protect data subjects’ rights, ensure controllers mitigate or reverse incident-related damages, and ensure processing agents work transparently and build a trustworthy relationship with data subjects, among other aspects.
Below are the highlights of the Regulation, with our comments on points to be revised before the final document is published.
What is a personal data security incident?
Under the draft Regulation, a personal data security incident is any confirmed adverse event that violates the confidentiality, integrity, availability or authenticity of personal data.
Therefore, it is important to note that an incident is not just an undue disclosure of personal data, such as a “data breach”. Under article 48 of the LGPD, an incident also includes irregular loss or tampering of personal data and must be reported whenever it presents a relevant risk or causes significant damage to data subjects.
What are the criteria for reporting personal data security incidents?
Under LGPD Article 48, controllers must report incidents that cause relevant risk or damage to personal data subjects. Accordingly, ANPD’s draft Regulation sets out the criteria for determining which incidents must be reported.
According to the proposed text, an incident may present relevant risk whenever it involves any of the categories listed below and potentially jeopardizes data subjects’ fundamental rights and interests:
- Sensitive data;
- Children, teenagers, or elderly subjects’ data;
- Financial data;
- System authentication data; or
- Large-scale data.
Furthermore, the following will be considered an incident that may potentially jeopardize data subjects’ fundamental rights and interests:
- Hindering or restraining exercising rights or using a service; or
- Causing material or moral damage to data subjects, e.g., discrimination, physical harm, violation of the right to honor and reputation, financial fraud, or identity misuse.
In other words, if a situation triggers a criterion from each list above, the controller must report the incident to ANPD and the respective data subjects.
However, the proposed incident reporting classification deserves some consideration. Firstly, the proposed criterion for an incident that may incur “material and moral damage to data subjects” is vague and impractical, since assessing what may or may not incur material and moral damage relies on a judicial analysis of civil liability.
Besides, the criterion “large scale” (i.e., an incident has affected a significant number of data subjects, considering the amount of data and the data subjects’ geographic breadth and location) should be assessed separately from the nature of the affected data. Under the current proposed Regulation, one might interpret that controllers must report to ANPD an incident affecting the sensitive personal data of just one data subject, because of the intrinsic discriminatory risks related to this category of personal data.
Considering this example, in our view, it would be unreasonable to have a duty to report to ANPD a sensitive personal data incident involving just one data subject. In such cases, reporting the event solely to the affected data subject would likely be more efficient and sufficient. This way, the controller and the data subject can adopt risk mitigation measures if needed, without incurring costs for the public authority to investigate and process information related to the incident.
Therefore, we believe that the volume of affected data should be a separate criterion to define the risks of the incident, and this criterion should be assessed along with the other criteria ANPD has suggested to eventually confirm the need to report to the authority.
According to the proposal, how long does an organization have to report an incident?
The Regulation proposes a deadline of up to 3 business days after the controller becomes aware of the event to report both to ANPD and the respective data subjects. The proposed deadline therefore extends the one suggested in ANPD’s current guidelines, which is 2 business days.
However, ANPD points out in the draft Regulation that controllers have a 20-day deadline to report complementary information about the incident. The 20-day deadline starts after the controller becomes aware of the incident and can be extended only once, for another 20 days, upon a reasoned request and subsequent analysis by ANPD.
This provision therefore sets the maximum period within which the controller must conclude its technical assessment of the incident and provide all the information required under the upcoming Regulation.
What information must controllers report to ANPD and data subjects?
The Regulation proposes what information must be included in the reports to ANPD and data subjects when an incident occurs. Regarding reporting to ANPD, controllers must submit the same information the current incident report form requires but with more details about the affected data subjects. For example, controllers must specify how many children, teenagers, or elderly individuals were impacted.
Additionally, the proposal states that controllers must indicate both the total number of data subjects with personal data processed and the total number of data subjects affected by the specific processing activity involved in the incident, so that the large-scale data criterion may be assessed.
In addition, the controller must indicate that it has reported the incident to data subjects. This leads us to understand that organizations must inform data subjects before reporting the incident to ANPD.
As for notifying data subjects, the notice must include:
- A description of the nature and category of affected personal data,
- Incident-related risks or impact on data subjects,
- Action the organization is taking to mitigate or reverse the incident’s effect,
- The date the controller became aware of the incident, and
- The DPO’s contact information so data subjects can ask questions or get information.
The suggested Regulation underscores ANPD’s latest recommendation: controllers must inform data subjects directly and individually (e.g., by email or phone number already used by the controller for contacting data subjects) unless doing so is unfeasible. In that case, controllers may issue a public notice, e.g., on their websites or social media profiles.
ANPD’s proposal also states that controllers must keep records of personal data security incidents, including those unreported to ANPD and data subjects, for at least 5 years after registering the event; the Regulation defines the minimum data said records must contain.
Regarding administrative proceedings, the Regulation establishes the proceedings, within ANPD’s scope, through which personal data security incidents that may give rise to relevant risk or damage to data subjects are reported and their occurrence is ascertained.
As described in the Regulation, these proceedings may include the following:
- Security Incident Verification Procedure, whereby ANPD may check information about an incident not reported by a controller; and
- Security Incident Report Procedure, whereby ANPD may analyze an incident reported by a controller.
One of the noteworthy points is that, under the proposed Regulation, ANPD may audit or inspect data processing agents at any moment to gather complementary data or validate received information in order to make decisions during the personal data security incident reporting proceedings.
Furthermore, after assessing the seriousness of the incident, ANPD may require the controller to adopt measures to safeguard the data subjects’ rights. For example, ANPD may mandate public disclosure of the incident in the media or actions to mitigate or reverse the incident’s effects.
Finally, the Regulation establishes that ANPD may open an administrative proceeding for disciplinary action if a controller fails to adopt actions to reverse or mitigate the incident’s effects within the preestablished deadline and conditions.
The draft Regulation’s complete text is available here (Portuguese only).
Lefosse’s Technology, Data Protection and Intellectual Property Team closely monitors the changes that impact the Brazilian Market. For further clarification on this matter, or others that may be of interest to you, contact our professionals.
Have any questions? Contact our team at email@example.com