Accountability in the General Personal Data Protection Act (LGPD) leaves little room for controversy. The legislative text itself expresses the need for the data processing agent to demonstrate the adoption of effective measures and compliance with security standards, which is the principle of accountability. In its scope, however, some gaps leave room for divergent readings. Two of them are contained in the section on good practices and governance, a matter not yet addressed by the National Data Protection Authority (ANPD), as it was not included in the regulatory agenda.
Article 50 of the LGPD establishes that controllers and operators may, individually or through associations, formulate rules of good practices and governance. This is an opening for a kind of self-regulation, from which entities can specify organizational conditions, operating regimes, and procedures related to the processing of personal data.
The law defines that the controller must observe minimum criteria for implementing a privacy governance program and demonstrate its effectiveness when appropriate, for example when requested by the national authority or by another institution responsible for overseeing compliance with good practices. The third paragraph of the same article also says that the guidelines must be published and updated periodically, and that the ANPD may recognize and disseminate them.
According to Fabiano Menke, professor of Civil Law at the Federal University of Rio Grande do Sul (UFRGS) and member of the National Council for the Protection of Personal Data and Privacy (CNPD), there are at least two difficulties in the context of good practices and governance:
If an association adopts certain rules, must everyone in it follow them?
What criteria and procedure will the ANPD use to recognize and disclose such rules?
In response to the report, the ANPD informed, via the press office, that it has not yet addressed the matter. “The Authority is very zealous in responding to all issues related to the LGPD and, therefore, we have no way of responding at the moment, precisely because the matter has not yet been addressed in the Regulatory Agenda”.
For Menke, it should not be mandatory for an associate to follow the rules of good practices and governance of their entity. From the specialist's point of view, if an association approves guidelines for data processing within its sphere of competence, there should be a flexible mechanism for optional adherence.
Regarding the second point, the professor stated that the national authority must carry out a test to ensure that those rules comply with the LGPD, which gives rise to another obstacle: knowing the particularities of every sector. The LGPD “is a general law, and the ANPD oversees all of Brazil about data protection. How to know all the areas in the depth in which they operate today? It is very difficult. This calls for an investigation of what happens in that particular sector, which is far too complex,” he explained.
This difficulty was also acknowledged by Luiz Felipe Di Sessa, a partner in Data Protection and Cybersecurity at Mattos Filho. Hence, it is even possible to understand why the General Personal Data Protection Act leaves certain matters open. According to the lawyer, it would be unfeasible and undesirable for a legislator to try to determine standards of good practices and governance for all sectors, given that these models must vary according to the sector, the company, and the volume and sensitivity of the data processed.
Di Sessa also acknowledged that the adoption of these guidelines is beneficial to the data subject, but mainly to processing agents. This is because it reduces the room for unwanted surprises and, in a possible stress scenario, it would be possible to present to interested parties the effort made to comply with the law.