On January 27, 2022, the Brazilian Data Protection Authority (ANPD) edited Rule CD/ANPD #2 to regulate the application of the Brazilian Data Privacy Act, (LGPD), Statute #13,709/2018 to small processing agents: micro-enterprises, small businesses, startups, legal entities governed by private law, including non-profits, as per the legislation in force, as well as natural persons and depersonalized private entities that process personal data, assuming typical controller or processor obligations.
With this new regulation, small agents would benefit from distinct legal treatment, reasonably more flexible than that imposed by the LGPD to other personal data processing agents.
However, the rule itself made it clear that small processing agents that fit into one of the 3 situations below are not benefited from the distinct legal treatment brought by the rule:
SITUATIONS THAT EXCLUDE SMALL PROCESSING AGENTS FROM THE BENEFITS OF DISTINCT LEGAL TREATMENT
1. Small processing agents performing high-risk processing for data subjects, except for those that organize themselves by means of entities that represent business activity, by means of legal entities or by natural persons for the purposes of negotiation, mediation, and conciliation of complaints filed by data subjects.
2. Small processing agents earning gross revenue of more than BRL 4,800,000.00, or in the case of startups, BRL 16,000,000.00 in the previous calendar year or BRL 1,333,334.00 multiplied by the number of active months in the previous calendar year, when less than 12 months.
3. Small processing agents pertaining to a de facto or de jure economic group, the global revenue of which exceeds BRL 4,800,000.00.
Said rule establishes the concept of high-risk personal data processing as one that cumulatively meet at least one general criterion and one specific criterion, among the following and starting with the general criteria:
1. large-scale personal data processing; or
2. personal data processing which may significantly affect the data subjects' interests and fundamental rights;
The specific criteria:
1. use of emerging or innovative technologies;
2. surveillance or control of publicly accessible areas;
3. decisions made solely on the basis of automated personal data processing, including those intended to define personal, professional, health, consumer, and credit profile or aspects of the subject's personality; or
4. use of sensitive personal data or personal data of children, adolescents, and the elderly.
It is important note that ANPD's initiative to define high-risk personal data processing based on meeting two specific criteria, among the above mentioned, was an intelligent initiative. This prevents any subjectivity that could be attributed to the agent's data processing framework, should they not meet any of the general or specific criteria, and should they had been imposed for its characterization.
It so happens that the ANPD, in its role of educating society with regard to privacy and personal data protection, decided to make a guide with directions which will be supported by a public consultation, with the purpose of obtaining the information resources necessary for elaborating said material, especially with regard to large-scale and high-risk personal data processing.
Indeed, anyone can participate by accessing the form, which is available until September 28, 2022.