Law No. 13,853 (“New Law”) was published on July 8, 2019, resulting from Draft Law No. 7 (“PLC No. 7”), which in turn derives from Provisional Measure 869/2018 governing the creation of the National Data Protection Authority (“ANPD”) in addition to other matters. As a result of vetoes of the text of PLC No. 7 by the Presidency of the Republic, the New Law brings significant changes to the General Personal Data Protection Law (Law No. 13709/19 – “LGPD”).
Among the main vetoes and consequent changes to the LGPD, we highlight the following:
- The Data Protection Officer (“DPO”)¹ will no longer be required to have legal and regulatory knowledge and be able to provide specialized data protection services, as previously provided in PLC No. 7.
- Three categories of sanctions for breach of the obligations set out in the LGPD, which had been established in subsections X to XII of article 52 of the PLC, were removed. The penalties excluded were: (a) partial suspension of the operation of the database to which the infraction refers; (b) suspension of the exercise of the activity of processing of personal data to which the infraction refers; and (c) partial or total prohibition of the exercise of activities related to data processing.
- There will no longer be a mandatory human review of automated decisions.
- The possibility for the ANPD to charge fees / emoluments for services rendered was also vetoed, which shall impact its financial autonomy.
However, the legal nature of the ANPD remains transitory, inasmuch as it can be transformed by the Executive Branch into an indirect entity of the federal public administration, consigned to a special autonomous regime and linked to the Presidency of the Republic. The evaluation of this transformation must take place within two years of the date of entry into force of the ANPD’s regulatory framework.
The presidential vetoes are still subject to analysis by the National Congress. However, given the quorum required for change, there is a high chance that they will be maintained.
Our Data Privacy and Cybersecurity practice is available for any further information or clarification regarding this matter.
¹ The DPO is the person who will act as a communication channel between the controller, the processor (in certain circumstances), the data subjects and the National Data Protection Authority.