Following debate in the Brazilian National Congress, Provisional Measure No. 869/2018 (“PM 869”) was converted into Draft Law No. 7/2019 (“Draft Law”) by the Federal Senate. The new text, which has been approved in Congress and establishes certain significant provisions regarding the LGPD, awaits presidential approval to be enacted into law.
We highlight below some of the relevant provisions of the new text of Law 13,709/2018 (the “General Data Protection Law” or “LGPD”):
- In the preliminary provisions chapter, two items immediately call for attention. Firstly, the Data Protection Officer, who shall possess the necessary legal and regulatory knowledge, must be appointed not only by the personal data controller but also, in some circumstances, by the processor; these circumstances will be regulated by the National Data Protection Authority in the future.
- Secondly, there is confirmation of the creation of the National Data Protection Authority (“ANPD”) as proposed in PM 869 (which had been vetoed in the first text of the LGPD); however, its nature is maintained as a federal public administration body in the Draft Law. On the positive side, the LGPD foresees the possibility of transforming the legal nature of the ANPD into an autonomous body two years after the enactment of the Law. This change, if it occurs in the future, will give the Authority greater independence in its operation, which is characteristic of an autonomous regime. In addition, the LGPD stipulates what will constitute revenue of the ANPD, guaranteeing a minimum financial backing.
- With respect to the requirements for processing of personal data, it will be possible to process personal data whose access is public for new purposes beyond the original ones, provided there are legitimate and specific purposes for the new processing.
- The LGPD now allows the processing of sensitive personal data related to health for the purpose of profit in relation to the provision of healthcare and health services as well as pharmaceutical assistance to the benefit of data subjects and also in certain specific situations, such as financial transactions resulting from these services.
- Among the rights of the data subject, the possibility of reviewing automated decisions that affect the interests of the data subject is maintained, but this right will need to be regulated by the ANPD, subject to certain conditions such as the volume of processing operations.
- The new text of the LGPD also brought a major change by including three new administrative sanctions in the case of violations of the law: (i) partial suspension of the operation of the database to which the violation refers; (ii) suspension of the exercise of the activity of processing of personal data to which the infraction refers; and (iii) a partial or total prohibition of the exercise of activities related to data processing. However, due to the severity of these penalties, they will only be applied in the case of recidivism (repeat offence), which is characterized by the application of at least one of the other sanctions provided for in the law for the same case.
- The new text also provides for a conciliation phase between the data controller and the data subject prior to the application of administrative penalties if the parties fail to reach a consensus.
- Among the changes in the competence of the ANPD, it is important to highlight that its performance will include supervision of compliance with the Statute of the Elderly (Brazilian Law No. 10,741/2003), insofar as it requires that information regarding the processing of personal data of the elderly be provided in a simple, clear and accessible way that is adequate to their understanding. This means that companies dealing with so-called “third-age” audiences (an age bracket in Brazil that includes the elderly) will eventually need more streamlined and “less-technological” means to inform their clients about the circumstances surrounding the processing of their personal data. In addition, the ANPD should establish norms that simplify procedures for micro- and small-sized businesses as well as for startups engaged in disruptive initiatives.
Now, more than ever, the implementation of the measures to comply with the General Data Protection Law is advancing at full steam and with greater security, as a result of the approval of the new text, pending only enactment into law by the President of the Republic.
Our Data Privacy and Cybersecurity team is available for any further information or clarification on this matter.