In July, President Jair Bolsonaro sanctioned the final version of the Brazilian General Data Protection Law that converted the Provision Measure and consolidated the LGPD with publication in Brazil’s Union Official Journal. The legislative process for the creation of the LGPD began in 2010 and subsequently, Law no.13709/18 was enacted in August 2018. However, former President Michel Temer argued there were issues related to the constitutionality of the law and issued executive order Provisional Measure no. 869/18, which amended some aspects of the LGPD (e.g. extending the compliance period of the law to August 2020 and created the Brazilian National Data Protection Authority). The provisional measure review was finalized by Brazilian Federal Senate approval in May 2019 and followed by the presidential sanction.
Before sanctioning Law no. 13.853/19, Bolsonaro made some important changes/vetoes that need to be clarified:
Role of the data protection officer
Unlike the draft version, the final version of the law does not require the data protection officer (“encarregado” in Brazil) to have legal and regulatory knowledge of data protection. In the draft version of the law, the DPO would have been required to have an understanding of both the LGPD and the EU General Data Protection Regulation as there are differences between the laws. Bolsonaro argued this would be an overly rigorous requirement, the opposite of the public interest and an affront to fundamental rights.
Also, in the final law, the data controller appoints the DPO, which is a different process than in the GDPR.
Review of automated decisions
The draft proposal of the LGPD provided that if a data subject wants to solicit review of any decision made exclusively by automated means, they could request the company use a human agent to conduct the review. Under the final law, companies do not need to provide reviews by a human agent.
The final law also differs from GDPR Article 22, which gives data subjects the right to obtain human intervention in relation to review of automated decisions.
Treatment of personal health data
Law no. 13.853/19 that establishes health protection now encompasses procedures made by health services, health professionals and sanitary authorities, which is wider than the draft version. Under the final law, it is prohibited from sharing of special categories of personal data, unless:
- The treatment is for health services, pharmaceutical and health care assistance.
- It is beneficial to data subjects interests.
- It is not intended for private health insurance to analyze the contract risks, as well as including and excluding beneficiaries.
- It is related to one of the following activities: data portability requested by the data subject or financial transactions resulting from the use of the services.
The creation of the National Data Protection Authority
Under the final law, the National Data Protection Authority is now directly connected to the office of the president but can be changed within two years after entering into force, submitted to a special autarchy regime and linked to the Presidency of the Republic of Brazil, which gives more autonomy and independency to the ANDP.
The main activities of the ANDP ensure compliance with the law, receive and process data subject’s complaints, conduct audits, and support the enterprisers on how to really understand and get ready for the situations that will come up when the law comes into force.
Administrative sanctions
The administrative sanctions remain the same as the draft version, but it is worth repeating. The penalties start from warnings to more heavily sanctions, applicable by the supervisory authority:
- Warning, with an indication of a term for adoption of corrective measures.
- Simple fines up to 2% for the prior year of sales revenue, excluding taxes of the legal entity of private law, group or conglomerate in Brazil, limited to 50 million reais per infraction.
- Daily fine limited to the value referred above.
- Disclosure of the infraction after it has been duly investigated and its occurrence has been confirmed.
- Removal of the personal data to which the infraction relates.
Before the LGPD was sanctioned, Brazil had several different sectoral laws that protected personal data against misuse. The LGPD provides specific regulations, which gives legal security to citizens and the country will become more efficient in this matter. Brazil is now part of more than 100 countries that already have a specific data protection law in place.
Photo by Agustín Diaz on Unsplash.