On Dec. 28, 2018, Executive Order (MP) n° 869, of December 27th 2018, was published in the Diário Oficial da União. It promotes several alterations to Federal Law n° 13.709, of Aug. 14, 2018, known as the Brazilian General Data Protection Regulation (LGPD). One of the most important alterations is the creation of the Brazilian National Data Protection Authority (ANPD). It is important to mention that MP n° 869/18 also alters the vacatio legis period for the LGPD to 24 months, changing the enforcement date from February 2020 to August 2020. During this vacatio legis period, the ANPD must exercise collaborative and consultative functions, aiming to provide assistance in the process of compliance with the new law.
It is important to remember that at the time of its promulgation in August 2018, the LGPD was subject to presidential vetoes by Michel Temer, in particular with regard to Articles 55 to 59, which constituted and organized the ANPD and the National Council for the Protection of Personal Data and Privacy, or Conselho Nacional de Proteção de Dados Pessoais e da Privacidade. The justification given for the veto was "vice of initiative," that is, one of the branches (executive, legislative or judiciary) has proposed something that is not within its prerogative — in this case, the National Congress. Thus, the initiative for the creation of these entities should come from the Executive Power, as has just been done via an executive order, a type of norm in the Brazilian legal system that is proposed by the president and not the National Congress.
It is worth keeping in mind that executive orders have immediate application, but their conversion into law is conditional on assessment by the National Congress within a period of 120 days. Therefore, the conversion into law of MP n° 869/18 will be the responsibility of the new Congress, which will be formed in 2019 based on the 2018 elections.
Among the main changes brought by the executive order to the LGPD are:
- The creation of the Data Protection National Authority on December the 28th, which will be part of the presidency and consist of five directors.
- The creation of the Data Protection National Council, with 23 representatives from a multi-sectoral background.
- Modification of the vacatio legis period to 24 months. Hence, excluding the Data Protection National Authority, which will be operating from December 2018 onwards, the LGPD will only enter into force in August 2020.
- Data Protection Officers (encarregado) no longer need to be natural persons, which means that companies, committees and working groups can take the position. Furthermore, the MP states that the DPO role can be performed by a third party.
- Revocation of the provision that prevented personal data from national and public security databases from being processed by private actors, now with some exceptions.
- Removal of the possibility of requesting data protection impact assessments from the National Authority for national and public security processing purposes, which may impact transparency obligations by the Public Authorities.
- Transparency and access to information obligations have been reduced when the processing is based on the legal basis of (i) legal obligation and (ii) public policy.
- The inclusion of a provision granting the possibility to share health data when the purpose is to provide supplementary health services, even if there is economic advantage. What continues to be banned is the pure commercialization of health data (raw data).
- It will no longer be necessary that a natural person review totally automated decisions affecting the interests of the data subjects. With the new wording, the data subjects continue with their right to review, nevertheless not necessarily by a natural person. The ANPD is empowered to request information at any time from the controllers and processors of personal data who carry out personal data processing operations.
- Article 26 governs the shared use of personal data by the Public Authorities. Paragraph 1 sets out the exceptions to the sharing of such data with private entities, increasing their role. With the new wording, it is possible to transfer personal data which is the public authority's responsibility to private entities when: (i) the private entity has appointed a data protection officer (encarregado); (ii) there are legal provisions or administrative legal instruments; (iii) the transfer is for the purpose of fraud prevention, security and integrity of the data subject; and (iv) data are publicly accessible.
- The prerogatives of the ANPD were changed when compared to the text sent to the National Congress. Among the relevant changes, the following are the most prominent:
  - Removal of the express provision of audit power in private and public entities to inspect compliance with the data protection rules, however keeping the power of requesting information and inspection in the event of data processing conducted upon failure to comply with the legislation, through administrative process.
  - The ANPD should liaise with the public regulatory authorities (such as BACEN and regulatory agencies) to exercise its powers in specific sectors of economic and government activities subject to regulation.
  - The elaboration of the National Policy for the Protection of Personal Data and Privacy will no longer be included within its obligations, although the policy is mentioned in the part of MP which creates the National Council for the Protection of Personal Data and Privacy.
  - There will be a permanent forum for communication, including by means of technical cooperation, with bodies and entities of the public administration responsible for regulating specific sectors of economic and government activity, in order to facilitate the regulatory, inspection and punitive competence of the ANPD.