The approval of the final text of the law now opens up the debates regarding the composition of the directive body of the National Data Privacy Authority (ANPD, mentioned below); the first guidelines on interpretations of the LGPD and also the edition of the regulation of the LGPD, which should include issues related to the processing of data by the Government, the operationalization and the deadlines to attend the rights of the data holders, the measures of information security, the DPO specifications, among other relevant topics.

Regarding the Data Privacy Officer, following the logic of the European Regulation (GDPR), the final version of the Brazilian law provides that such a function should exist not only for those controlling companies, but also for the operators. Both should appoint a person in charge to engage as a channel of communication between the controller, the data holders and the National Data Privacy Authority. The latest changes now predict that such role can be performed by a natural person or a legal person, amplifying the role of the DPO that now can be performed by a company.

With respect to the use of publicly accessible data, the approved law waives further approvals for the use of the data for new purposes (other than those for which the data was made public at the first time), provided that legitimate and specific purposes for the new treatment are observed and the preservation of the rights of the data holder, as well as the grounds and principles foreseen in the LGPD.

  The story of the new privacy landmark in Brazil is far from over but as of now the country can be proud of its new achievement on the protection of the privacy of its citizens, both in digital and physical realms.

Furthermore, LGPD also brought some changes related to the review of automated decisions, since initially it was anticipated that any data subject would have the right to request revisions of decisions made exclusively in an automated manner and such revision should be made, by a human agent. The need for human participation had been withdrawn by Provisional Measure 869 in force since December 2018, however the text of the law provided that such obligation was incorporated again, and then suffered a veto by the President by the time of sanctioning the law. Thus, in the LGPD there is no longer the obligation of a review made by humans, what allows companies to employ its algorithms on the review of previous decisions or data treatments.

The regulatory legal knowledge of the DPO was also subject to change through a presidential veto, and the final text of the approved LGDP determines that the DPO is not necessarily required to have regulatory legal knowledge in data privacy, under the justification that the requirement is “excessive severe and reflects an unnecessary interference on the part of the State in the discretion for the selection of the productive sector staff, as well as offends fundamental right, foreseen in art. 5, XIII of the Constitution of the Republic, for restricting free professional practice to the point of reaching its essential core”.

Despite the attempt by the Congress to circumvent the vetoes of then-President Michel Temer, the administrative sanctions in the way they were known were kept in the LGPD, as follows:

1. warning, indicating the deadline for the adoption of corrective measures;
2. simple fine, up to 2% (two percent) of company’s annual income, considering its group or conglomerate in Brazil, in its last fiscal year, excluding taxes, limited in total to a R$ 50,000,000.00 (fifty million Brazilian reais) per infraction;
3. daily fine, subject to the total limit abovementioned;
4. publication of the infringement in the media;
5. blocking the personal data that the infraction refers to until its regularization; and
6. elimination of the personal data to which the infraction refers.

Finally, the law creates the National Authority for the Protection of Personal Data (“ANPD”). Vetoed on the occasion of the publication of the LGPD in August of last year, recreated by MP 869/18 and amended now, the body will be responsible for supervising and guiding the compliance with the LGPD.

According to the current version of the Law, ANPD will be a direct federal public administration body, a member of the Office of the Presidency of the Republic, and it will be possible for the Executive Branch itself to reassess this condition in 2 years from the entry into force of its regimental structure.

If this happens, the Executive Branch, according to the LGPD, may transform the ANPD into an indirect federal public administration entity, subject to a special autarkic regime and linked to the Presidency of the Republic, which, in theory and at least legally, gives greater autonomy and independence to authority.