Rafael Pellon, MEF LatAm advisor and Technology, Media & IP Law specialist Nathalia Santos share an update on the latest developments in Brazilian data privacy regulation, and the recently approved Brazilian Data Protection Law.
After much discussion and negotiation in Congress, the Brazilian Data Protection Law (“LGPD”) was finally approved on July 9th, 2019. After its review, Congress passed the document to the President for sanction and veto. The President made some final amendments before approving the final wording, which will come into force on August 16, 2020, an extension of 6 months from the first deadline that was set.
Amongst the changes made in the new law are the definition of the Data Privacy Officer (DPO); the specific rules for the use of publicly accessible data; the review of automated decisions by natural persons; the framework of sanctions applicable for non-compliance with the law and the creation of the National Data Privacy Authority.
The approval of the final text of the law now opens up the debates regarding the composition of the directive body of the National Data Privacy Authority (ANPD, mentioned below), the first guidelines on interpretation of the LGPD, and the issuance of the regulation of the LGPD, which should cover the processing of data by the Government, the operationalization of and deadlines for attending to the rights of the data holders, information security measures, and the DPO specifications, among other relevant topics.
Regarding the Data Privacy Officer, following the logic of the European Regulation (GDPR), the final version of the Brazilian law provides that such a function should exist not only for controllers, but also for operators. Both should appoint a person in charge to act as a channel of communication between the controller, the data holders and the National Data Privacy Authority. The latest changes now provide that the role can be performed by a natural person or a legal person, broadening the role of the DPO, which can now be performed by a company.
With respect to the use of publicly accessible data, the approved law waives further approvals for the use of the data for new purposes (other than those for which the data was made public in the first place), provided that legitimate and specific purposes for the new treatment are observed and that the rights of the data holder are preserved, as well as the grounds and principles foreseen in the LGPD.
Furthermore, the LGPD also brought some changes related to the review of automated decisions. Initially it was anticipated that any data subject would have the right to request revision of decisions made exclusively in an automated manner, and that such revision should be made by a human agent. The need for human participation had been withdrawn by Provisional Measure 869, in force since December 2018. The text of the law passed by Congress incorporated the obligation again, but it was then vetoed by the President at the time of sanctioning the law. Thus, in the LGPD there is no longer an obligation of review by humans, which allows companies to employ their algorithms in the review of previous decisions or data treatments.
The regulatory legal knowledge of the DPO was also subject to change through a presidential veto, and the final text of the approved LGPD determines that the DPO is not necessarily required to have regulatory legal knowledge in data privacy, under the justification that the requirement is “excessively severe and reflects an unnecessary interference on the part of the State in the discretion for the selection of the productive sector staff, as well as offends fundamental right, foreseen in art. 5, XIII of the Constitution of the Republic, for restricting free professional practice to the point of reaching its essential core”.
Despite the attempt by the Congress to circumvent the vetoes of then-President Michel Temer, the administrative sanctions in the way they were known were kept in the LGPD, as follows:
- warning, indicating the deadline for the adoption of corrective measures;
- simple fine, up to 2% (two percent) of the company’s annual income, considering its group or conglomerate in Brazil, in its last fiscal year, excluding taxes, limited in total to R$ 50,000,000.00 (fifty million Brazilian reais) per infraction;
- daily fine, subject to the total limit mentioned above;
- publication of the infringement in the media;
- blocking the personal data that the infraction refers to until its regularization; and
- elimination of the personal data to which the infraction refers.
Finally, the law creates the National Authority for the Protection of Personal Data (“ANPD”). Vetoed on the occasion of the publication of the LGPD in August of last year, recreated by MP 869/18 and amended now, the body will be responsible for supervising and guiding the compliance with the LGPD.
According to the current version of the Law, the ANPD will be a direct federal public administration body, a member of the Office of the Presidency of the Republic, and it will be possible for the Executive Branch itself to reassess this condition in 2 years from the entry into force of its regimental structure.
If this happens, the Executive Branch, according to the LGPD, may transform the ANPD into an indirect federal public administration entity, subject to a special autarkic regime and linked to the Presidency of the Republic, which, in theory and at least legally, gives greater autonomy and independence to the authority.
The degree of independence of the ANPD from the Government will be a relevant fact when the European Union analyzes the level of adequacy of Brazil as a “safe territory” for the receipt of data protected by the GDPR.
Notwithstanding the updates above, the Brazilian Congress still has to review more than 100 bills of law designed to change the LGPD and its principles, besides trying to override the vetoes issued by President Bolsonaro. The story of the new privacy landmark in Brazil is far from over, but as of now the country can be proud of its new achievement in the protection of the privacy of its citizens, in both the digital and physical realms. We will continue to follow up on the changes in this scenario and update MEF members as needed.