Eight years after the first public consultation promoted by the Ministry of Justice, Law 13.709/2018, known as the General Data Protection Law (LGPD), was sanctioned on Tuesday (14) by President Michel Temer. The LGPD originates from PLC 4.060/2012, which was converted into PLC 53/2018 in the Chamber of Deputies; it creates a regulatory framework for the protection of personal data in Brazilian territory and amends Law 12.965/16 (Marco Civil da Internet). Considering the 18-month vacatio legis period, the law will come into force in February 2020.
The timing of this law’s entry into force is not a mere coincidence. Its passage through the Senate occurred under an urgency regime, driven by the entry into force of the European data protection legislation, the General Data Protection Regulation (GDPR), in May of this year. The GDPR has required many Brazilian companies operating in the European Union or processing data of European citizens to adapt in order to avoid the hefty fines stipulated in this law and the loss of contracts with local partners. Among the new rules, the requirement for adequate levels of cybersecurity in the countries to which the data of European citizens is transferred was established.
It is in this context that major world economies are also seeking to respond to recent data breach incidents, such as that of Cambridge Analytica, which improperly used data from American Facebook users for electoral purposes, and here in Brazil, where the Public Prosecutor’s Office pointed to an alleged scheme of selling personal data of Brazilians by the Federal Data Processing Service (Serpro) to other public administration bodies.
The LGPD (Brazilian General Data Protection Law) aims to adapt the practices of Brazilian companies to these new standards and the current scenario, placing Brazil among the more than 120 countries that have a data protection law. The law regulates the use, protection, and transfer of personal data in Brazil, in both public and private sectors, online or offline. Let’s look at some of the main points covered:
Scope of application : applicable to any activity involving the use of personal data, both in the public and private sectors, online or offline, including consumer and employment relations.
Extraterritorial application : foreign companies with branches in Brazil or offering services to the national market are also subject to the law.
Personal, sensitive, anonymized, and public data : specific concepts and rules have been established for each type of data collected, stored, and shared.
Authorization for data processing : for the processing of personal data, which includes data collection, a legal basis will always be necessary, with consent being only one of the 10 hypotheses listed by the LGPD (Brazilian General Data Protection Law) that authorize the use of data.
Data protection principles : the LGPD lists 10 basic principles of data protection, including purpose, necessity, transparency, security, non-discrimination, accountability, and reporting.
Rights of data subjects : data subjects will have broad rights, including the right to information, access, rectification, cancellation or deletion, opposition, and portability.
Data Protection Officer (DPO) : every company subject to the LGPD must have a data protection officer, who will be a person appointed by the controller to act as a communication channel between the controller and the data subjects and the National Authority.
Security : those responsible for data processing must adopt technical and administrative security measures capable of protecting personal data.
Mandatory notification : notification to the ANPD (National Data Protection Authority) regarding the occurrence of information security incidents will be mandatory within a reasonable timeframe. The ANPD may also determine the notification of the data subjects involved and the public disclosure of the incident, depending on the severity of the case.
Sanctions : the ANPD may apply administrative penalties for violations of the LGPD, ranging from warnings to fines that may reach R$ 50,000,000.00 (fifty million reais) per infraction.
National Data Protection Authority : the LGPD established the National Data Protection Authority – ANPD, a public authority linked to the Ministry of Justice responsible for supervising the application of the law, which may establish guidelines for the protection of personal data in Brazil and will have the responsibility of developing the “National Data Protection and Privacy Policy,” with powers to monitor and apply sanctions, among other activities. Additionally, the National Data Protection and Privacy Council was created, an advisory body that will assist the ANPD.
However, President Temer’s sanction included some vetoes to certain provisions of the law, most notably the veto of the creation of the ANPD and the National Council. The justification for this exclusion is the legal prohibition against the Legislative branch creating bodies that generate expenses for the Budget, which would cause a “flaw in the initiative” since only the executive branch has this prerogative. Considering the fundamental importance of these bodies for the enforceability of the law, in the coming weeks the executive branch should create them through a provisional measure or a new bill of its own authorship.
Also vetoed were provisions that would have prevented the sharing of personal data by the Public Authorities with private entities, under the argument that this prohibition could make the provision of public services unfeasible, as well as Article 28 in its entirety, which provided for the publicity of the communication or shared use of personal data between public bodies and entities, as it would make the regular exercise of some public actions, such as inspection, control and administrative policing, unfeasible.
Finally, some sanctions provided for in Article 52 of the Bill were vetoed, such as the suspension or prohibition of the exercise of data processing activities and the partial or total suspension of the operation of databases. This veto was due to the risk of insecurity for those responsible for such activities, and the damages resulting from the unavailability of databases.
Therefore, considering the widespread use of personal data in the daily operations of companies across various sectors in Brazil, the LGPD (Brazilian General Data Protection Law) will require a significant effort for them to adapt to this new scenario as quickly as possible, given that the adaptation period is short considering all the measures to be taken. As with the European GDPR, the delayed adoption of measures can lead to operational difficulties and even the application of heavy administrative sanctions.
Attorney Luiz Guilherme Silveira Franco – lfranco@dvwca.com.br is available to provide any further clarifications deemed necessary on this subject.