On May 28, 2019, Provisional Measure No. 869/18 was approved by the Brazilian Chamber of Deputies, promoting amendments to several articles of the Brazilian General Data Protection Law (in Portuguese, Lei Geral de Proteção de Dados - LGPD - Law No. 13,709/2018), enacted in August 2018; and created the Brazilian Data Protection Authority (Autoridade Nacional de Proteção de Dados - ANPD). On the following day, on May 29, 2019, the Provisional Measure was transformed into Conversion Bill No. 7/2019, as a result of the alterations made in the Chamber of Deputies, being also approved in the Federal Senate.
In Conversion Bill No. 7/2019, the creation of the National Data Protection Authority (ANPD) was maintained, however, its nature was determined to be transitory, and it may be transformed by the Executive Branch, within two (2) years, into an entity of the Indirect Public Administration, subject to a special autarchic regime and linked to the Presidency of the Republic. The structure given by MP 869/2018 to the ANPD was, therefore, preserved.
In addition to the creation of the ANPD, the Conversion Bill also maintained the deadline for the LGPD to enter into force as of August 2020.
The main changes brought by Conversion Bill No. 7/2019 are:
- The Data Protection Officer (DPO), who previously had no qualification requirements, must now have legal and regulatory knowledge, as well as the ability to provide specialized data protection services
- An economic group may appoint a single DPO for companies of the same economic group, provided that access is facilitated.
- The ANPD will define the cases in which operators (data processors) must also appoint a DPO as in the original text of the LGPD only controllers had such obligation.
- In the original text of the Provisional Measure No. 869/18, the possibility for a natural person to review decisions made on the basis of automated processing is no longer accepted. However, the Conversion Bill disposed that the ANPD will regulate such situations based on the nature and size of the entity or the volume of data processing operations, establishing the situations in which the review will be made by a natural person.
- The Conversion Bill provides that in cases of unauthorized access or individual leaks there may be a direct conciliation between the controller and the data subject and, only if there is no agreement, the controller will be subject to the penalties of the LGPD.
- New penalties to be applied by the ANPD were created, namely: (i) partial suspension of the operation of the database to which the violation refers, for a maximum period of 6 months, extendable for the same period, until the controller regularizes the data processing activity; (ii) suspension of the exercise of the personal data processing activities to which the violation relates for a maximum period of 6 months, extendable for the same period; and (iii) partial or total prohibition of the exercise of activities related to data processing.
- The Provisional Measure provided the legal basis of health protection as a hypothesis for data processing, as long as it was performed by a health professional or by health entities. The final text of the Conversion Bill includes treatment by health professionals, health services or health authorities in said legal basis.
- The shared use of sensitive data between controllers in order to obtain economic advantage is allowed, but only when the purpose is the provision of health services, pharmaceutical assistance and health care, including auxiliary services for diagnosis and therapy, provided that it is in the best interest of data subjects.
- Operators of private health care insurance are expressly prohibited from carrying out data processing activities for the purposes of risk analysis, as well as for the exclusion of beneficiaries.
- The ANPD has now the competence to indicate deadlines and to edit standards, guidelines and differentiated procedures for startups, small companies and microenterprises, in order to facilitate compliance with the LGPD.
- Inclusion of two exception to data controllers' obligation to inform other agent with whom it has shared the contents about corrections, deletions or blocking of data requested by data subjects, which are (i) if the transfer is provenly impossible; and (ii) if such transfer entails a "disproportionate effort".
- The Conversion Bill added the possibility of processing public assessible personal data or data manifestly made public by the data subject, for new purposes, provided that the legitimate and specific purposes for such new treatment and the preservation of the rights of the data subject are duly observed, as well as the principles laid down in the LGPD.
- Inclusion of two exceptions to the prohibition of transferring data from public authorities to private entities, namely: (i) when there is a legal provision or the transfer is backed by contracts, agreements or similar instruments; and (ii) with the exclusive purpose of preventing fraud and irregularities or to protect the security and integrity of the data subject, provided that treatment is prohibited for other purposes.
- Public legal entities are prohibited to share personal data of a claimant who invoked the Law of Access to Information (Law No. 12,527/11).
- The National Council for the Protection of Personal Data and Privacy shall have the following structure: (i) five members of the Federal Executive Branch; (ii) one member of the Federal Senate; (iii) one member of the Chamber of Deputies; (iv) one member of the National Justice Council; (v) one member of the National Prosecutor's Office Council; (vi) one member of the Brazilian Internet Management Committee; (vii) three members of 'civil society' entities acting in relation to the protection of personal data; (viii) three members of scientific, technological and innovation institutions; (ix) three members of union confederations representing the economic categories of the productive sector; (x) two members of entities representing the business sector related to the area of personal data processing; and (xi) two members of representative entities of the labor sector, totalizing 23 members
Finally, it is worth noticing that the abovementioned aspects are the main changes provided by Conversion Bill No. 7/2019, however, there are several other smaller modifications
Subject to presidential sanction, Conversion Bill No. 7/2019 will be assessed by the President of the Republic in order to be turned into law.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.