1. What is the status of the Brazilian Data Protection Law?
The Brazilian General Data Protection Law, also known as LGPD, was approved in August 2018. At that time, the creation of the Data Protection Authority was vetoed by President Michel Temer due to a formality issue.
On 27 December 2018, the Provisional Measure No. 869/2018 was issued, amending some aspects of the LGPD and introducing the most relevant change by creating the Brazilian Data Protection Authority. The provisional measure was review pending by the National Congress and was finalized by the approval of the Brazilian Federal Senate on May 29, 2019, following for the presidential sanction.
2. When the LGPD comes into force?
The LGPD will come into force in August 16, 2020.
3. What are the main changes of the final text of the Brazilian Data Protection Law?
We consider ten main points as the most relevant changes in the final version of LGPD:
- Indication of a DPO by the Processor: The need for some processors to appoint a DPO to process personal data, in the cases provided for by future ANPD regulations.
- Use of public access data: Use of publicly accessible data for other purposes than those initially envisaged, provided that the legitimate and specific purposes are observed, as well as the grounds and principles set out in the LGPD.
- Flexible data processing for the protection of health: The processing of personal data – including sensitive data – can now also be justified for the protection of health in procedures carried out by “health services”.
- Possibilities of sharing health data for economic purposes: Permission to share health data for pharmaceutical care and health care, as long as it relates to data portability and transactions related to the use and provision of health services, to the benefit of the interests of data subjects.
- Prohibition of the use of data by health care insurance companies to select risks and clients: Prohibition of the practice of risk selection, by the operators of private health care plans, in the contracting of any modality, as well as in the contracting and exclusion of beneficiaries.
- Review of automated decisions by natural person: As initially envisaged by the LGPD, the review of automated decisions will have to be done by a natural person under future regulation.
- DPO qualifications: The DPO shall be the holder of legal and regulatory knowledge and able to provide specialized services in data protection.
- New sanctions: Inclusion of sanctions that had previously been vetoed during the presidential sanction of the LGPD, such as partial suspension of the operation of the database, suspension of data processing activities, and total or partial prohibition of the exercise of activities.
- Legal nature of the National Data Protection Authority (ANPD): The ANPD will have a transitory legal nature and may be converted into an indirect federal public administration entity within two years of its operation.
- Decision-making autonomy to the National Data Protection Authority (ANPD): Guaranteed decision-making autonomy for ANPD.
4. What should foreign organizations pay attention to while doing business with Brazil?
As in the GDPR, one of the most relevant aspects of the LGPD is the principle of extraterritoriality and the possibility of law enforcement when the processing of Brazilian citizens occurs. It is important to note that foreign companies that have a branch in Brazil must be aware of the legal provisions, to start the implementation project to demonstrate compliance with the law.