The Development: On July 8, 2019, Brazil enacted Law No. 13,853/19 outlining the final version of its General Data Protection Law.
The Purpose: The final bill introduces some important changes to the regulations established in the original version such as the creation of the enforcement authority.
Looking Ahead: The new law will take effect in August 2020. Brazil's new data-protection agency is expected to become operational in October 2019.
On July 8, 2019, the final version of the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais) (Law No. 13,709/2018) ("LGPD"), a statute regulating the processing of personal data in Brazil inspired by the General Data Protection Regulation (EU) 2016/679 ("GDPR") was finally approved.
The LGPD introduces some important revisions to the requirements established in the original text such as the creation of an enforcement authority—the National Data Protection Authority (Autoridade Nacional de Proteção de Dados) ("ANPD"). We have previously written on the scope and application of LGPD.
The ANPD was the missing piece to the data protection framework introduced by the LGPD and will be the Federal agency responsible for overseeing the data protection regulation.
Other important changes to the final language of the LGPD include:
- Grace Period: The new law will take effect in August 2020, which means that companies will have an additional six months to become compliant with the LGPD.
- National Interest: The LGPD is now considered a matter of national interest and shall also apply to the Federal government, the states, the Federal district, and municipalities.
- Data Protection Officer ("DPO"): A DPO—who acts as an intermediary between the controller, the data subjects, and the ANPD—now must be appointed by both thedata controller and processor. The DPO is no longer required to be an individual, thus, this role can be fulfilled by a third-party entity.
- Sensitive Health Data: While the communication or shared use of health-related data was only allowed for purposes of data portability upon the individual's request, now it is also allowed when used in connection with the provision of health services, pharmaceutical and health care assistance, including diagnosis and therapy services, or financial and administrative transactions resulting from the provision of such services.
- Direct Conciliation: Disclosures and unauthorized access may be resolved directly between the controller and the data subject. If no agreement is reached, the controller is subject to the penalties imposed under the LGPD.
- Commitment Term: The ANPD shall have the power to execute commitment terms with the controller and processor to eliminate irregularities, legal uncertainty, or litigation in connection with administrative proceedings.
- Penalties: The Brazilian President vetoed the language that required the partial or total suspension for up to six months from database operation, or the partial or total prohibition from carrying out data processing activities. The final version of the LGPD fails to provide for specific penalties in the event of a data breach; instead, it gives the authority to the ANPD to enact regulations and apply sanctions.
- Breach Notification Deadline: There is no specific deadline for data breach notifications. The controller shall notify the ANPD within a "reasonable time" from the occurrence of any breach that may result in a risk or damage to data subjects.
José Eduardo Pieri from Brazilian law firm Barbosa, Müssnich, Aragão coauthored this Commentary.
FIVE KEY TAKEAWAYS
- Companies now must prepare for compliance with the LGPD by August 2020.
- Companies processing Sensitive Health Data may now share this data when needed for the provision of services facilitating its processing.
- The ANPD will oversee and enforce the data protection regulations, and decide on which sanctions shall apply to violation of the LGPD.
- As a first resort before initiating enforcement proceedings, the ANPD may offer controllers and processors to enter into an agreement by which a commitment is reached to correct any irregularities found in connection with the law.
- Companies must notify instances of a personal data breach to the ANPD within a "reasonable time."