On July 9th, Law No. 13,853/2019, which amended Law No. 13,709/18 (the General Data Protection Law - LGPD), was published in the Official Gazette. The main changes are summarized below:
Data Protection Officer: this may be an individual or a legal entity, contrary to what was established in the original text of the LGPD, according to which this role could only be exercised by an individual. In addition, operators must also appoint a person in charge, as defined in article 5 of the LGPD. However, article 41 of the LGPD has not been modified and continues to provide that only the controller should appoint the person in charge. The text submitted for presidential approval provided that the scenarios in which the operator should appoint the responsible party would be regulated by the National Data Protection Authority (ANPD). As this section was vetoed by the President of Brazil, it is not clear when the operator should appoint a responsible party.
Health sector: with respect to the legal framework for the processing of personal data, including sensitive data, wording has been added providing that health services or health authorities, in addition to health professionals, may also process personal data in order to safeguard the health of the data subject. Regarding the prohibition of shared usage of sensitive data among controllers of sensitive health data seeking an economic advantage, the wording added cites as an exception health and pharmaceutical assistance services – conducted in the interests of the data subjects in order to allow data portability and financial and administrative transactions resulting from the use and rendering of health services. Also, very relevant wording has been added for health plans, prohibiting the operators of these plans from processing personal data to manage risks in the acceptance and exclusion of beneficiaries.
Rights of data subjects: The old wording of the LGPD provided that the data controller must report any correction, elimination, anonymization, or blocking of data to the processing agents with whom they shared it, for them to perform the same procedure. According to the addition made to the original wording, the responsible party is not required to carry out such reporting in cases in which it is proved impossible or involves disproportionate effort. Regarding the right to review decisions made on the basis of automated data processing, the original wording provided for the review to be done by an individual. Presidential Decree No. 869/18 had excluded the need for review by an individual, and the new wording maintained this exclusion.
Data processing by Public Authorities: with regard to the shared usage of personal data by Public Authorities, items were added to the first paragraph of article 26 in order to provide that Public Authorities may transfer personal data included in databases to which they have access in the following cases: when required by law; when the transfer is supported by contracts, agreements, or similar instruments; or if the purpose is the prevention of fraud and irregularities, protection of the safety and integrity of the data subject, with any treatment for other purposes being prohibited.
Penalties: In cases of violation of the LGPD, the provision for penalties applicable to entities and public bodies listed in paragraph 3 of article 52 was excluded. In addition, a paragraph was also added to provide that the amount collected via penalties applied be allocated to the Fund for the Defense of Diffuse Rights, provided for in the Public Civil Action Law and the law that created the Federal Governing Council of the Fund for the Defense of Diffuse Rights. Lastly, paragraph 7 was added to article 52, providing that individual data leaks could be the subject of direct reconciliation between controller and data subject, and only in the absence of an agreement may the controller be subject to the penalties provided for in the LGPD.
The National Data Protection Authority (ANPD): the ANPD was created, initially as a part of the executive branch overseen by the President of Brazil. Its legal nature as a body of the federal public administration must be reassessed after a period of two years. Various duties assigned to the ANPD were also added, such as preparing guidelines for the National Policy for the Protection of Personal Data and Privacy; executing settlements with processing agents to eliminate irregularities, legal uncertainty or litigious situations; promulgating simplified and differentiated standards, guidelines, and procedures (including deadlines) for micro and small businesses, as well as business initiatives of an incremental or disruptive nature that declare themselves to be startups or innovation companies, to guarantee their adaptation; and ensuring that data processing for the elderly is carried out in a simple, clear, and accessible manner.
Click here to see our table providing a complete comparison of the original wording of the LGPD, Presidential Decree 869/18, and Law No. 13,853/19: