After 176 amendments were presented and various public hearings were held, the joint committee formed by senators and deputies to review the Executive Order (MP) 869/2018, which amended Law No. 13,709/2018 (General Law on Data Protection - LGPD), voted on May 7 in favor of approval of the wording proposed in the report by Deputy Orlando Silva, also rapporteur for the special committee that approved the bill that originated the LGPD.
With the wording approved by the joint committee, MP 869/2018 will now proceed to a vote by the Chamber of Deputies and, later, the Federal Senate. If approved, the text will proceed to presidential signature and be converted into law.
According to what was proposed in the report, the main changes to the LGPD will be the following:
Health area: With respect to the legal bases for the processing of personal data, including sensitive data, wording has been added so that, in addition to health professionals and health entities, health services may also process personal data for protection of the data subject's health. Regarding the prohibition of shared use among controllers of sensitive personal health data for the purpose of obtaining economic advantage, the wording proposed cites as an exception the provision of health services and pharmaceutical assistance, to the benefit of the interests of the data subjects and to enable data portability and financial and administrative transactions resulting from the use and delivery of health services. Also, very important wording has been added for health care plan operators, prohibiting them from processing personal data for risk selection when contracting with and excluding beneficiaries.
Data subjects' rights: The current wording of the LGPD provides that the data controller must report correction, elimination, anonymization, or blocking of data to the processing agents with whom they have shared it, for them to perform the same procedure. According to the proposed addition to this wording, the person responsible will not need to carry out such reporting in cases where this is demonstrably impossible or involves disproportionate effort. Regarding the right to review decisions made on the basis of automated data processing, the proposed wording provides for the review to be done by an individual, as provided for in regulations by the Brazilian authorities. These rules should take into account the nature and size of the processing agent or the volume of data in the processing operations.
Penalties: In cases of infringement of the LGPD, the proposed wording also adds the penalties of partial suspension of the operation of the database; suspension of the exercise of the processing of personal data; and partial or total prohibition on the performance of activities related to processing of data. These penalties will only apply in cases of repeat offenses. A paragraph was also added to provide that the amount collected via the fines applied be allocated to the Fund for the Defense of Diffuse Rights, provided for in the Public Civil Action Law and the law that created the Federal Management Council of the Fund for the Defense of Diffuse Rights.
National Data Protection Authority (ANPD): The ANPD's link with the Presidency of Brazil and its legal nature as a body of the federal public administration should be re-evaluated after a two-year term. Various attributions were also added to the ANPD, such as preparing guidelines for the National Policy for the Protection of Personal Data and Privacy; entering into commitments with processing agents to eliminate irregularities, legal uncertainty, or contentious situations; promulgating simplified and differentiated standards, guidelines, and procedures (including deadlines) for micro and small businesses to adapt; and ensuring that data processing for the elderly is carried out in a simple, clear, and accessible manner.