The final version of Brazil’s data protection law, Lei Geral de Proteção de Dados (LGPD), was approved by the Brazilian Federal Senate in May 2019 and sanctioned by President Jair Bolsonaro in July. The LGPD is now scheduled to become effective in August 2020.
When the LGPD was first approved by the Senate in August 2018, former President Michel Temer vetoed, on constitutional grounds, the LGPD’s provisions creating a national data protection authority to oversee and enforce the law. In December 2018, President Temer issued Provisional Measure No. 869, which provided for several amendments, including new provisions for the creation and structure of the National Data Protection Authority (ANPD). Before sanctioning the law, President Bolsonaro also weighed in on several provisions.
Key updates to the LGPD are provided below. For a full summary of the LGPD, see our previous post, available here, which has now been updated.
The LGPD will now become effective on August 16, 2020.
Creation of the ANPD
Oversight and enforcement of the LGPD will now be controlled by the ANPD, a federal entity directly linked to the office of the President that will be responsible for issuing guidance, reviewing data protection complaints, overseeing compliance and enforcing sanctions under the LGPD. The President will appoint five members to the Board of Directors, who will have primary decision-making power within the ANPD. The ANPD will also include an advisory body made up of representatives from various industries and sectors.
Notably, the ANPD has also been granted authority to establish separate guidelines, rules and deadlines applicable to start-ups and other small businesses to facilitate compliance with the LGPD.
Appointment of DPO
The obligations to appoint a data protection officer (DPO) under the LGPD now apply to both controllers and processors. DPOs are expected to serve as the liaison between data subjects, companies and the ANPD.
Personal Health Data Processing
The amendments to the LGPD include broader exemptions for processing sensitive personal data categories when the processing is for medical and health services. However, processing of sensitive personal data is prohibited when carried out for purposes of underwriting health insurance or selecting beneficiaries.
Automated Decision-making – No Human Review Required
Under the draft version of the LGPD, data subjects had a right to request a review by humans of any automated decision. However, the updated law will not require this review to be completed by humans.
Penalties: Suspension from Processing
The final version of the LGPD provides that the ANPD may penalize noncompliant companies with temporary and, in some instances, permanent suspension from data processing activities.