* Adriano Mendes
Expert Lawyer and DPO
On July 9, 2019, Law 13,853 / 2019 was published in the Official Gazette of the Union, amending and consolidating the General Law of Protection of Personal Data of Brazil (Law 13,709 / 2018).
As a result of the analysis and conversion of Provisional Measure 869/2019, the new Law maintained the creation of the National Data Protection Authority (ANPD) and allowed the Authority to expand its powers by including new items and working on the correct correction of some issues raised. in the original text of the LGPD.
Overall, both the inclusions suggested by Congress during the course of MP 869/2018, as well as the analysis and presidential sanction of Law 13.853 / 2019 were positive and show the government's interest in regulation and data protection, as well as the concern of all involved in creating text that minimizes doubts and applies to all types of companies and markets.
Unlike the European Union, which has had data protection laws for over 20 years, Brazil was still in the process of unifying its internal norms and understandings of the concepts already applied abroad and should now strive to ensure the same level. of protection from other countries.
Presidential vetoes were few and accurate.
Given the context of the legislation and powers of the National Data Protection Supervisor, the removal of the obligation for a human to review automated decisions under Article 20 (3) makes sense as it would be a higher cost for technology-based companies. The veto of this paragraph does not remove any direct or modify the principles of the Law, nor does it prevent the holders from asking for clarification and to resort to the applicable law in case of abuse or error in the decisions made.
“Art. 20
Paragraph 3. The review referred to in the caption of this article shall be carried out by a natural person, as provided for in the regulations of the national authority, which shall take into account the nature and size of the entity or the volume of data processing operations. ”(NR )
The processing of personal data by the Government also suffered a presidential veto in Art. 23, IV below:
IR & #8211; personal data of applicants for access to information are protected and preserved under Law No. 12,527 of November 18, 2011, forbidden to share it in the sphere of public power and with legal entities governed by private law.
Again, while still incipient in Brazil, the dialogue of sources and correction between the LGPD and the Access to Information Act and all other applicable rules will still depend on further adjustments and revisions.
Similarly, the new Law made it clear in Article 5. VII that the Data Protection Officer (DPO), responsible for data protection, shall be “the person appointed by the controller and operator to act as a communication channel between the controller, the data subjects and the National Data Protection Officer. Data (ANPD) ”. With this new wording, it is clear that DPO functions do not need to be performed by a single individual and that their professional relationship with the company can take many forms, in addition to direct employment through employment.
Accordingly, on the basis of Articles 37 to 39 of the European GDPR, the mere inclusion of Paragraph 4 of Article 41 would be detrimental. Thinking of a continental country like Brazil and the scope of the legislation, the mention of legal-regulatory knowledge already generated behind the scenes more fears than benefits to the controllers and operators.
“Art. 41
Paragraph 4. With respect to the person in charge, who shall have legal-regulatory knowledge and be able to provide specialized data protection services, in addition to the provisions of this article, the authority shall:
In our view, the vetoes to the new clauses of Article 52 were not beneficial in removing from the ANPD the possibility of the Authority exercising part of its Supervisory Power and enforcement, already provided for in other legislation such as the Internet Civil Framework and the Consumer Protection Code.
“Art. 52
X & #8211; partial suspension of the operation of the database to which the infringement refers for a maximum period of six (6) months, extendable for the same period, until the processing activity is regularized by the controller;
XI & #8211; suspension of the exercise of the activity of processing personal data to which the infringement refers for a maximum period of six (6) months, extendable for the same period;
XII & #8211; partial or total ban on data processing activities.
The same problem stems from the vetoes of Article 52, paragraph 3. Even aware of the preponderance of public over private interests, for such laws to work, their application must be isonomic and for all:
Art. 52
Paragraph 3. The provisions of items I, IV, V, VI, X, XI and XII of the caput of this article may be applied to public entities and bodies, without prejudice to the provisions of Law No. 8,112, of December 11, 1990, in Law No. 8,429, of June 2, 1992, and Law No. 12,527, of November 18, 2011.
There is also sense in the Presidential Veto made to article 52 sixth paragraph, since similar provision exists in Article 55-K of the approved Law:
Vetoed text:
Paragraph 6. The sanctions provided for in items X, XI and XII of the caput of this article shall be applied:
I & #8211; only after at least 1 (one) of the sanctions dealt with in items II, III, IV, V and VI of the caput of this article have already been imposed for the same specific case; and II - in the case of controllers submitted to other organs and entities with sanctioning powers, after hearing these organs.
Text kept:
“Art. 55-K The application of the sanctions provided for in this Law rests solely with the ANPD, and its powers shall prevail, as regards the protection of personal data, over the related competences of other entities or bodies of public administration.
Single paragraph. The ANPD will articulate its activities with other organs and entities with sanctioning and normative competences related to the subject of personal data protection and will be the central body for the interpretation of this Law and the establishment of rules and guidelines for its implementation. ”
Finally, the veto to Article 55-L, V is commendable so that it is clear that the ANPD shall not charge and establish fees or charges for the provision of its services. Access to the Authority and its services shall be free of charge:
“Art. 55-L ANPD's revenues include:
V & #8211; the product of charging fees for services rendered;
With the approval of Law 13.853 / 2019, Brazil is now definitely among the nearly 130 nations in the world that have some data protection legislation. With its concepts aligned with the European OECD and GDPR, this type of legislation will allow Brazil to treat data from natural persons from other countries and also ensure a higher level of protection for its citizens against new businesses that exploit data and information worldwide.
But there is still a lot of work. Via Presidential Decree, the 5 ANPD directors shall be appointed. Only then, with the formation of the ANPD, will start the work and issue guidelines that will regulate the market in the necessary adequacy and compliance that has already begun and should mature until August 16, 2020.
We hope that the next steps are safe and sound, so that the new rights of the holders and principles of the Law will be reflected in the other norms and that the application of LGPD in practice has the bias of education and never punishment.
Adriano Mendes, Data Protection Attorney, is a collaborator on Safeway consulting projects.
* The consolidated text of the LGPD will be available from 10/07 through the official link: http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/L13709.htm
Learn more about the LGPD:
