On 14 August 2018 Brazil approved its new General Data Privacy Law (Lei Geral de Proteção de Dados Pessoais or “LGPD”) – a comprehensive law that closely mirrors the European Union’s General Data Privacy Regulation (“GDPR”). Although the LGPD significantly expands Brazil’s data protection framework and places the country among the few jurisdictions that provide data privacy protections similar to those offered in the European Union, the new law did not create a data protection authority.
This issue was addressed on 28 December 2018 by the outgoing President Michel Temer, who signed a last-minute executive order (Medida Provisória no. 869/18) that made some important changes to the LGPD and most notably created the Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados or “ANPD”).
The Brazilian National Data Protection Authority
The ANPD is part of the federal government and linked to the office of the President of Brazil. From a technical and subject matter perspective, the ANPD is an independent entity, capable of freely evaluating and addressing data protection and privacy issues; however, its link to the office of the President of Brazil may raise the question of whether the ANPD will be more prone to political pressures than other Brazilian agencies that are not directly tied to the country’s administration.
With regard to the attributions of the ANPD, Section 55(j) of Executive Order no. 869/18 establishes that the ANPD has the authority to, among other things:
- Issue rules and regulations regarding data protection and privacy;
- Within the administrative sphere, exclusively interpret the LGPD, including cases in which the law is silent;
- Request information regarding the processing of personal data from data processors and controllers;
- Exclusively oversee and impose administrative sanctions for violations of the LGPD;
- Promote data protection and privacy within Brazilian society; and
- Develop studies regarding domestic and international data protection and privacy practices and establish partnerships with authorities from other countries to increase international cooperation.
Revision of the LGPD
Executive Order no. 869/18 also implemented other important changes to the LGPD, notably:
- The LGPD will only come into effect in August 2020, six months after the initially scheduled date of February 2020. While the LGPD is not in effect, the ANPD will have a consulting and collaborative function and will address questions and issues with the purpose of assisting the country in implementing and complying with the LGPD.
- The role of a Data Protection Officer (a requirement created by the LGPD) does not need to be performed by an individual. The position may be filled by an internal committee, department, or working group and may even be delegated or outsourced to third parties, such as specialized companies and law firms.
- Private entities are now able to process personal data related to public entities and matters of public interest, such as national security, defense, investigation activities, and application of penalties related to criminal offenses. This change will also allow private entities to process sensitive personal information linked to public entities.
- A data subject will continue to be entitled to have his or her information reviewed and/or rectified; however, the revision does not need to be carried out by an individual. The process can be accomplished by an automated system.
These changes should not impact the LGPD’s conformity with the GDPR or the European Union’s acceptance of the LGPD as a broad and encompassing data protection law.
The executive order entered into effect immediately; however, it must be voted into law by the Brazilian Congress within 120 days in order to continue to be valid and become permanent. In any case, discussions and speculation regarding if and when a national data authority will be created have now been addressed and companies should start making preparations to comply with the LGPD.