Data Protection

Brazil has recently seen im­portant developments in its data protection regulation. The country’s fragmented regulation – which revealed a lack of legal certainty – had its expiration date set with the publication of the LGPD – the Brazilian General Data Protection Law, in August 2018. The newly-approved and principle-infused Act modernizes data protection in Brazil as it su­persedes the current fragmented regulations and establishes a comprehensive unified system for the protection of personal data. However, a change this im­portant is never straightforward and the months following the pu­blication of the new law created additional concerns, which only now are beginning to clear.

Entry into force

An initial concern was the fact that then President Michel Te­mer vetoed the articles referring to the creation of a National Data Protection Authority (ANPD). As the LGPD was heavily inspired by the European model, the Autho­rity would have an essential role in the protection systems created, ranging from guidance to moni­toring, and from regulation to en­forcement. The veto was justified by noncompliance with legisla­tive formalities and President Temer immediately promised to properly recreate the authority.

On December 28, 2018, President Temer finally fulfilled his pro­mise and enacted a Provisional Measure (“PM”) with several pro­posed amendments to the LGPD, two among which should be men­tioned: (i) the creation of the na­tional authority, with significant changes regarding its nature, le­gal framework and functions; and, (ii) the postponement of entry into force of all substantive articles of the LGPD to Au­gust 15, 2020.

Conversion of the Provisional Measure

Following a lengthy discussion before the Brazilian congress, which included over 170 amend­ment proposals, the PM was ap­proved and sent to presidential sanction. After the two exten­sions permitted by law, the Pre­sident sanctioned the PM into Law on July 8th, 2019 with few modifications: creation of the ANPD as a federal public administrative entity for the first two years; reestablishment of ANPD’s res­ponsibilities such as conduc­ting audits, issuing regulations and standards procedures, draf­ting data protection impact as­sessments, legal construction of LGPD, among others; prohibition of health data pro­cessing by private health care plans with the purpose of practi­cing risk elimination in any mo­dality; maintenance of the review of decisions made solely by au­tomated pro­cessing of the personal data; revocation of the need for le­gal knowledge by the Data Protection Of­ficer (“DPO”), which enables the appointment of professionals from different areas.

State of play

As of now, the deadline is set. In addition, there is hope that the National Authority will be ful­ly implemented in time to tackle existing legal gaps and to provide enough guidance to all those im­pacted by the LGPD. It seems that, at last and despite all the obstacles, Brazil is on track to implementing a solid data protection regime.

ABOUT THE AUTHORS

Claudio Barbosa: Senior partner. Head of the Data Protection Commission at the Brazilian Intellectual Property Association (ABPI). LL.M. in International Law from Universidade de São Paulo (USP); LL.M. in Intellectual Property Law, George Washington University, Law School; S.J.D. in Commercial Law, USP.

E-mail: claudio.barbosa@kasznarleonardos.com  Phone: +55 11 2122 6604

Larissa Martins: Associate. Holds a post-graduate degree in Intellectual Property from Fundação Getulio Vargas (FGV); and a short-term intensive course in Data Protection from FGV.

E-mail: larissa.martins@kasznarleonardos.com  Phone: +55 11 2122 6600