Dear ItechLaw members,
Yesterday, on the 14th of August 2018, the President Michel Temer sanctioned the Brazilian General Data Protection Law (LGPD), which regulates the processing of personal data by individuals, private entities and public authorities.
The LGPD reproduces some of the central points of the General Data Protection Regulation (GDPR), an European regulation that became effective on May 25th, and which requires quite significant compliance measures by companies that process data or offer services to individuals in Europe. Similarly to the European legislation, the LGPD establishes the principle of extraterritoriality, that is, the Law also applies to companies based outside Brazil that treat data collected in the national territory or provide services intended for Brazilians.
The Bill of Law that originated the LGPD was widely discussed, for about 8 years, by various sectors of the Brazilian society, public agencies, specialists and companies and its approval means a major step forward for the country in terms of data protection. The new Law is expected to foster business and bring greater legal certainty to the relationships involving the processing of personal data.
Aiming at creating a more protective environment for consumer data, the new legislation bears relevant requirements and obligations, which definitely deserve the attention of data processing agents. These requirements include, for example, the need for free, specific and revocable consent of the data subject; facilitated access to information about the treatment; data subject right to demand correction or deletion of the data; and specific rules for international transfers.
The Bill of Law submitted to the approval of the Presidency was subject to certain vetoes, whose justifications were the public interest and the possible unconstitutionality of certain articles. Sections that prohibited the sharing of personal data by the government with private legal entities were excluded. The section that required publicity in the shared use of personal data among public law entities was also excluded, under the justification that there would be an impact on the activities of inspection, control and administrative police. Some of the administrative sanctions were excluded of the final text of the Law.
The most important veto, which was already expected, was related to the creation of the National Data Protection Authority (ANDP) and the National Council for the Protection of Personal Data and Privacy. Several Ministries, in addition to the Central Bank of Brazil, stood for the unconstitutionality of the respective articles, given that both the ANPD and the Council should be created by the initiative of the Executive Power. Therewith, it is expected that a Provisional Measure or a new Bill of Law will be published soon, to address this gap.
Once the Law is published in the Official Gazette, the agents of data treatment will have 18 months to adapt to the new rules.
Our Information Technology and Data Protection team remains available for additional information.
Fábio Luiz Barboza Pereira
Veirano Advogados - Brazil