LGPD: The Latest Updates to Brazil’s Data Privacy Law
The final version of the General Data Protection Law (LGPD) was ratified by the Brazilian Federal Senate in May 2019 and signed into law by President Jair Bolsonaro in July 2019.
When the LGPD was first passed by the Brazilian Senate in August 2018, the then President, Michel Temer, vetoed on constitutional grounds the law’s provision for setting up a federal data protection authority to oversee and implement the regulation.
The LGPD is now scheduled to come into effect on August 16, 2020.
Some of the key changes incorporated into the final version of the LGPD include:
- The establishment of the National Data Protection Authority (ANPD)
- A review of automated decisions
- The handling of personal health information
- Administrative sanctions
- The role of the Data Protection Officer
The Establishment of the National Data Protection Authority
In the final version of the LGPD sanctioned by President Jair Bolsonaro, the National Data Protection Authority is anchored in the Office of the President.
However, the law provides for this arrangement to be revised within two years of the LGPD coming into force, with the aim of giving the ANPD more autonomy.
The primary duties of the ANPD include:
- Ensuring compliance with the LGPD
- Receiving and resolving data subjects’ complaints
- Performing audits
- Providing support services to businesses so they can understand and prepare for the circumstances that will arise when the LGPD comes into effect
A Review of Automated Decisions
Under the draft version of the LGPD, a data subject who wanted a decision reached solely by automated means to be re-examined had the right to ask the company to have a human agent carry out the review.
However, the final version of the LGPD eliminates the requirement that automated decisions be reviewed by a human agent.
This provision differs from Article 22 of the GDPR, which grants consumers the right to human intervention in the review of automated decisions.
The Management of Personal Health Information
The final version of the LGPD not only establishes the protection of health data but also covers the procedures used by health service providers, health professionals and sanitary agencies.
For this reason, the LGPD prohibits the sharing of specific types of sensitive personal information, except if:
- the information is crucial to the delivery of healthcare or pharmaceutical assistance
- it is beneficial to the welfare of the data subject
- it is not intended for use by private health insurers to assess contract risk or to add or remove beneficiaries
- it is for the purpose of either data portability requested by the data subject or financial transactions resulting from the receipt of healthcare services
The Role of the Data Protection Officer
The initial draft of the LGPD provided for the appointment of a Data Protection Officer (DPO) with a legal and regulatory background in data protection. Essentially, a DPO was required to have extensive knowledge of both the LGPD and the EU’s General Data Protection Regulation (GDPR). See the Key Similarities and Differences between LGPD and GDPR here.
However, President Bolsonaro amended this provision, arguing that the requirement would amount to an overly rigorous qualification, would be contrary to the public interest, and would violate fundamental rights.
The bill signed into law also provides for the appointment of the DPO by the data controller, which is different from the procedure employed in appointing Data Protection Officers under the GDPR.
Another crucial update is that the requirement to appoint a Data Protection Officer under the LGPD now applies to both controllers and processors. Primarily, DPOs are expected to act as the link between data subjects, businesses, and the ANPD.
Administrative Sanctions
Although the regulatory penalties remain unchanged in the final version of the LGPD, it is still important to highlight them.
The LGPD’s administrative sanctions include:
- A warning, with an indication of the deadline for adopting corrective measures
- A fine of up to 2% of the previous year’s revenue, capped at 50 million reais per violation
- A daily fine, subject to the same cap
- Public disclosure of the violation once it has been duly investigated and confirmed
- Erasure of the personal information related to the violation in question
In addition, the LGPD provides that the ANPD may sanction non-compliant companies with temporary, and in some cases permanent, suspension of their data processing activities.
Our detailed LGPD summary gives you a simplified yet comprehensive breakdown of the key provisions of Brazil’s data protection regulation.
For personalized LGPD compliance support, book a call with us today to speak with a data privacy and security expert.
Download your free LGPD e-book and have it delivered directly into your inbox.
See how businesses can prepare for Brazil’s Data Protection Law here.