Legislation defines the entry dates, in which the LGPD shall come into effect and for the creation of the National Authority

On the night of 05.29.2019, the Brazilian Senate approved Conversion Bill No. 07/2019 that alters Provisional Measure No. 869/2018 ending with the remaining uncertainty, regarding the creation of the Data Protection Nacional Agency (“ANPD”) and the vacatio legis of the new law, set for August 16, 2020.

Based on the approval of the new wording of the law, the ANPD will be composed by a Counsel of five members appointed by the Executive Power and then approved by the Senate. The counselors will have full technical and decision-making authority granted by the new wording of the law. There is also the possibility that such authority could be converted into a federal autarchy within two years.

Among other changes, it should be highlighted that the appointment of a Data Protection Officer (“DPO”) is no longer mandatory; the decision resting upon future council to establish the cases in which the companies shall name an officer. Moreover, the approved new wording also determines that the DPO should have unquestionable “juridical/regulatory knowledge,” regarding the activities that he will perform, furthermore, specifying the prerequisites of such position. It should be pointed out that the DPO can be an individual or a corporate entity and must act as the link between the ANPD, the owners of the personal data, and the processing entity to which he belongs, that can be classified as an “operator” or a “controller,” according to the grounds of the General Personal Data Protection Law (“LGPD”).

The sanctions that were previously vetoed by Provisional Measure No. 869/2018 were reinserted in the LGPD, according to the terms established by the new wording. The ANPD can now apply sanctions to the companies that do not comply with the LGPD. This includes the following: (A) the partial suspension of usage of the data bank or the processing activities and/or (B) the prohibition, partially or in full, of the processing activities that violate the principles of the LGPD. Adding these sanctions brings the LGPD closer to the Internet Civil Act approved in 2014.

Other alterations approved by the new redaction grant flexibility of the rules for data processing from companies in the health sector and the obligation of possibly reviewing automatized decisions by individuals.

There is a little more than one year left before the LGPD comes into force. Furthermore, the newly defined national authority still has to be formed and establish the necessary regulations that the law left blank, granting more legal certainty and foreseeability to those involved, while allowing enough time to adapt to the new legislation.