Congress has just approved Executive Order #869/2018, which now awaits presidential sanction

On May 29, 2019 Brazilian Congress passed Executive Order #869/2018, which establishes changes in the Brazilian General Data Protection Act and, primarily, provides for the creation of the National Authority for Data Protection (“NADP”). With the new rules, the Act will come into force in August 2020.

The NADP was designed as a body of the federal administration, linked to the Presidency. Despite that, the final wording attempts to grant the NADP with technical and decision-making autonomy and provides that the Authority’s design will be revaluated in a two-year period, when the structure may be changed into an independent regulatory agency model.

The new provisions grant NADP with a key role into enforcing Brazilian General Data Protection Act. Some of the Authority’s responsibilities are:

• issuing regulations and proceedings about personal data and privacy protection;
• requesting information, at any given time, from data controllers and operators;
• creating simplified tools, by electronic means, for the filing of complaints in cases of non-compliance in data treatment operations;
• inspecting and imposing sanctions in case of data mismanagement;
• disseminating into the society the knowledge about the rules and policies related to data protection as well as the security measures;
• promoting public consultations about matters related to data protection.

The new rules also created two NADP’s internal bodies: the Board of Directors and the National Council of Privacy and Data Protection. The Board will be composed by 5 members, Brazilian citizens, for a term varying from 2 to 6 years for the first members, appointed by the President and approved by the Senate. The Board is the top-level governing body, and its attributions include the drafting of the NADP’s bylaws and the appointment of mid ranking officials.

As for the Council, it will be composed by 23 members, appointed by several governmental authorities, such as the Congress, National Council of Justice and Public Attorney’s Office, and private entities, such as the Management Committee of Brazilian Internet and corporations in the field of data treatment. The Council’s attributions are, among others, proposing guidelines to be carried out by the NADP, preparing annual assessments, promoting studies about practices in personal data and privacy protection and disseminating into the society the knowledge about data protection and security measures.

Other relevant changes provided by the Executive Order #869/2018 include:

• Data Protection Officer. It is required that the DPO holds legal-regulatory data privacy background and it is now possible that companies linked into the same economic group assign one only officer, and that small entities may be waived from appointing one. In addition, the DPO may now be an individual or a legal entity.
• Health-related data. The new provisions softened the restrictions to health-related data treatment, which are considered “sensitive data”. On the other hand, the new regulation expressly forbids health insurance companies to use health-related data for risk assessment when signing up or excluding users.
• Review of automated decisions. The revision of automated decisions must be made by an individual person.
• The sanctions for data mismanagement now include full or partial suspension of the database operation and full or partial prohibition of the data treatment operation.

The new provisions represent a major step for providing legal certainty for users and companies, establishing a culture and a regulatory benchmark for data protection in Brazil. Now, it is important to keep track of the first steps to be taken by the Authority for the enforcement of the law. Meanwhile, the clock is ticking, and companies have until August 2020 to comply with the regulation.

In the past few years, our team has worked on some of the leading cases regarding data privacy and information security in Brazil, with successful results. For more information regarding the matter or to receive an English version of the Law, email us at dataprivacy@lickslegal.com.

‍