By Leonardo Neri

After the Personal Data Law was enacted without due approval from the National Data Protection Authority (ANPD), some experts questioned the enforcement of the General Data Protection Law (LGPD), given that the sanctions provided for in the law would be prerogatives of the ANPD.

Although the sanctions provided for in the ANPD in no way prevent the recognition of civil liability as a legitimate right of people who feel harmed by a certain act, former President Michel Temer issued Provisional Measure (MP) No. 869/2018, which was published on December 28, 2018, creating the ANPD. A fundamental change brought about by MP 869/18 is the increase in vacatio legis of the LGPD from 18 to 24 months, which implies that the LGPD will only come into force in August 2020.

Another timely issue with the approval of the measure is the effectiveness of the application of administrative sanctions or the exercise of the rights provided for in article 18, regarding the provision to the user of data processed by the controller, which, in order to be exercised, depended on regulation.

In short, in addition to the points discussed above, the most important changes in the MP are the following:

1. Creation of the ANPD, which will be an integral body of the Presidency of the Republic and formed by five Directors appointed by the President of the Republic to serve a four-year term;
2. Establishment of a National Council for the Protection of Personal Data and Privacy, which will be formed by 23 representatives from different sectors, appointed by the President of the Republic for a two-year term, which may be renewed for one opportunity;
3. Possibility for companies to appoint a person in charge of compliance with the LGPD who is a legal entity;
4. Feasibility of sharing health data when the purpose is to provide supplementary health services, even when obtaining an economic advantage;
5. Reduction of transparency obligations and provision of information to the holder of personal data processed in compliance with a legal or regulatory obligation by the controller;
6. Exclusion of the need for review, by a natural person, of decisions taken solely on the basis of automated processing of personal data that affect their interests;
7. End of the provision that prevented private entities from accessing all personal data in databases used exclusively for public security and national defense; and
8. Increased possibilities that allow the Public Authorities to transfer personal data contained in databases to which they have access to private entities.

It is worth noting that, until the MP is converted into law, it is subject to possible changes and subsequent approval by the National Congress within a maximum period of 120 days.

Finally, it is worth highlighting that companies and public bodies have less than 20 months to adapt to the rules of the new law, with the creation of the ANPD, since failure to comply with it may result in the controller being held liable in the civil sphere.

1. Creation of the ANPD, which will be an integral body of the Presidency of the Republic and formed by five Directors appointed by the President of the Republic to serve a four-year term;
2. Establishment of a National Council for the Protection of Personal Data and Privacy, which will be formed by 23 representatives from different sectors, appointed by the President of the Republic for a two-year term, which may be renewed for one opportunity;
3. Possibility for companies to appoint a person in charge of compliance with the LGPD who is a legal entity;
4. Feasibility of sharing health data when the purpose is to provide supplementary health services, even when obtaining an economic advantage;
5. Reduction of transparency obligations and provision of information to the holder of personal data processed in compliance with a legal or regulatory obligation by the controller;
6. Exclusion of the need for review, by a natural person, of decisions taken solely on the basis of automated processing of personal data that affect their interests;
7. End of the provision that prevented private entities from accessing all personal data in databases used exclusively for public security and national defense; and
8. Increased possibilities that allow the Public Authorities to transfer personal data contained in databases to which they have access to private entities.