On July 9, 2019, Law n. 13.853/19 that creates the Brazilian Data Protection Authority ("ANPD") and modifies and consolidates Law 13.709/18 ("LGPD") was enacted. Below are the main modifications and vetoes brought by the Law:
1. Review of decisions taken solely by automated processing of personal data. A relevant vetoed provision was the one related to the possibility of review by a natural person of decisions solely taken by the automated processing of personal data. With the consolidated wording of the LGPD, the review of decisions taken solely by automated processing of personal data remains possible, nonetheless, without the obligation of such review being mandatorily conducted by a human being.
2. Information Access Law. Another vetoed provision related to the prohibition of data sharing, between the public sector and private companies, of personal data regarding data subjects that requested information access, as established by the Law n. 12.527/11 ("Information Access Law"). The rationale to veto this provision was the avoidance of legal insecurity, since several activities involving public policies may justify the sharing of personal data.
3. Data Protection Officer ("DPO"). It is no longer required for the DPO to have legal and regulatory knowledge. Further, the provision that the ANPD would regulate when one single DPO could be appointed for the entire group of companies was also vetoed.
4. Penalties. Finally, the penalties related to the possibility of partial suspension of the functioning of database and those related to the suspension or prohibition of the performance of data processing activities were also vetoed.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.