The National Congress approved yesterday, May 29, the bill of conversion of Provisional Measure 869/2018, which deals with amendments to the General Law of Data Protection - LGPD, which is not yet in force. Despite following the provisional measure closely, the new law brought some sensitive changes to the LGPD. We highlight the main ones:
Health: the processing of personal data for health protection is now justified for "health services" in general, not just health professionals and health entities, and sensitive health data may be shared for health services, pharmaceutical assistance or health care, even for economic purposes - it is prohibited for health insurance providers to use it for risk selection and the hiring or exclusion of beneficiaries.
Public data: publicly accessible data or data made public by the data subject may be used for purposes other than their original purpose, provided that the legitimate and specific purposes for the new treatment and the preservation of the data subject's rights are observed.
Research: Processing of personal data for research is again justified only for private non-profit entities, so private research in companies will need to rely on other legal grounds for data use, such as express consent. Health research may be affected, as the law does not provide authorization for sensitive health data to be shared in research for economic purposes.
Algorithms: human review of decisions made automatically by algorithms to define personal, professional, consumer and credit profiles or aspects of a holder's personality, among others, was guaranteed, in the form of ANPD regulations.
Officer: the data protection officer - also known as the "DPO" - should be endowed with specific legal and regulatory knowledge about data protection and have guaranteed autonomy in his or her actions. The law also provides for the regulation of the hypotheses in which an entire economic group may appoint a single officer for all the companies that comprise it and the hypotheses in which data operators need to appoint an officer - something that already occurs in European legislation.
Start-ups: the National Data Protection Authority - ANPD will be required to issue a specific and more beneficial regulation for micro and small enterprises and self-declared start-ups in the form of the new Complementary Law 167/2019 that deals with simple credit companies and Inova Simples.
ANPD: also with regard to the ANPD, it has received several new powers to act more actively in the interests of the data subjects, with technical and decision-making autonomy, approximating the powers of the vetoed text of the LGPD and the European legislation. The ANPD's Board of Directors received guarantees for independent performance - the directors appointed by the president will be submitted to a trial by the Federal Senate and may not be expelled from office during the four years of their term, except by final and unappealable court decision or through disciplinary administrative proceedings. Finally, it remains linked to the direct federal administration, but there are provisions for its transformation into a special autarchy after two years of effectiveness of the law.
CNPD: the National Council for Data Protection and Privacy - CNPD, an advisory body acting in conjunction with the ANPD, now has one less representative from the State and one more representative from the private sector, and now the trade union confederations and entities from the labour sector will also appoint representatives, not only the entities from the business sector.
Penalties: in addition to fines, the LGPD now also provides for cumulative penalties of suspension of the use of databases, suspension of data processing activities for up to one year and prohibition of the exercise of specific activities that infringe the law and violate the privacy of data subjects.
It is estimated that the new law will be sanctioned in early June this year and, with that, the LGPD will come into force in August 2020, as expected.
