On this Tuesday (14/08/2018), Brazilian President Michel Temer sanctioned the Brazilian General Data Protection Law – LGPD with vetoes. The law, which establishes dispositions for data treatment operations made in Brazilian territory, will enter into force 18 months after its publication in the Official Federal Journal.

The articles regarding the creation of the National Authority on Data Protection – ANPD were vetoed by the president. According to an official statement during the sanctioning ceremony, President Temer will elaborate a project to the National Congress regarding this matter, since the LGPD does not have the sufficient attributions necessary to create the ANPD.

An analysis of the Brazilian Law’s dispositions clearly shows it took inspiration from the European Union’s General Data Protection Regulation – GDPR, which entered into force on May 25th of the present year. The strengthening of data protection regulations is a global trend, and will be able to foment economic and commercial ties between countries. An example of such ties is the agreement for the seamless transfer of data that was entered into by Japan and the European Union in July of the present year. Japan had its Act on the Protection of Personal Information – APPI amended in May 30th of 2017.

On this matter, the LGPD determines the need for the demonstration of the lawful bases for the data processing, such as the data subject’s consent, compliance with a legal obligation or the development of studies by research organizations, among other situations.

Nonetheless, the data subject shall have the right to access information regarding the data processing easily, with specifications on the purpose, manner and duration of the processing, as well as the identification of the data controller who is responsible for their data and the procedures. The data subject also has the right to withdraw their consent, with specific dispositions for the processing of data considered ‘sensitive’ and children and adolescent subject’s data.

Companies must also pay attention to the dispositions regarding the international transfer of data and the security and confidentiality of all data processes. Such significant changes must be taken into consideration for the intense process of policy and structural adaptation in the next 18 months, until the effective date the LGPD enters into force. In case of any infringement of the provisions established in the Law, the data processing agents will be subject to reprimands, fines of up to 2% of the company, group or conglomerate’s annual turnover, limited to R$ 50.000.000,00 (fifty million reais) for each infringement, besides blocking access to personal data and even the partial or complete suspension of all data processing activities, which could significantly harm companies’ operational flow and commercial activities.

We remain available for further information regarding the innovations brought by the Brazilian LGPD, as well as any necessary adaptations to data treatment procedures.