Impacts of changes in the General Data Protection Regulation

January / 2019

On December 27, 2018, Provisional Measure No. 869 (PM) was enacted, amending several provisions of the General Data Protection Regulation (GDPR) and creating the National Data Protection Authority (NDPA). The legislative bill that originated the GDPR already provided for the creation of the NDPA, but that provision was vetoed on grounds of possible unconstitutionality. However, many rules of the GDPR depend on regulation and supervision by the federal agency, and the alternative found was to institute the NDPA through the newly issued PM, remedying the gap left by the Regulation.

The initial expectation was that the agency would be created as an independent governmental agency. However, the NDPA was created as an agency of the direct administration and, therefore, with a lower degree of autonomy. The NDPA will have the authority to create regulatory standards for the GDPR, making it more effective. It will be the central body for interpreting issues related to the Regulation and will have exclusive authority to apply sanctions when data is processed in breach of the legislation. The PM also provides that the NDPA's activities be coordinated with the National System of Consumer Protection and with other agencies and entities concerned with the protection of personal data.

Another relevant change introduced by PM 869/18 was the increase of the GDPR's vacatio legis period from 18 to 24 months, meaning that the organizations and individuals targeted by the Regulation will have until August 15, 2020 to comply with the requirements of the GDPR.

In addition, the PM brought other changes, such as: 

  • Extension of the scope of application of the Regulation, so that the GDPR applies to those whose data processing activity has the objective of offering or providing goods or services, or of processing personal data of individuals located in national territory (previously the focus was restricted to personal data processed in national territory);
  • Possibility for legal entities to act as the data processing agent, the agent that acts as a channel of communication between the controller, data holders and the NDPA (the original wording of the Law provided only for this function being exercised by a natural person);
  • Expansion of the possibility of processing sensitive personal data in the health area, allowing the sharing of data for the adequate provision of supplementary health services, even when there is an economic advantage (the previous version of the GDPR prohibited the communication or sharing of sensitive health data with the objective of obtaining an economic advantage, except with the consent of the holder in cases of portability);
  • Decrease of transparency and disclosure obligations for the holder of personal data processed by the controller in compliance with a legal or regulatory obligation;
  • Exclusion of the need for review, by a natural person, of decisions taken solely on the basis of automated processing of personal data that affect their interests;
  • End of the provision that prevented private entities from accessing all personal data from a database used exclusively for public security and national defense; and
  • New possibilities of transfer by the Public Authority to private entities of personal data contained in databases.

Although the PM entered into force on the date of its publication, its conversion into law is subject to changes and subsequent approval by the National Congress within a maximum period of 120 days. Thus, this proposal will be considered by the new parliamentarians, who will take office on February 1, 2019.

Vernalha, Di Lascio, Mesquita & Associados is at the disposal of its clients for more information on the subject.