As predicted even before Covid-19, the Senate today unanimously approved the postponement of the application of sanctions linked to the General Data Protection Law (LGPD) which deals with the processing and protection of personal data.
In a remote session held today, Friday, April 3, the parliamentarians decided that the legal penalties for non-compliance with the rules can only be applied from August 2021, one year after the deadline originally approved by the government.
The postponement is part of a bill by senator Antonio Anastasia (PSD-MG), presented on Tuesday, 31, which called for the postponement of the law's validity to February 2022. After repercussion in recent days, however, the rapporteur of the bill, Simone Tebet (MDB-MS) decided to make a new proposal in her opinion: in the text, the beginning of the law will be set in January 2021, therefore it enters into force on that date. Administrative sanctions on companies, however, will only take effect in August 2021.
The proposal is a compromise in face of the protests that have emerged in recent days. In a manifesto, a group of 13 media entities asked for the law not to be postponed, but for the sanctions provided for companies to be applied only from August 2021, as stated in the text.
Now, the text goes to the Chamber of Deputies, where, if approved, it must still pass through the sanction of President Jair Bolsonaro. According to the state, with sources close to the subject, there is little chance that the text will be altered in the Chamber, since it is part of a project already discussed by the Senate, with proximity to the other house of Congress and to the Judiciary.
Who will regulate the LGPD?
The supervision and regulation of the LGPD will be under the responsibility of the National Authority for the Protection of Personal Data (ANPD). These are essential tasks for the national authority to act as an agency at the service of the citizen. The authority will also be a link between society and government, allowing people to send questions, suggestions, complaints related to the LGPD for investigation.
It will also have an important role in guiding and supporting government bodies and companies in relation to situations in which they may or may not process personal data about citizens. ANDP's proposal is to guide, guide and guide, preventively. After that, inspect, warn and, only after all that, penalize, if the LGPD continues to be breached.
It is worth noting that the “success” of LGPD and ANDP in the country depends on the adoption of the law by each government agency, each company. And, to reduce disparities, it is essential that everyone works together. This is the only way for the law to “get it” and then respond to the social outcry for more protection of personal data.
ANPD Autonomy
The ANPD, which is currently being formed, will be linked to the Presidency of the Republic and will have technical autonomy guaranteed by law. The authority will have the support of the National Council for the Protection of Personal Data and Privacy. The board will be composed of 23 unpaid members, with a two-year term, from different sectors: six from the Federal Executive Branch; one from the Federal Senate; one from the Chamber of Deputies; one from the National Council of Justice; one from the National Council of the Public Prosecutor's Office; one from the Brazilian Internet Steering Committee; four from civil society with proven experience in the protection of personal data; four from scientific, technological and innovation institutions; and four from entities in the business sector linked to the area of personal data processing.
It is worth remembering that the creation of the national authority was provided for in the General Law on the Protection of Personal Data, sanctioned in August 2018 by President Michel Temer. However, the provision of the law that created the ANPD was vetoed by Temer, who later, in December 2018, recreated the authority, through a provisional measure, approved in May 2019 by the Chamber of Deputies and the Senate, and sanctioned in July 2019 by the President of the Republic.
Check out 5 points to understand more about the LGPD:
1 – Objectives: the main goal is to guarantee the privacy of the personal data of individuals, the owner of the personal data and allow greater control over them. In addition, the law creates clear rules on the processes of collection, storage and sharing of direct or indirect information, helps to promote technological development in society and consumer protection itself.
2 - Data Protection Officer: from now on, organizations must establish an Information Security Committee to review internal procedures. Within this body there will be an exclusive professional for data protection and responsible for complying with the new law.
3 – Reduction of risk exposure: here is the step of implementing measures to protect personal data at the company's base. They can be security, technical and administrative, which prevent, combat or minimize the loss or unavailability of information assets due to threats that act on some vulnerabilities.
4 – Adoption of Privacy by Design: covers protection from the conception of the product or system, being directly incorporated into the technological structures, the business model and the physical infrastructure. In other words, privacy is present in the architecture itself, allowing the user to be able to preserve and manage the collection and treatment of their personal data.
5 – Fines: the new law provides sanctions for those who do not have good practices. They include warnings, fines or even the total or partial prohibition of activities related to data processing. Fines can range from 2% of the previous year's sales to R$ 50 million, including daily penalties.
Click here to read Law No. 13,853.
we are the 4Matt Technology, experts in Software Governance and CCoE, Cloud Center of Excellence. Talk to us, access our social networks or search our article databases.
Tag: Postponement of the LGPD, Entry into Force of the LGPD, National Data Protection Authority, Processing of personal data, Personal Information, Internet Civil Rights Framework, Access Law, Data leak, Data processing, Start of Validity, Validity of the LGPD.