After the presidential sanction held yesterday, today, August 15^th, 2018, Law No. 13.709/2018 (“GLDP”) was published in the Official Federal Gazette. Such Law rules the protection of personal data and amends Law no. 12.965/2014 (Brazilian Civil Rights Framework for the Internet).

As expected, the Law contains vetoes to several articles, among which we highlight the followingt:

• Articles 55 to 59, which determined the creation of the National Data Protection Authority (“NDPA”) and the National Council for the Protection of Personal Data and Privacy (“NCPPDP”), as well as their respective attributions. Such articles were considered to be unconstitutional, due to their creation by the Legislative;

• Items VII, VIII and IX of article 52, which provided the following administrative sanctions: (i) partial or total suspension of the functioning of the database to which the violation refers, (ii.) suspension of the activities related to data processing and (iii.) partial or total prohibition of activities related to data processing;

• Item II of article 23, which provided, as a condition for the processing of personal data by legal entities governed by public law with legal entities of private law, the preservation of data related to a party who request access to information, under the Brazilian Law of Access to Information;

• Item II of § 1º of article 26, which determined that Public Authorities would be authorized to proceed with data sharing with legal entities of private law supported in legal provisions and in settlements, conventions or similar instruments. The reason for the veto consists in the unfeasible operation of the Public Administration, since several procedures are already detailed in infralegal normative acts.

• Article 28, which provided that the communication or shared use of personal data between authorities governed by public law would be subjected to publicity, under item I of the caput of article 23 of GLDP, to protect the regular exercise of public action such as inspection, control and administrative police.

Although relevant, these vetoes do not affect the main data protection rules provided by the Law. The vetoes tend to pass through the National Congress, and thus the gaps arising from the vetoes tend to be clarified through a Provisional Measure or another bill of law.

Besides that, although the veto to some administrative sanctions, it is still provided relevant sanctions for the hypothesis of noncompliance with the Law, including an eventual fine that may reach R$ 50 million (fifty million Reais) per infraction.

The full text of the Law can be found in this link, as well as the justifications for the vetoes.

Feel free to contact us should you need further information on this matter.