Data protection rules in Brazil still in flux as lawmakers offer flood of proposed amendments
7 February 2019. By Rodrigo Russo.
Decisions on which data protection rules will be enforced in Brazil and a model for the supervising agency are still far from certain, as lawmakers this week offered amendments to the December presidential decree creating the authority.
Former President Michel Temer approved Brazil’s data protection law last August, but vetoed important provisions of the bill, such as the creation of an independent data protection authority.
In his final days in office, Temer signed a presidential decree to create the agency, with his favored design putting it under control of the presidency, and to make changes in the bill approved by the Congress.
Such a presidential decree, however, needs Congress’ approval to become law. And the new lawmakers who took office Feb. 1 haven’t been shy in proposing amendments to Temer’s proposal.
Between yesterday and today, 61 amendments already have been submitted. The deadline for proposing changes is Feb. 11; lawmakers will then have until April 4 to approve the proposal and any amendments, which would then become law. If the deadline passes without action, Congress will be unable to vote on other matters until it addresses the decree and proposed changes.
Proposed amendments suggest changes on a host of issues. As currently written, the data protection legislation is to go into effect in August 2020. Senator Oriovisto Guimarães, however, considers this date to be too far off, and is proposing it be implemented this August.
Many lawmakers, including Deputy Orlando Silva — who led the efforts to approve the bill in the House — have proposed having the format of the data protection authority return to the independent model originally set forth in the vetoed provision. Silva's proposal pointed to international best practices.
“The international personal data protection standards suggest an agency with autonomy and financial, administrative, and technical independence. The main benefits of such a model are the consistency of interpretation, legal-technical expertise, regulatory certainty and the necessary independence to act with efficiency and to balance all rights, duties and interests at stake,” Silva wrote* of his reasons for submitting an amendment.
Deputy André Figueiredo pointed out that Brazil is working toward membership in the Organisation for Economic Co-operation and Development, which demands that countries have an independent data protection authority.
“As is, this decree leaves Brazil far from what foreign nations require for data flows. If approved, it would be difficult for the Brazil model to be recognized as adequate under international standards, and this could impact the national economy,” Figueiredo wrote.
Lawmakers are also challenging Temer’s assertion that data protection officers don’t necessarily need to be individuals, and that DPO services could be provided by companies. Some are offering new provisions to clarify rights and duties of DPOs.
Hoping to enhance legal certainty on data protection matters, one of the proposed amendments suggests they should be considered a matter of national interest — therefore, no Brazilian state or city could create local regulations about the subject. There are currently more than 10 state and city-level draft bills to create local data protection bills.
A proposed amendment requiring data-related lawsuits be suspended while the data protection authority discusses the same topic is also on the table. According to this proposal, the courts would await a decision by the administrative agency and ask if the parties agree with the decision to put an end to the dispute.
Another provision being considered covers giving the data protection authority the ability to sign settlement agreements, an idea inspired by the practice of the country’s antitrust agency. Currently, the bill is silent about this possibility.
Some lawmakers are also asking for a return to the original, pre-veto provisions of the bill on the human-led review of automated data handling. The presidential decree established that reviews didn’t need to be led by individuals, but critics say automated reviews could lead to the same flaws under question in the automated data handling process.
Temer had exempted the need for consent of data sharing in cases of “adequate services of private healthcare,” but some lawmakers are asking for this exception to be dropped.
All of those issues have been raised in only two days, showing a significant spike in lawmakers' interest in data protection concerns. The next few months will be decisive in shaping the rules that will be enforced in the country for the years to come.
*MLex translation of Portuguese documents.